Members of the Senate Armed Services Committee took top defense and intelligence officials to task Tuesday for failing to finalize an integrated policy for cyber attacks. Committee Chairman Sen. John McCain (R-Ariz.) noted that congressionally mandated policy is already a year late. After asking Deputy Defense Secretary Robert Work about the status of the policy and what response it outlines for another attack like the one on the Office of Personnel Management, McCain became frustrated. “We have not got a policy, and for you to sit there and tell me that you do—a broad strokes strategy—frankly is not in compliance with the law,” McCain said. Work, Director of National Intelligence James Clapper, and US Cyber Command boss Adm. Michael Rogers? all agreed the US needs an offensive cyber capability to act as a deterrent, though Rogers said the US is “still working our way through” what constitutes an act of war in the cyber arena. Sen. Angus King (I-Maine) said when the US does have an offensive capability, it must make that threat known. “Our instinct is to make everything secret, and the whole point of a deterrent capability is that it not be secret,” he said.
While some of the Air Force's newly announced changes will happen quickly, it may take most of Chief of Staff Gen. David W. Allvin's tenure in the job to accomplish the rest, he said in a Brookings Institution event Feb. 28.