Covert Military Information Operations and the New NDAA: The Law of the Gray Zone Evolves

In recent years, Congress has been building a domestic legal framework for gray zone competition (that is, the spectrum of unfriendly actions that states may undertake against one another, surreptitiously, that are below the threshold of actual hostilities yet more serious and disruptive than the ordinary jostling of international affairs) for military operations conducted in the cyber domain. That project has gone rather well, compared to most things Congress undertakes. Last year, it culminated in National Defense Authorization Act (NDAA) provisions that clarified CYBERCOM’s authority in this area while also ensuring a sound degree of oversight of the resulting activities. So far, so good. But the gray zone challenges that define our times of course are not limited to cyber operations as such.

They also include a broader battle over beliefs and identity. The United States has learned the hard way that today’s information environment, characterized by the ubiquity of decentralized social-media distribution networks, provides malicious actors (including but not limited to hostile foreign governments) with a remarkable opportunity to inject fake information and to selectively amplify or distort other information. Russia obviously appreciates this, and others increasingly do as well. Much like cybersecurity, it is a context in which America’s traditional advantages of conventional military superiority and geographic insulation mean nothing, and indeed we are asymmetrically vulnerable due to our openness and commitments to free expression.

Growing appreciation of the strategic significance of this aspect of gray zone competition, both for the United States and for its allies, has led to fascinating and difficult questions about whether and how to alter institutional, doctrinal and legal frameworks so that we can defend and compete more effectively in this space. By and large, the resulting debates have focused on the pressures that might be placed on U.S.-based social media companies to do more to prevent their systems from serving as the vehicle for malicious activity. But what about the role of the U.S. government itself? In the related context of competition in the cyber domain, Congress and the executive branch have determined, for better or worse, that the military should play an important role in that competition, and, as noted above, Congress has quickly stepped up in a thoughtful way by adapting the U.S. domestic legal framework both to facilitate that role and to subject it to oversight (you can read in detail about that here).

Should the same now occur with respect to competition in the broader information environment? Congress thinks so. As I explain below, Section 1631 of the pending NDAA is an important (but little-noticed) provision that borrows heavily from the framework for cyber operations. It is the latest, and least appreciated, element of the ongoing project in which the United States is building a legal and institutional framework for the gray zone competition—a competition that will define critical aspects of interstate competition throughout the 2020s, in this case along a dimension that ties in directly to the United States’s increasingly ugly domestic politics. Read on for an explanation of the nuts-and-bolts. Or, if you prefer, you can read the full text of the gigantic bill, or just the “joint explanatory statement” issued Dec. 9 after the House and Senate conferees reached agreement at last.

1. Affirming the authority of the military to conduct (and defend against) information operations

No one doubts that the military already has some authority to conduct information operations. Information operations are a traditional incident of war, after all. And I suspect that no one seriously doubts that some part of the U.S. government ought to be doing something when foreign governments—like Russia—engage in systematic efforts to spread false information to the American public. The interesting question is whether and to what extent the U.S. military should play a role in contexts where hostile information operations are not related to armed conflict, preparation for armed conflict and the like.

One might argue for this function to reside primarily with the CIA, for example, particularly insofar as we are talking about conducting an operation where the U.S. role will not be acknowledged. That’s the very definition of “covert action,” after all, which, as Executive Order 12333 has long affirmed, is in the CIA’s purview unless and until the president expressly determines otherwise in a particular case. But the same thing might be said about deniable cyber operations in gray zone competition, and yet, for a variety of reasons, the United States has developed and empowered CYBERCOM to play a central role in that setting. Indeed, as I noted above, Congress has worked hard in recent years to build out a domestic legal framework to facilitate and oversee that military role.

Congress is now following that same script, working to extend the model to competition in the information environment through Section 1631 of the new NDAA.

Section 1631(b) expressly affirms that the Defense Department can conduct “military operations” in the information environment, “including clandestine operations,” for certain purposes. I’ll have more to say about that reference to “clandestine” below. First, let’s note the broad list of purposes.

The military’s role comes into play in three scenarios. First, defense of the United States itself. Second, defense of allies. Third, defense of the “interests” of the United States. The statute notably does not clarify what nature or degree of threats to these objects count, and so the invitation can only be described as quite broad.

Critically, Congress goes on to remove any doubt that this grant of authority encompasses operations in situations below the threshold of hostilities. Section 1631(b) says as much, stating that the authority recognized in this provision includes “the conduct of military operations short of hostilities and in areas outside of areas of active hostilities for the purpose of preparation of the environment, influence, force protection, and deterrence of hostilities.”

2. Are we talking about military “covert action”?

In fact, yes, we are. But the statute goes out of its way to ensure that the statutory framework for “covert action” will not apply to these activities.

Let me explain. You may recall that, for many years, there was considerable debate about whether military cyber operations could qualify for the “traditional military activities” (TMA) exception to the statutory definition of “covert action.” Helpfully, Congress settled that question in the affirmative in the last NDAA, defining military cyber operations for the most part as qualifying as TMA. Ever since then, it is clear that military cyber operations do not trigger the statutory covert action framework even when conducted on a deniable basis. So far, so good. Much less helpfully, Congress opted at that time to put the label “clandestine” on that category, despite the fact that “clandestine” is a term that is supposed to signify an intent for an operation not to be detected, in contrast to the idea that U.S. responsibility for said operation is intended to be deniable in the event the operation in fact is detected or has manifest effects. That is the difference, or at least it used to be, between “clandestine” and “covert.” Of course it made sense for Congress to want a label other than “covert” once it decided to exempt most deniable military cyber operations from triggering the covert-action statutory regime and its oversight requirements. It’s just that “clandestine” was the wrong word for that job. But what’s done is done; Congress says that “clandestine military cyber operations” includes deniable ops, and that’s that.

Why mention all that here, where we are talking about operations in the information environment beyond cyber operations? Because, as noted above, Section 1631(b)’s affirmation of authority expressly includes “clandestine” information operations, and the same definitional-confusion issues arise as a result. And because Congress again resolves it in the same way. Section 1631(c) states expressly that clandestine military activity in the information environment shall count for purposes of the TMA exception to the statutory definition of covert action. And, for good measure, a definitional provision further down in this same section reinforces the point by defining this category to include operations that are “marked by, held in, or conducted with secrecy, where the intent is that the operation or activity will not be apparent or acknowledged publicly….” Section 1631(i)(3) (emphasis added).

Had Congress not taken this step, there is no doubt whatsoever that there would have been loads of debate about whether Defense Department information operations below the threshold of hostilities, and not preparatory thereto, would qualify for the TMA exception. That’s how it was with military cyber operations prior to last year’s congressional intervention, after all, and information operations unrelated to anticipated hostilities would have been a still-tougher case for establishing the applicability of the TMA exception, without Section 1631(c).

It is worth pausing here to note that the symmetry between the cyber provisions in last year’s NDAA and the new information-operations provisions in this year’s model make particular sense insofar as they discuss, in practice, activities with elements of both.

3. Wait, so does that mean there’ll be no oversight of these activities?

By exempting these activities from the covert-action statutory framework, the oversight-and-reporting system associated with that framework also drops out of the picture. If not addressed in some other way, that absence of oversight would be awfully risky. Congress recognized as much in the parallel setting of cyber operations, in the past, and over time it built a parallel system of oversight (running to the House and Senate Armed Services Committees rather than the Intelligence Committees) to ensure that there would still be reporting of deniable cyber activities despite the TMA exception applying. Might it do the same here with information operations?

It has done so, in fact, in the new bill. But for reasons that are unclear, it has chosen to be less aggressive with the rules this time.

In the cyber context, there are several different oversight requirements, including both a general obligation to report to Congress on a quarterly basis and a 48-hour reporting rule for “sensitive military cyber operations” intended to have effects overseas but outside areas of active hostilities. (There is a separate provision of the new NDAA that tweaks that cyber-notification rule, which will be the subject of a forthcoming Lawfare post.) Congress could have adapted exactly that model here, but it is not doing so. Instead, the new NDAA will require only the quarterly-reporting obligation for “significant” activities, in Section 1631(d). There is not, yet, any 48-hour rule for particularly sensitive activities. That’s probably a mistake. At the same time, Section 1631(d) does smartly insist that all clandestine—meaning covert but TMA—activities automatically count as “significant” and thus must be reported. My quibble is just with the timing.

4. If the Defense Department is going to become more active in this space, does it need new internal organizational structures?

Congress seems to think so, though it’s intervention is modest. Section 1631(a) calls for the creation of a new position: the principal information operations adviser, who will focus on advising the secretary of defense as to all department information operations. Too bad that acronym isn’t very pronounceable. “Quick, get me the PIOA (pie-oh-uh), there’s a subversive meme trending on TikTok!”

***

That’s all for now. Stay tuned for more Lawfare coverage of the many, many, many interesting aspects of the new NDAA.