IC officials: Cyber threat is real, but it's not the only one

Threats from cyberspace may have become the top concern to the Intelligence Community, but its leaders emphasize that it’s not the only one in what has become a complex environment. Director of National Intelligence James Clapper said this week that, in his 50 years in intelligence, he “cannot recall a more diverse array of challenges and crises that we confront as we do today.” 

In an overview provided to two panels of lawmakers in the Senate during the annual “Worldwide Threat” assessment hearings, Clapper said in written testimony that Russia remains the most assertive cyberspace actor with China continuing to achieve success in cyber espionage and North Korea and Iran residing a tier below. Non-state actors, he said, also continue to pose a growing threat to the overall cyber landscape.

Last week, during a visit to the Naval Academy, Clapper noted that cyber bumped terrorism from the top spot of national threats in 2013. But when asked by one senator to rank the threats facing the nation, for the purpose of prioritizing and allocating resources and funds to particular crises, Clapper demurred. “Well, the more time I’ve spent doing this, I think the more loath I’ve become to try to rank order threats because any of them can leap up and bite us,” he said. “I don’t like to mislead people that ‘well this one threat is the one that we’re going to focus on at the expense of others.’ ”

 Another challenge in the navigation of cyberspace operation has been defining certain actions. In particular, the term “cyber war” has garnered a fair amount of debate. “That’s a great question,” Clapper responded when asked about cyber war during a hearing before the Senate Armed Services Committee. “It’s one that we’ve wrestled with. To an extent, it’s in the eye of the beholder,” he said, adding that it’s a determination “that would almost have to be made on a case-by-case basis depending on the impact.”

Clapper’s co-witness at Tuesday’s hearing, Lt. Gen. Vincent Stewart, director of the Defense Intelligence Agency, said that a concrete definition of cyber war would be helpful. “We generally look at all cyber events and we define it as an attack. In many cases you can do reconnaissance, you can do espionage, you can do theft in this domain we call cyberspace,” Stewart said, echoing similar comments made by the head of the NSA and Cyber Command Adm. Michael Rogers at a House hearing last year. “But the reaction always is, whether it’s an adversary doing reconnaissance, an adversary trying to conduct a [human intelligence] operations in this domain, we define it as an attack and I don’t think that’s terribly helpful.” 

The lack of clarity on some of these issues has drawn the ire of many members of Congress. “Wouldn’t it be a good idea to have a policy?” asked committee chairman John McCain (R-Ariz.). “As I understand it we have no policy as to whether we should deter, whether we should respond, whether – if so, how. Wouldn’t it be good if we had a policy?”

Despite the release of a White House cyber deterrence policy in December – one that Senator McCain has derided for being delivered far too late in the game – McCain continued to voice his displeasure at the lack of clarity guiding cyber operations. “The fact is we don’t have a policy and I don’t know how you act when there’s no policy as to how we respond to threats or actual acts of penetration into some of our most sensitive information.”

McCain’s comments were guided partially by a cryptic answer by Stewart regarding the U.S. deterrence policy in cyberspace. “I think we have a pretty robust capability to understand the adversaries. I think most potential adversaries understand that we have a capability whether or not we are ready to use that because that’s the essence of deterrence that an adversary actually feels that we’ll use the capability that we have,” Stewart said. “I’m not sure we’re there yet and that goes beyond our ability to understand and to counter its military capabilities. I think there’s another dimension of convincing from a policy standpoint that we’re willing to use that capability.”    

Along those lines, Rogers told the Senate Intelligence Committee Tuesday that one of the biggest challenges is not so much insight into cyber threats or vulnerabilities – to which he said officials will never have all the insight they desire – but generating action based on available insight. “How do we generate, take that insight, and generate action. And make the changes that I think we all believe are necessary given the dynamics of the world?” he asked. 

The cyber agreement the U.S. struck with China last fall to cease economic cyber theft has also been subject to criticism, considering China was seemingly caught violating the stipulations before the ink even dried.

“I think that there has been a decline but I think we’re going to have to have some more time to assess whether this is a case where these state sponsors – those elements, cyber actors that are under the control of the state – have actually reduced their activity or they were told ‘don’t get caught,’ ” Clapper said. “There’s also the challenge of determining whether, per the agreement, that any information that was purloined is actually used for economic advantage or not.”