Fragmented Cyber Legislation Hinders Military
The patchwork of legislation that allows the U.S. military and government to perform cyber operations is too disjointed to enable an effective and swift response, a former Army officer said.
“We’ve got to deal with four different pieces of legislation in order to conduct a well-coordinated cyber response or cyber defense,” said Jeff Schilling, chief security officer at Armor Defense, a cloud security company based in Richardson, Texas. He is also the former chief of current operations for U.S. Army Cyber Command.
Schilling pointed to Title 10, Title 50, Title 18 and Title 32 of the United States Code as the four pieces of legislation that govern allowable actions when operating in cyber space.
Title 10 allows the U.S. military to conduct cyber attacks and take advantage of an adversary’s vulnerabilities; Title 50 enables the United States to collect cyber intelligence or conduct cyber espionage on foreign countries for the sake of national security; Title 18 enables law enforcement officials to conduct cyber investigations and do surveillance on criminals and actors who are trying to conduct cyber espionage against the United States; and Title 32 outlines the role of the National Guard, he said.
The National Guard has a unique ability to deal with cyber threats because of its dual state and federal roles. It also works closely with the civilian community, which could provide an advantage over other military branches in the cyber sphere, experts have said.
This environment of fragmented responsibilities and capabilities makes dealing with network attacks difficult, according to Schilling.
“At the crux of the problem … is trying to bring together all of these different U.S. titles and having a cohesive plan both to protect ourselves as well as conduct offensive cyber operations going forward,” he said.
At the same time, adversaries are not constrained by bureaucratic policies. “The threat actors don’t have to go between different titles. They have very little, if any, constraints or restraints for conducting cyber operations, which allows them to be much more agile,” he noted. “They have the advantage in the fact that they can seamlessly transition from doing espionage to attacking and also using information” to protect themselves.
Schilling said he is not hopeful for comprehensive legislation under the current Congress. “They’re having a hard enough time getting the CISPA — the Cyber Intelligence Sharing and Protection Act — passed because while there are fans in both parties of the legislation, the privacy groups are against it.” Mistrust among those organizations has worsened since the Edward Snowden National Security Agency leaks, he said.
CISPA is a proposed law in the House that would allow for the sharing of Internet traffic information and threat signatures between the government and private industry. The bill was passed in the House in 2013, but failed in the Senate.
A related bill — the Cybersecurity Information Sharing Act — recently passed in the Senate. It offers similar protections for companies that share information with the government.
Schilling said information sharing between the government and industry is a good first step but will not be a “game changer” when it comes to getting ahead of the threat. “I believe this is a baby step in the right direction. However, I am seeing there is little political will in D.C. to go much further to really build a comprehensive strategy,” he added.