
The Law of Military Cyber Operations and the New NDAA

Robert Chesney
Thursday, July 26, 2018, 2:07 PM


Published by The Lawfare Institute in Cooperation With Brookings

How will the soon-to-be-enacted NDAA alter the legal framework for military operations in the cyber domain? The House version of the bill would not have impacted this question much, but as I wrote here and here the Senate version had several interesting provisions. Well, those Senate provisions have emerged largely intact from the conference process, and the John McCain National Defense Authorization Act for fiscal 2019 almost certainly will become law soon. Here is the full text and accompanying conference report, and here is what you need to know about how those cyber provisions turned out.

1. Cyber-related oversight statutes are being moved around within Title 10 (Section 1631)

Several existing cyber operation oversight measures are being moved around within the U.S. Code, which is good housekeeping but also annoying for those of us who are accustomed to the original numbering. Ah well.

What’s happening here is that Congress in recent years has generated a handful of cyber-operation oversight statutes for the Defense Department, and these had been dropped into Title 10 under Chapter 3 (“General Powers and Functions”). But they arguably fit better in the relatively new Title 10, Chapter 19 (“Cyber Matters”). So, the new NDAA moves them as follows:

| Old section # | What does it do? | New section # |
|---|---|---|
| 10 U.S.C. §130g | A 2015 statute directing SecDef to prepare for (and when properly authorized to do so, to conduct) cyber operations in response to hostile foreign cyber operations. | 10 U.S.C. §394 |
| 10 U.S.C. §130j | A 2017 statute that requires SecDef to submit a written notice to the Senate Armed Services Committee and House Armed Services Committee within 48 hours of military cyber ops intended to have effect in foreign locations that are not combat zones (thus roughly paralleling the model of Title 50 covert action oversight). | 10 U.S.C. §395 |
| 10 U.S.C. §130k | A 2017 statute that requires SecDef to give the Senate Armed Services Committee and House Armed Services Committee quarterly notice of “weapons reviews” for the legality of new cyber capacities, as well as 48-hour notice when such cyber “weapons” actually are used. | 10 U.S.C. §396 |

Professors, update your syllabi accordingly!

2. Preventing interagency friction when the Pentagon conducts unattributed cyber operations (Section 1632)

This section attempts to remove some interagency friction that apparently has limited Cyber Command’s capacity to conduct cyber operations that would have effect outside of combat zones.

If you are not a Title 10/Title 50 nerd like me, you just need to know that this is not really a new grant of affirmative authority to act but, rather, a statute to defeat arguments to the effect that the Defense Department somehow is precluded from carrying out deniable operations in cyberspace where the effect would occur outside a combat zone.

If you are a T10/T50 nerd (yes, I will look into making a T-shirt for that … send ideas for a logo/image), here’s the full picture:

According to the conference report, the Pentagon at times has encountered “difficulties within the interagency in obtaining mission approval” because of “perceived ambiguity as to whether clandestine military activities and operations, even those short of cyber attacks, qualify as traditional military activities as distinct from covert actions requiring a Presidential Finding.” Translated: someone (State? CIA? The Justice Department?) apparently has been arguing that computer network operations outside of combat zones cannot qualify for the Title 50 TMA exception (which should spare fully Defense Department activities from triggering the covert action finding-and-notification system under Title 50), presumably because of the technical novelty of such activities. As I’ve argued in many settings, that’s an incorrect reading and application of TMA. Nonetheless, the argument apparently has had real traction in the interagency process (and, critically, under current presidential directives it is necessary to go through the interagency when proposing to carry out such operations for intended effect outside a combat zone (something that media reports have suggested might change at some point)). The conference report, in fact, says that because of such objections, the Defense Department has been obliged to limit its operational activity in such cases to those “that could be conducted overtly on attributable infrastructure without deniability.”

Section 1632 is designed to put a stop to such objections, thus allowing CYBERCOM to conduct operations involving deniable infrastructure without having to face recurring objections that somehow they can’t count as TMA and thus must instead be treated as full-fledged T50 covert action.

Note, too, that the report expressly encourages the president to alter the interagency review process to speed it up as needed, but Section 1632 does not actually purport to dictate process on this point.

So far, so good. But what does Section 1632 actually say, and which part of U.S. Code will reflect this?

The changes will all appear in the new 10 U.S.C. §394 (the old 10 U.S.C. §130g). The language is complicated, but the key moving parts are these:

  • Under new 10 U.S.C. §394(b), the affirmation of authority for the Defense Department to operate in the cyber domain is expanded to include language stating that this includes operations “short of hostilities” and ops “in areas in which hostilities are not occurring.”
  • Under new 10 U.S.C. §394(c), “clandestine military activity or operation in cyberspace shall be considered a traditional military activity” (emphasis added) for purposes of the Title 50 exemption to the covert action framework.
  • Under new 10 U.S.C. §394(d), the secretary of defense shall include such activities during quarterly briefings to the Senate and House Armed Services Committees on Defense Department cyber operations (required by 10 U.S.C. §484, which absolutely should also have been moved to Chapter 19 along with the other stuff in the box above—something to do in the next NDAA!).

3. A mini-cyber AUMF? Pre-authorizing “proportional” Defense Department cyber operations in response to Russian, Chinese, North Korean and Iranian cyberattacks (Section 1642)

While Congress cannot make the president issue orders to take more aggressive actions in response to malicious foreign cyber activities, it can express its wish that he would do so and it can pave the way a bit by granting preauthorization for some such responses. That’s what Section 1642 is all about.

The conference report expresses frustration that the United States has not acted more aggressively in response to foreign hostile cyber activity. This clearly pertains to the current Trump acquiescence to Russia, but it also goes back to frustrations with the Obama administration as well. At any rate, Section 1642 underscores the fundamental concern that still more such activity is invited by failing to impose serious costs for past hostility. Hard to argue with that.

Apart from that, though, what does 1642 do as a legal matter?

It is not styled as an “Authorization for Use of Military Force” (AUMF), and it certainly is not an authorization to do anything militarily involving non-cyber means. And yet it is an AUMF of a very narrow and specific variety. It authorizes action of the following kind and subject to the following conditions, when the executive branch finds that those conditions are satisfied and decides to invoke this grant of authority:

1. What triggers this authority?

Two elements must be satisfied in order to trigger this authorization:

(1) There must be “an active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace, including attempting to influence American elections and democratic political processes”;

(2) The responsible party must be Russia, China, North Korea or Iran.

Note that Section 1642 makes the “National Command Authority” the relevant decision maker on those triggers. The NCA is, of course, the president together with the secretary of defense. Very interesting to specify the NCA as opposed to just the president, no?

2. What is then authorized?

Once those determinations are made by the NCA, Section 1642 pre-authorizes CYBERCOM in particular “to take appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter such attacks” (emphasis added by me). And the statute goes on to emphasize that this will count as “traditional military activity,” thus reinforcing Section 1632’s attempt to put an end to Title 50-related objections to CYBERCOM operations.

3. Is that really an AUMF-level of authority, or is it necessarily below the threshold at which the separation of powers comes into play and one arguably must have congressional authorization?

As Libya, Syria, Kosovo and other examples attest, the executive branch takes a strikingly narrow view of when it needs congressional authorization for military activity in addition to Article II authority. From that point of view, Section 1642’s approval for proportional cyber actions arguably is superfluous as a legal matter (however significant it might be as a matter of policy and politics).

The War Powers Resolution (WPR) probably does not change that analysis, both because we might not be talking about activities that are likely to trigger the War Powers Resolution “clock” and because the notification requirements mentioned below (especially the one doubling-down on 10 U.S.C. §395) happen to be compatible with WPR notification requirements.

Note: This makes it merely academic to ponder what to make of the language at the end of 1642, stating that 1642 should not be read to “affect” the War Powers Resolution or the 2001 AUMF. That’s a pretty ambiguous phrase, of course. Does it mean that the 1642 authority is capped out at the level that would rise to hostilities? Would any WPR clock objection instead be met fairly with the response that 1642 is adequate authorization, satisfying without “affecting” the WPR?

4. Will we know when this authority is used?

First, Section 1642 specifies in an excess of caution that activities under this authority must be reported under 10 U.S.C. §395 (the old 10 U.S.C. §130j, with the requirement of a written notification from the secretary of defense within 48 hours).

Second, Section 1642 also adds, in another excess of caution, that this requires reporting under the quarterly system of 10 U.S.C. §484.

But of course neither of those systems specifies reporting to the public; outsiders are not often going to have a good sense of what, if any, use 1642 gets.


Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.
