Senators press DOD cyber policy nominee to push for deterrence doctrine

Senators are prodding the Trump administration’s nominee to be the top cyber policy official at the Defense Department on how the U.S. can develop a more proactive, offensive posture against adversaries in the digital sphere.

Lawmakers expressed concern Tuesday regarding the United States’ ability to deter malicious activity in cyberspace.

“Do you think we’ve done enough over the last four years to deter our adversaries like China and Russia and Iran and North Korea by being essentially in a defensive crouch in the cyber world and not developing offensive plans and capabilities that can hold at risk the things that they hold most dear?” Sen. Tom Cotton, R-Ark., asked Katie Sutton, President Donald Trump’s pick to be assistant secretary of defense for cyber policy at her confirmation hearing.

Sutton would be the second official to hold that role since Congress created it in the fiscal 2023 annual defense policy bill.

“As I think Sen. Cotton characterized it, we’re not going to be able to defend ourselves if we’re in a defensive crouch at all times. We need to have both the capability for offensive cyber, but also I believe we need a stated doctrine,” Sen. Angus King, I-Maine, said. “Everyone in the world knows our doctrine of deterrence in nuclear armaments, for example. People should also understand a doctrine of deterrence that if you attack us in cyberspace, there will be a response.”

King has raised the issue of cyber deterrence, or lack thereof, at almost every cyber hearing before the Senate Armed Services Committee in recent years. He has voiced concern that there isn’t a coherent cyber deterrence strategy. In fact, at a confirmation hearing for now retired Gen. Paul Nakasone to be the head of U.S. Cyber Command seven years ago, King asked the nominee if adversaries feared the U.S. in cyberspace, to which Nakasone answered they don’t.

“There’s no price to pay for our adversaries. I hope in your counsels within the Defense Department and in the administration you’ll argue for a serious and substantial cyber deterrent stated policy. If it’s not stated, a deterrent doesn’t work,” King told Sutton at Tuesday’s hearing.

For her part, Sutton noted that if confirmed, she would work to make sure the U.S. has the right posture and it is well-articulated.

“The defender has to be wrong every time, [but] the adversary only has to be right once. I think that goes to show that while we need strong defenses, we are not going to deter the adversary with defenses only. And that if confirmed, I will work to strengthen our offensive cyber capabilities to ensure the president has the options he needs to respond to this growing threat,” she said.

In response to written questions from the committee, Sutton noted that a critical part of her role, if confirmed, would be to improve the nation’s defenses and digital deterrent.

“Deterrence is possible in cyberspace and can be made more effective through a combination of denial, resilience, and credible responses. If confirmed, I will review the capabilities we have in our toolkit, integrate military cyberspace capabilities with other tools of national power, and restore deterrence in the cyber domain. One of my core goals as ASD Cyber Policy will be to ensure the Department has the offensive and defensive capabilities and resources necessary to credibly deter adversaries from targeting the United States,” she wrote. “Under President Trump and Secretary [Pete] Hegseth’s leadership, I understand that DoD is laser-focused on restoring deterrence across all domains, including cyber, and will be assertive in addressing China’s unacceptable intrusions on civilian and government networks. While increasing our offensive cyber capabilities is critical, DoD must also remain vigilant in defending its own networks and critical infrastructure.”

Recent Chinese intrusions into U.S. critical infrastructure have raised concerns among American government and private sector leaders that Beijing could be prepping the battlespace for a potential conflict.

Officials in the Trump administration have expressed their desire to beat back Chinese efforts and develop a more offensive cyber footing.

Experts and officials have acknowledged that deterrence doesn’t have to be tit-for-tat in cyberspace, but senators expressed the need for more public-facing offensive capabilities against malicious activity.

Prior to 2018, the military conducted very few cyber operations. Experts and former officials have noted that there historically has been a risk aversion to conducting offensive ops in response to certain activities because it could be viewed as escalatory — a notion that has been largely disproven through academic research, especially given in recent years cyber activities have been viewed as a less escalatory response than traditional kinetic action.

Cyber Command’s “defend forward” concept — which involves operating on networks outside the United States in order to confront threats before they ever reach domestic networks, achieved through persistent engagement and challenging adversary activities daily and wherever they operate — was viewed as a remedy to that inaction. It sought to demystify cyber ops by conducting them consistently to give U.S. forces more reps and demonstrate to senior leaders what they could do.

Some of the authorities that were developed in 2018 by the executive branch and Congress and were foundational to enabling a more offensive posture for Cybercom, deserve a relook, according to Sutton.

“The cyber domain is continuing to evolve and the one constant that I’ve seen in being involved in this domain for over two decades is that the rate of change is exponential. My top priority if confirmed in this role will be to address this change with speed and agility in the department … I believe we’re at a point where we need to reevaluate those [authorities] and make sure that we’re postured to be able to respond to the increasing speed of cyber attacks and that we are able to address the incoming impacts of AI,” she said.

Those authorities include the first Trump administration’s National Security Memorandum-13, which prescribes the process by which cyber operations are conducted and coordinated in the interagency. Lt. Gen. William Hartman, acting commander of Cybercom, told the Senate Armed Services Subcommittee on Cybersecurity last month that that policy has increased the command’s ability to execute cyber operations tenfold.

Another important move previously made was Congress clarifying that cyber is a traditional military activity, clearing bureaucratic and interagency hurdles and allowing Cybercom to conduct critical preparations in cyberspace without a “hot” conflict present.

Sutton also pledge to change the culture around offensive cyber, noting that a decade ago there was hardly any mention of the term “offensive cyber” among U.S. officials. She pointed to the parallel of how the intelligence community would keep vulnerabilities for its own use, but now it seeks to share them more with industry to better defend themselves.

“I think that same culture change needs to happen in how we discuss cyber deterrence,” she said in response to Sen. Tim Kaine, D-Va., who questioned why the Defense Department can’t be more candid in discussing offensive activity more publicly.

“We talk about offensive operations in other military domains — the number of sorties we were flying against [ISIS], we know when there’s a U.S. bombing in Yemen against Houthis, we’re aware of it. But we don’t talk about what we do offensively in cyber very much,” he said. “It ends up making the public very aware that we’re under attack because [of] the news stories a couple of times a year about successful cyber attacks. But the public never hears about our use of the offensive cyber capacity to impose costs on those who are attacking us. Why can’t we be a little more candid with the American public about our offensive use of cyber so that they’re aware that we’re not just playing defense all the time but that we actually have an offensive capacity that we use?”

Part of the reason the U.S. government has been hesitant to discuss offensive cyber more openly is to avoid tipping off adversaries. If a vulnerability is known by the target, it can be patched and cut off as an avenue for attack.