U.S. officials are lauding new offensive cyber authorities provided by the executive branch and Congress that allow for quicker decisions on whether to make a cyberattack.
The Trump administration replaced an Obama administration policy, known as Presidential Policy Directive 20, with a new policy known as National Security Presidential Memorandum (NSPM) 13. The new policy allows the president to delegate certain cyber authorities to the secretary of defense for particular missions.
“Presidential Policy Directive 20 … virtually paralyzed the conduct of offensive operations by U.S. Cyber Command outside of armed conflict,” Sen. Mike Rounds, R-S.D., said during a joint subcommittee hearing of the Senate Armed Services Committee Sept. 26.
“I am hopeful this new policy will enable the Department of Defense to act more nimbly and effectively to counter and deter our adversaries’ ongoing cyberattacks on the United States, attacks conducted with virtual impunity.”
In unveiling the administration’s new national cyber strategy, national security adviser John Bolton described a new era for cyber in which operations will be unshackled, allowing a freer hand for the Defense Department from the interagency process.
Cyber Command’s deputy commander told the Senate panel Sept. 26 that the government is in a “much better place today” than it was earlier this year.
“If you had approached me six months ago of the limits of our authorities, I would tell you that caused me much frustration,” Lt. Gen. Vincent Stewart said.
In this year’s annual defense policy bill, Congress clarified what qualifies as an exemption to the covert action statute, listing “clandestine” cyber operations as a traditional military activity and excluding them from this restriction.
Such a move will make getting operations through the interagency process easier, a U.S. government official, speaking under a non-attribution agreement, said during the Cyber Beacon Conference hosted by National Defense University’s College of Information and Cyberspace earlier this month.
However, the official noted, leaders won’t know how much the new policy changed until they go through the process and write plans for the first operations under them. This echoes comments from officials who have said they have confidence in the new authorities even if it’s not yet clear how the new process will work.
“We’re still working with the DoD and with Cyber Command to kind of flush out exactly what [it looks like],” Maj. Gen. Robert Skinner, commander of 24th Air Force/Air Forces Cyber, told Fifth Domain in September. In his joint role, Skinner is the commander of Joint Force Headquarters-Cyber Air Force, providing cyber effects to European Command, Strategic Command and Transportation Command.
Defending forward and persistently engaging
A key pillar of DoD’s new cyberspace strategy is the notion of persistently engaging adversaries in cyberspace and “defending forward.”
Persistent engagement is the notion of constant contact with adversaries in cyberspace, which often takes place below the threshold of war. Defending forward, meanwhile, appears to be the notion of offense for defensive purposes: gaining access to networks in order to better understand what an adversary might be planning against friendly forces or networks.
Ben Buchanan, an assistant professor at Georgetown University, explained in a recent blog post that defending forward is exemplified by a National Security Agency operation in which the NSA hacked into digital infrastructure used by China’s People’s Liberation Army for conducting operations. By hacking into the infrastructure, the U.S. side was able to develop a picture of the Chinese operations and used that intelligence to thwart specific Chinese attempts to penetrate U.S. networks.
Katherine Charlet, who formerly served as the deputy assistant secretary of defense for cyber policy, wrote recently that since DoD operates outside the nation’s physical borders, the “defend forward” mission in and of itself should not be surprising.
Rather, she writes, it is more notable that defending forward will be done in the context of day-to-day competition as opposed to a crisis.
As such, Stewart told senators that Cyber Command has learned over the past year or so that growing the force demands persistent engagement, persistent presence and a persistent innovative spirit. Failure to do any of the above means DoD can never compete against near-peer competitors in cyberspace, he said.
As University of Texas law professor Bobby Chesney points out, Congress also gave certain DoD cyber operations the authority “‘to take appropriate and proportional action in foreign cyberspace to disrupt, defeat and deter’ in response to an active, systematic, and ongoing campaign of attacks against the government or people of the United States in cyberspace … so long as the malefactor in question is Russia, China, North Korea or Iran.”
An additional challenge includes lack of legal consensus about pre-planting malware on systems, according to former officials and outside experts.
According to a former U.S. official, who also spoke at NDU’s Cyber Beacon conference, there is not a good international legal framework for how to treat malware that might lay dormant on a system to be used at a later date. To use an analogy to more traditional war, it is a clear violation of sovereignty to establish a forward presence in another country in preparation for a potential operation. The presence of malware, however, is more of a legal gray area.
Moreover, Dave Weinstein, vice president of Threat Research at Claroty and a former Cyber Command civilian, notes that any such operation has to be limited in scope and collateral damage. The U.S. would not want to be responsible for an incident similar to NotPetya, which started as a targeted Russian operation against Ukraine and turned into an unintended global campaign costing billions of dollars in damages, Weinstein says.
The effectiveness of any defend forward strategy must account for two variables, he adds: the duration of denial, disruption, or degradation to the adversary’s objective, and the deterrence value.