Congress raised concerns last week regarding the Obama administration’s tendency to avoid assertive action against foreign hackers, claiming the White House has failed to protect the country from large-scale cyber-attacks. While defenders of the administration claim that Obama’s policy known as “deterrence by denial” is the right course of action, instances such as China’s successful data breach on the Office of Personnel Management (OPM), which compromised the records of 22 million federal workers, would suggest otherwise. According to a recent article by Bill Gertz, “deterrence by denial refers to a defensive effort to protect information networks against an onslaught of increasingly sophisticated and innovative cyber intrusions in the hope that foreign data thieves will eventually give up trying—rather than any effort to actually deter such attacks before they occur.” Overall, this policy fits Obama’s approach of avoiding the use of assertive or offensive action against foreign adversaries which have, according to opponents of the administration, failed to deter large-scale attacks from China, Russia, Iran and North Korea.
Christopher Painter, the State Department’s coordinator for cyber security, did claim that progress has led to international talks regarding norms of behavior in cyber space. However, he could not specify any direct results from the administration’s “deterrence by denial” approach, according to the article. “Our policy, as I think you know, is to look at law enforcement and network security aspects, where we’re talking about cyber defense before going to other tools,” he told a Senate hearing on May 25. Senate Armed Services Committee Chairman John McCain (R., Ariz.) has since dismissed the current cyber defense strategy due to the minimized role of offensive cyber capabilities as well as current ambiguities in the policy. “Make no mistake, we are not winning the fight in cyberspace,” McCain said. “Our adversaries view our response to malicious cyber activity as timid and ineffectual. Put simply, the problem is a lack of deterrence. The administration has not demonstrated to our adversaries that the consequences of continued cyber-attacks against us outweigh the benefit. Until this happens, the attacks will continue, and our national security interests will suffer.”