John McCain says White House’s cyber deterrence policy comes up short

The cyber deterrence policy put out by the White House last month is “wholly lacking any new information,” Senate Armed Services Chairman John McCain said in a blistering statement released Thursday after the Obama administration unveiled its plan more than a year behind schedule.

Mr. McCain, Arizona Republican, had repeatedly called on the White House in recent months to make good on its promise of publishing a cyber deterrence policy explaining how the Obama administration plans to push back against hack attacks waged on the nation’s computer networks.

That policy was finally put out by the White House in late December, but in a statement on Thursday, the senator said he was not happy with the administration’s offering.

The policy lacks specifics with regards to how the administration plans “to integrate ends, ways and means to meaningfully deter attacks in cyber space,” said Mr. McCain, who previously sent letters to the heads of the director of National Intelligence’s Office and the Departments of Homeland Security and Justice urging officials to publicize its policy.

“It mostly reiterates steps taken and pronouncements made over the past few years, all of which we know have failed to deter our adversaries or decrease the vulnerability of our nation in cyberspace,” Mr. McCain said in a statement to Federal News Radio.

“The report also goes to great pains to minimize the role of offensive cyber capabilities and does little to clarify the policy ambiguities that undermine the credibility of deterrence,” the senator added.

“The administration has not demonstrated to our adversaries that the consequences of continued cyberattacks against us outweigh the benefit,” Mr. McCain said. “Until this happens, the attacks will continue, and our national security interests will suffer.

The National Defense Authorization Act of 2014 had mandated that the White House write a cyber deterrence policy to provide to Congress, but its release in December occurred 15 months later than expected.

The United States is “pursuing deterrence through cost imposition measures … designed to both threaten and carry out actions to inflict penalties and costs against adversaries that choose to conduct cyber attacks or other malicious cyber activity against the United States,” the White House explained last month.