Published by The Lawfare Institute
This is my third post in a series on cyber-related provisions in the Senate version of the John McCain National Defense Authorization Act for Fiscal Year 2019, which is heading soon to conference for reconciliation with the House version. This one examines the provisions that impact statutory authority for the military to engage in cyber operations as well as congressional oversight of such activity.
Before digging in, here’s some important context regarding the legal framework that Congress has created in recent years for Defense Department cyber operations.
1. Under current law, is it clear that the Defense Department sometimes can conduct cyber operations in response to malicious foreign cyber activities?
Yes. A 2015 statute, codified as 10 U.S.C. § 130(g), states exactly that:
The Secretary of Defense shall develop, prepare, and coordinate; make ready all armed forces for purposes of; and, when appropriately authorized to do so, conduct, a military cyber operation in response to malicious cyber activity carried out against the United States or a United States person by a foreign power.
Note that this is not a blank check from Congress; the statute says there must be appropriate authorization from another source. That means any such operation must be authorized as a separation-of-powers matter—either in the sense that it is within the inherent Article II authority of the commander in chief (either as a matter of national self-defense or, perhaps, as a matter of authority that lies below the threshold of the constitutional meaning of “war”), or that some other statute (like an AUMF) covers it. Section 130(g) merely dispels any claim that the Defense Department is somehow not an appropriate agency for the exercise of such authority, as opposed to some other agency.
2. Under current law, must the Defense Department report its cyber operations to Congress?
Yes, but not because those operations count as “covert action” triggering the Title 50 findings-and-reporting framework that runs through the president (for findings) and the congressional intelligence committees (for reporting).
Let me explain that point, because we’ll come back to it in a moment.
First, assume a cyber operation is meant to go undetected but there is no intent to actually deny the U.S. sponsoring role if and when detected. In that case, it cannot count as a “covert action” under the terms of Title 50, full stop. Second, assume the contrary—that is, that the U.S. sponsoring role is not meant to be apparent or acknowledged. That triggers the “covert action” definition in the first instance. But then we have to consider the statutory exceptions to that definition, and there’s a good chance that if it is commanded and conducted by the military exclusively, it will qualify for the “traditional military activities” (“TMA”) exception. The upshot is that most DOD-conducted cyber operations should not trigger the Title 50 covert action framework requiring presidential findings and reporting to the intelligence committees.
Congress sorted out many years ago that this created an oversight gap of sorts, and began moving to close it by requiring a degree of reporting to the armed services committees.
First, Congress created a requirement for the defense secretary to give quarterly briefings to the armed services committees regarding “offensive and significant defensive military operations in cyberspace” during the past quarter. That’s now codified as 10 U.S.C. § 484. Later, Congress added some granularity to this reporting requirement, specifying in an amendment to Section 484 that the quarterly briefing must encompass operations carried out by each regional and functional command, hostile activity directed at each such command, any authorities used, any legal issues that arose, and any “interagency activities and initiatives relating to the operations.” As you can see, the armed services committees were (and probably are still) hungry to get their arms around the legal issues that complicate these activities as well as the positions that different agencies (hello, State) might take in working through them.
Second, and quite apart from that, Congress created a separate reporting requirement (also running to the armed services committees) for the subset of military cyber ops that qualify as “sensitive military cyber operations.” Under 10 U.S.C. § 130j, the secretary of defense must give notice within 48 hours of both offensive and outside-of-network defensive cyber ops conducted by the military, if the intent is to cause an effect that is outside of a location where U.S. forces “are involved in hostilities” (within the meaning of the War Powers Resolution) or where hostilities have been “declared.” Simply put: Section 130(j) speeds up the reporting process for the subset of cyber ops that the Pentagon conducts that are meant to have third-country (out-of-theater) effects. Think of a server in a Gulf State that the Islamic State uses to run propaganda, and the possibility of a CYBERCOM op to shut it down. That would have to be reported, whereas a similar op involving a server in Raqqa would not have.
What would be different under the Senate law?
1. Section 1621(g)(1) and the Defense Secretary’s authority to respond to “cyber attacks”
This is an odd one. Section 1621(g)(1) says that the defense secretary is authorized to “develop, prepare, coordinate, and, when appropriately authorized to do so, to conduct military cyber operations in response to cyber attacks and malicious cyber activities” conducted against U.S. interests by foreign entities. (emphasis added)
Look familiar? It should. Scroll up and re-read the existing statute that speaks to this topic, 10 U.S.C. § 130(g). The language is almost identical, except that Section 1621(g)(1) would add the words “cyber attack” alongside the existing reference to “cyber activities.”
So what gives? Presumably there has been some debate about whether 10 U.S.C. § 130(g)’s current language actually encompasses “cyber attack” as distinct from “cyber activities.” That makes no sense to me, for the latter seems broader than and inclusive of the former. At any rate, there’s no harm in clarifying the point, and perhaps it will help quiet some internal debates. I would just ask that they tidy things up, using 1621(g)(1) to actually amend 10 U.S.C. § 130(g) rather than add a 95 percent-overlapping, yet separate, provision.
2. Section 1622 and authority to conduct cyber operations on a deniable basis
Well, speaking of amending 10 U.S.C. § 130(g) … the next provision we will examine does in fact amend that very statute, but towards a different and rather confusing end. This gets down in the weeds quite a bit, so bear with me. If you are a Title 10/Title 50 aficionado, you’ll find this interesting. If not, well, this probably is not the post for you anyway…
Section 1622 would add a bunch of new subsections to 10 U.S.C. § 130(g). Here’s an explainer for the key ones:
The new 130g(b) would confirm that the secretary of defense “may conduct military activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to defend the United States and its allies and interests of the United States …” (emphasis added). And it also goes on to say that this affirmation of authority extends to operations
short of war and in areas outside of named areas of conflict for the purposes of preparation of the environment, influence, force protection, and deterrence of hostilities, or counterterrorism operations involving the armed forces of the United States.
At first blush, that all seems pretty simple: like current 10 U.S.C. § 130(g), it tries to dispel possible objections to the Defense Department conducting cyber ops, including in grey zone and extra-theater circumstances. But look again at the clause I put in bold in the first quoted section: “… including clandestine military activities or operations in cyberspace … .”
If “clandestine” is being used here in the usual Pentagon way—that is, if it merely refers to ops that the Defense Department hopes will not be detected by the adversary (which surely covers almost all cyber ops)—then this is perfectly fine, even if the need for it is not obvious. But the statute does not use the word in its usual sense. Let’s turn now to look at the new statutory definition Section 1622 would establish.
Section 1622 provides an unexpected definition of “clandestine military activity or operation in cyberspace,” in what would become 10 U.S.C. § 130(g)(f)(1). It’s a cumbersome provision, so I’m going to restate and reorder it below in the form of a simple checklist of the elements it requires. I break it down into five elements. An activity will count as a “clandestine military activity or operation in cyberspace” if:
1) It occurs in the cyber domain
2) It is carried out by the military
3) The activity itself is authorized by POTUS or SecDef
4) The activity is part of a larger military operational plan approved by POTUS or SecDef where that plan is directed at any of the following:
- anticipated hostilities;
- “adversaries” (with reference to the National Security Strategy);
- “other emergent national security threats”;
- to deter/defend against “attacks or malicious cyber activities” directed at “United States or Department of Defense” assets; or
- to “support…other information related capabilities such as military deception and psychological operations.”
5) The activity features “secrecy, where the intent is that the activity or operation will not be apparent or acknowledged publicly.” (emphasis added)
This is all fine if your aim is to encompass cyber operations that normally would qualify as covert action but end up not counting as such because of the TMA exception. And it seems that this is precisely what the drafters actually have in mind. Indeed, another part of Section 1622 would create 10 U.S.C. § 130g(c), in order to state that cyber operations that satisfy this “clandestine” definition “shall be considered a traditional military activity for the purposes of” the covert action statute. Read in context with 130g(b), described above, this makes it clear that a central aim of all this is to dispel concerns that somehow Cyber Command should not be conducting unacknowledged ops under the TMA rubric. No problem there.
So what is the problem? The problem is using the word “clandestine” as a label for this category. This would not be a problem if the definition was limited to operations that were meant to be undetected, but that’s not all the definition says. It plainly reaches beyond operational secrecy in order to reach the distinct category of deniable activity, and all the TMA talk suggests that this is pretty much the main point of it all. “Clandestine” is just not the right word for that category, and using it here will not only cause confusion in this setting but probably in non-cyber settings too.
Happily, this can be fixed really easily, without having to cook up some clever alternative name. Just don’t use a name at all. Section 1622’s changes to 130g can refer simply to “covered operations.” The rest of the definition can stay exactly as it is. The drafters’ aims will be served in exactly the same way, but without injecting confusion about the difference between covert and clandestine activity.
3. Section 1623 and Russia-specific authorities
The next relevant section is 1623, which is specific to Russia but also relates to the cyber-TMA discussion in 1622, above.
a. 1623(a)(1) and authority for Russia-specific defensive ops
Section 1623(a)(1) purports to give the National Command Authority (the president and the secretary of defense) the power to order Cyber Command “to take appropriate and proportional action in cyberspace to disrupt, defeat, and deter” activities conducted by the Russians if and when the National Command Authority makes a predicate determination that the Russians are engaging in an “active, systematic, and ongoing” cyber campaign against us. Two comments on this.
First, this is perfectly fine in terms of trying to make clear that this authority does exist. I do worry, though, that this framing strongly implies that it is necessary for Congress to grant the authority first, even if we are talking about operations below the threshold of hostilities or war. This might generate friction in other settings where Congress has not taken such specific action but where the level of provocation is otherwise identical. If North Korea or whoever undertakes a campaign of “active, systematic, and ongoing” malicious cyber activity against U.S. interests, I would not want the executive branch hamstrung in its response by an argument that Congress has asserted authority over this question and chosen to authorize defensive cyber action only vis-à-vis the Russians (and, even then, only when the Russian activity is currently occurring).
To be fair, the section goes on in 1623(c) to call for an annual report discussing, among other things, whether this authority should be expanded to encompass other countries, specifically naming Iran and China as possibilities. That’s better than being oblivious for sure, but just note that in the interim someone is likely to make a Steel Seizures “category 3” argument to the effect that Section 1623(a) places Article II authority at its “lowest ebb” (due to implied Congressional disapproval) insofar as the executive branch tries to rely on its own inherent authority to conduct operations of these kinds against someone other than Russia.
Again, there’s an easy fix: Include a savings clause stating that articulation of this authority is not meant to imply a lack of authority that the Executive Branch otherwise would enjoy.
Before moving on, note that Section 1623(a)(1) specifies that this responsive cyber action against the Russians would count as “traditional military activities.” This is useful. I like it that it does not attempt to tie back to 1622’s somewhat-troubled definition of “clandestine” military cyber activity. It does not need to do so. It is cleaner simply to state that responding to malicious Russian cyber activity will count as TMA—and thus will not count as “covert action”—even when conducted on an unacknowledged basis.
b. 1623(b), surveillance, and Cyber Command
This one is a bit different in kind, for it concerns the authority of Cyber Command to engage in surveillance activity on networks outside the United States. Now, you might respond to that general description by saying: intelligence-collection activity is a central feature of military planning and operations, so surely a combatant command like Cyber Command already engages in a substantial amount of activity on foreign networks that falls under that heading. And perhaps that is true with respect to the military systems and networks of foreign states. What’s interesting about Section 1623(b) is that it clarifies (or establishes) that the secretary of defense can authorize Cyber Command to conduct surveillance targeting private Russian actors where
- those entities act “at the behest or in support” of the Russian government, and
- they engage in one of the following categories of activity:
  - “stealing and releasing confidential information” from U.S. political candidates or their organizations
  - “generating and planting information and narratives” in our media in order to “mislead, sharpen social and political conflicts,” and otherwise manipulate things
  - creating botnets and also “false accounts” on social media in order to amplify messaging towards those same harmful ends
  - developing or using cyber means to harm U.S. critical infrastructure or to cause casualties (U.S. persons or “persons of allies”…does that include Ukraine?), significant property damage, economic disruption, effects amounting to armed attack, effects imperiling a “vital national security interest,” or “significant disruption of the normal functioning of United States democratic society and government.”
So all that is, of course, a response to the 2016 Russian intervention, and I’m all for it. What’s interesting to me is the question of whether surveillance on these topics should be NSA’s business rather than Cyber Command’s. That is, Section 1623 seems to me to reflect, to some extent, the ongoing frictions involved in having a military intelligence agency that is the incumbent and world-class agency for collection of this kind, but also having a new combatant command operating in the cyber domain at a time when we have an increasing degree of “grey zone” activity implicating its interests and thus bringing with it intelligence-support needs that it might want to fulfill on its own.
The bottom line, I suppose, is that there may be some serious deconfliction issues lurking beneath the surface here, which is not too big a deal while the dual-hat remains in place (Gen. Paul Nakasone is the head of both the NSA and Cyber Command), but sure looks more complicated if and when those positions are split (especially if at the same time the White House continues to neglect the interagency cyber portfolio).