The National Defense Authorization Act (NDAA) passed Monday by the Senate mandates a thorough, distinct doctrine for cyber warfare, filling a void long bemoaned by lawmakers.
Legislators, particularly Senate Armed Services Committee Chairman John McCain (R-Ariz.), have complained about the ad hoc approach to responding to, conducting and deterring cyberattacks since the Obama administration.
“The threat is growing, yet we remain stuck in a defensive crouch, forced to handle every event on a case-by-case basis, and woefully unprepared to address these threats,” McCain said in May.
“We keep talking about a policy and a doctrine, and it never seems to happen,” Sen. Angus King (I-Maine) said.
The NDAA calls for the Department of Defense to plan responses to potential attacks against the United States, and for plans to increase the cybersecurity resiliency of American defense systems.
It also establishes a policy of notifying countries when the United States becomes aware that a third country has instigated an attack on their systems, and establishes that the United States may act unilaterally if a victim country is unable or unwilling to respond.
The Trump administration is opposed to Defense establishing the doctrine outlined in the NDAA, noting in the Office of Management and Budget (OMB) evaluation of the bill that legislators establishing a policy comes at the expense of the president, who usually sets such policy.
The OMB also derided the policy of notifying countries that were subject to cyberattacks.
"This would severely constrain the President’s decision space and undermine the ability of the Armed Forces to act rapidly and decisively, in accordance with applicable law, to neutralize threats and to defend United States national interests in cyberspace," it said.