A House Armed Services subcommittee is looking to flex its oversight muscles over the Department of Defense as cyber operations and authorities evolve.
Language in the first draft of the annual defense policy bill, released June 3 to be marked up by the committee June 4, points to several items related to the newer, more assertive posture the DoD’s cyber forces have vowed to take against adversaries engaged in actions below the threshold of armed conflict.
Some inside and outside government are careful to couch new cyber authorities as offensive in nature, saying they allow greater flexibility in defense.
“There have been significant policy evolutions over the course of the last year … so the chairman’s guidance to us was to mature the committee’s oversight framework for cyber operations,” a committee staffer told reporters June 3.
The combination of authorities from the executive branch delegating cyber authorities down to lower levels and new authorities granted from Congress last year have empowered U.S. Cyber Command to act more quickly, more freely and more globally to contest malicious cyber behavior.
One change in particular is that cyber operations no longer have to go through the president. To that end, the Subcommittee on Intelligence and Emerging Threats and Capabilities’ draft language is requiring the secretary of defense to notify both congressional defense committees no later than 15 days after authorities held by the National Command Authority are delegated. Specific items of interest that the committee is requiring be reported include a description of the authorities delegated to the secretary, lists of countries where the authority may be used, a description of authorized activities and defined military objectives related to the authorities.
New guidance from the White House in the last year has revoked older policies that govern how cyber operations are approved and replaced them with a new framework, so members want to be able to understand what’s been delegated as it’s delegated, not just whether an operation occurs, said the committee staffer.
Leaders at U.S. Cyber Command have used new authorities to conduct more cyberspace operations in the last few months than in the previous 10 years, senior Department of Defense officials said.
Additionally, the committee, in a sign of aggressive oversight authority, is also requiring DoD to provide an annual briefing in the form of a written report to Congress detailing all cyberspace operations conducted within the previous calendar year. These are defensive and offensive operations, though they exclude cyber-enabled military information support operations and sensitive military operations.
For each operation, the committee is requiring DoD provide details on:
- The objective and purpose;
- Impacted IT infrastructure by location;
- Tools and capabilities used;
- Specific cyber mission force teams or DoD entity that conducted the operation as well as supporting elements;
- Infrastructure and platforms where the operations occurred;
- Relevant legal, operational and funding authorities for the operation; and
- Information regarding total funding required.
A committee staffer said there is precedence for reporting requirements like this; for example, the handling of sensitive counterterrorism operations and associated annual reports to Congress. However, this provision is unique in that the committee to date does not receive an annual written report.
“There’s nothing by which [members] can see tools, costs, the actual team associated with. This is just again strengthening” oversight, the staffer said, adding this is a maturation.
“I think there’s a lot that goes on in that sphere, so that’s a lower bar than, say, sensitive military operations. It affords the members the opportunity to see everything that’s going on within that space.”
The draft bill also wades into the relationship between the National Security Agency and Cyber Command.
After a period of relative quiet on the subject, the debate over a split between the two organizations has resurfaced.
Some members of Congress recently expressed their opinion on splitting the dual-hat arrangement between the NSA and Cyber Command at this time.
Congress has long been against a premature split unless certain conditions can be met to ensure the missions of each organizations aren’t adversely affected if such a determination is made. The 2017 defense bill enshrined such conditions.
The current draft frames the issue a bit differently, under the guise of partnership between the two organizations.
No later than 90 days after the legislation is enacted, the bill requires the secretary of defense and the director of national intelligence to brief the congressional defense and intelligence committees on “the nature of the National Security Agency and United States Cyber Command’s current and future partnership.”
These briefings will be quarterly and must include status updates on current and future partnership between the two entities, documents or memoranda governing future partnerships, projected long-term efforts and updates regarding the aforementioned elements in the 2017 bill that limited the termination of the so-called dual hat arrangement between NSA and Cyber Command.
The draft legislation terminates these briefings on Jan. 1, 2022.
Officials at Cyber Command have recently lauded their relationship with the NSA.
Officials spoke favorably about the dual-hat arrangement.
“Here at U.S. Cyber Command, the National Security Agency is our most important partner,” David Luber, executive director of Cyber Command, said. “The strength of the relationship will remain critical to the defense of the nation. NSA has world-class expertise, technical capabilities and access that are crucial to the United States Cyber Command’s success.”