A Fight Is Brewing Between Congress and the Military Over Cyber War
Should in-theater commanders be allowed to launch attacks that currently require approval from the national command authority?
U.S. military commanders want more authority to launch cyber operations. But Congress is mulling new restrictions and reporting requirements, setting up a showdown that will shape American defense in the network era.
In one corner, you have commanders like Lt. Gen. Paul Nakasone. The head of U.S. Army Cyber Command recently said that his service is producing hackers who are better than their peers in the civilian world by orders of magnitude. “I’ve been in a number of different army units. I’m trying to think: is there a sniper I’ve ever met, or a pilot, or submarine driver, or anyone else in the military who is 50 times better their peer? It’s hard to imagine. but I will tell you that some of the coders that we have are 50 times their peers,” he said, speaking at the Army’s CyCon event earlier in November.
Speaking just days after the Army announced that its Cyber Mission Force Team would reach full operational capability almost a year ahead of schedule, Nakasone said recent ops that eavesdropped on ISIS and shut down messaging networks would shape doctrine and training against other adversaries. “We are rewriting our strategies today. We are re-writing the way we teach our forces,” he said. “We are running faster than our headlights because we are learning so much, employing these forces today, having an impact.”
Gen. Joe Votel, who leads U.S. Central Command, has also touted cyber ops against ISIS. “We had a recent success in coordinating the lethal effects of our special operations and air components with highly targeted and effective cyber operations,” Votel told participants at the Billington Cyber Security forum in downtown D.C. in September.
Why go to the nation’s capital to boast about cyber ops in Syria? To make a larger point about policy: specifically, that Washington is weighing down commanders in the field who are eager to let their soldiers put their new hacking tools to use against foes like ISIS.
“We at [Central Command] have narrowly defined authorities to execute cyberspace operations at all, let alone execute the required initiative and adaptive thinking towards countering this pervasive threat,” Votel said.
At one level, that makes sense, he said. “For very good reasons and concerns about cyberspace operations propagating outside the intended joint operation area, a lot of the approval authorities to execute these types of operations reside with the president or the secretary of Defense.”
Those reasons include the need to have someone in charge of strategy coordinate various combatant commanders.But, Votel continued, “at the operational level, the level at which cyberspace operations are integrated with conventional and special operations forces, this can make approval so cumbersome that the capabilities are nearly irrelevant.”
In his speech, Nakasone did not ask directly for more authorities to execute cyber operations. But he did say that the Army would test and drill as though those authorities were already there.
“We have to be able to look at a tactical force, whether it’s a brigade combat team or some other type of force, and see how they might operate and leverage those types of capabilities. And so what we have done, as an Army over the last two years is, over eight different rotations, is empower these brigade combat teams with elements that look at social media, that look at their own networks for vulnerability, that look at close action support [read that to mean information operations aimed at individuals who might pose a real threat on the battlefield] so we as an Army are already training toward that. I will tell you that this discussion on authorities will mature as we learn more and I think that what we have to do, as a force, is be prepared to leverage those, once they do come.”
Adm. Michael Rogers, the head of U.S. Cyber Command, has also said that he’s anxious to move hacking authorities down to operators in the field, very similar to the semi-independence granted many special operations forces. He said SOF is a great model for Cyber Command.
“Offensive cyber is almost treated like nuclear weapons, in the sense that their application outside of a defined area of hostilities is controlled at the chief executive level and not delegated down. What I would like to see, over the next five to 10 years is, can we engender enough confidence in our decision makers to say, ‘you should feel comfortable pushing this down to the tactical level. You should be integrating this into the strike group, the amphibious expeditionary side.’ We should view this as another tool for a the commander, as part of the broad scheme of maneuver, to achieve a desired outcome,” Rogers said at a U.S. Naval Institute event in February event in San Diego.
But some of the language coming out of the Senate committees discussing the National Defense Authorization Act for 2018 suggests that lawmakers are moving in the other direction. Instead of handing more authorities to commanders to execute cyber operations, they’re looking to increase congressional oversight. University of Texas law professor Bobby Chesney notes at Lawfare that lawmakers are considering categorizing certain cyber operations as “sensitive military operations” on the same level as kill-or-capture operations.
A second proposed change to Section 1631 of the bill, Chesney reports, would oblige the Defense Department to give the Senate Armed Services Committee and the House Armed Services Committee written notice, quarterly, of Defense Department reviews of the compatibility of cyber weapons with international law, as well as specific notice of the use of such reviewed cyber weapons within 48 hours of that use. “Looks to me like [the Senate and House committees] are concerned about the international law analyses arising during these weapons reviews,” Chesney wrote.
More congressional oversight does not necessarily mean infringing on commanders’ authority in the field — but it might. It basically depends on which cyber operations qualify as “sensitive” enough to require a lawmaker to be read in on the operation, and “sensitive” is subjective term.
This tug of war is emerging as U.S. Cyber Command is entering a new, more grown-up phase, having been nominally elevated to a full combatant command, albeit with many details still to be worked out. The move would give the head of Cyber Command central authority over training, resources, and mission execution.
One military official, a long-time information warfare specialist with a deep background in intelligence, said that giving commanders more authority to execute whatever hacking missions that they chose—without first having better policies in place to guide them – was a sure recipe for disaster. (The official spoke on condition of anonymity because he was not authorized to speak to the press.) What could go wrong with operators having all the legal room they might desire to run whatever hacking operation they wanted? He offered the possibility of operators from one service hacking soldiers from another service simply because no one had a real clue of who was who in the information environment in question.
“In the complete absence of policy, we are going to make it up as we go. That means, there will be no standards, no de-confliction, everybody will be doing there own thing,” he said. That could result in some less than well trained U.S. cyber operators going up against seasoned Russian contract mercenaries, a scenario likely to result in an embarrassing loss of data for the U.S., he speculated.
Ideally, Cyber Command would manage that deconfliction, he said. Instead of becoming a virtual version of U.S. Special Operations Command, CyberCom would offer more value if it evolved into something more like the Office of the Director of National Intelligence as it was originally stood up after Sept. 11, 2001. Imagine a central coordinating point for cyber-operations across the military and a means to break down silos between intelligence agencies.
“Look at the intelligence community prior to the creation of the director of national intelligence. Everybody was doing their own thing. CIA, DIA [the Defense Intelligence Agency] — no one was looking laterally. Post-9/11, they came back and said, ‘We have to make this an intelligence community.’ They created procedures where they had to talk to each other. No one in the military likes to study history because we are going to do the same exact thing in cyber that we were doing in intelligence. We’ll have a massive failure,” he said.