Progress in cybersecurity has long been stilted by bureaucracy. We all talk in circles about how the threat evolves faster than our ability to protect our own systems and data, thanks to a slow procurement process, for example. And we often point to this fuzzy line of cyber “ownership” — typically private sector versus government — which long complicated a productive and cohensive reponse.

But what we saw on the Hill last week presented another fascinating complication to the cybersecurity dilemma that focuses squarely on jurisdiction.

Defense News’ sister publication Fifth Domain reported about a rather heated exchange before the Senate Armed Services Committee on Oct. 19, with Chairman John McCain and the Department of Defense’s principle cyber adviser sparring over the Pentagon’s roles in protecting the nation in cyberspace.

Here were the perspectives: Kenneth Rapuano, assistant secretary of defense for homeland defense and global security and a principle cyber adviser, cautioned against “ending the current framework and against reassigning more responsibility for incident response to the Department of Defense.”

McCain argued otherwise: “It’s the Department of Defense’s job to defend this nation; that’s why it’s called the Department of Defense.”

Both are right, which is exactly the problem when one kicks off a philosophical dialogue about cyber response.

Rapuano pointed to “a long normative and legal tradition” of limiting the role of the military in domestic affairs. He likely was referring technically to Title X, which outlines the role of the armed forces — providing the legal basis for the roles, missions and organization of each of the services and the department. He pointed frequently to the Department of Homeland Security, which generally owns the cybersecurity challenge for civilian agencies.

But whether you consider the current Title X, which resulted from a 1956 overhaul of the previous version, or you harken all the way back to the Posse Comitatus Act, a law signed in 1878 to limit the use of military personnel to enforce domestic policies in the U.S., cybersecurity didn’t exist at the time. Just as procurement standards didn’t account for the speed of technological advancements when they were established, laws intended to establish roles and responsibilities within the government did not necessarily account for the prospect of global networks. Or cyberwar. And yet, here we are.

Should the DoD be called in when Russia hacks into systems in an effort to disrupt elections, as McCain insinuated? I’d argue no, though the intel community should certainly dissect the tactics. But if terrorist groups hacked into the power grid, is that not a military operation in some capacity? An act of war?

By definition, cyber extends beyond any individual domain. So must the response. And that response has no borders.

Jill Aitoro is executive editor for Defense News.

Jill Aitoro is editor of Defense News. She is also executive editor of Sightline Media's Business-to-Government group, including Defense News, C4ISRNET, Federal Times and Fifth Domain. She brings over 15 years’ experience in editing and reporting on defense and federal programs, policy, procurement, and technology.

More In