Earlier this year, Congress and the White House granted the U.S. Cyber Command a range of new authorities, and, in the months since national security experts have said the Department of Defense will be more aggressive in cyberspace, leading attacks against bad actors who have stolen intellectual property or against those who are attempting to influence American elections.
But a new narrative with additional nuance now surrounds that discussion. Rather than thinking of the United States as being more aggressive, national security experts and government officials say that Cyber Command has more flexibility and that the authorities allow for offensive action in the name of defensive purposes.
Despite praising new offensive cyber authorities, officials are still unclear how the process will work exactly.
“During peacetime, we’re not seeking to escalate, we’re not trying to be aggressive in behavior, we are trying to defend those that breach norms to be able" to enact consequences, Burke “Ed” Wilson, deputy assistant secretary of defense for cyber policy, said during an April 23 event hosted by the Atlantic Council.
Adversaries have been increasingly active in the so-called “gray zone” of conflict. Top military officials argue that those activities, while individually not rising to the level of armed conflict, have a cumulative strategic effect on the United States.
“In this space, there is going to be constant contact, there is going to be continuous engagement. The question we have to ask ourselves is ‘what are the acceptable things below that threshold of armed conflict,’” said Emily Goldman, who serves on the policy planning staff in the office of the secretary at the Department of State. Goldman, who is on loan to the State Department from the National Security Agency, spoke at the same conference.
Wilson said that to be successful in the cyber arena, concepts such as persistent engagement, persistent contact and persistent innovation are necessary.
New authorities allow DoD to act faster and respond quicker to activities in cyberspace.
In 2018, Congress clarified which activities qualify as an exemption to the covert action statue by listing “clandestine” cyber operations as a traditional military activity and excluding it from previous restrictions. This allowed the Defense Department to hunt outside of its networks to see attacks before they reach the United States.
This is important because cyber operations, often portrayed in Hollywood as a few keystrokes, are far from simple. They require gaining access to adversaries’ networks — not always an easy task in and of themselves — mapping those networks to understand where files are and then figuring out how to degrade or destroy portions of the network. Complicating matters, if an adversary changes portions of the network via a software patch, the access gained could be negated.
The new language better postures Cyber Command to make necessary preparations prior to some operations.
“There [are] certain things you must do in order to prepare for operations and you can’t wait until the operations begin,” Lt. Gen. Vincent Stewart, the recently departed deputy commander of Cyber Command, told Fifth Domain in November. The changes from Congress “freed us up to do some of the things, the operational preparation of the environment, that we were limited from doing outside of the counterterrorism mission and now can do much more broadly against all of our peers and competitors.”
Moreover, the new language in the 2019 annual defense policy bill “clearly articulated an expectation for the Department of Defense to use its capability to compete with adversaries that were operating outside of international norms,” Brig. Gen. Timothy Haugh, commander of the Cyber National Mission Force, said during the same conference. “That allowed us, as a department, to begin to organize and resource in partnership with the other combatant commands.”
Goldman noted that under these new authorities, defense leaders are more assertive in defensive actions.
“That doesn’t mean aggressive or offensive. That means actually defending outside of, for example, military networks,” she said.
She also clarified that U.S. actions should not necessarily be couched under a grand deterrence strategy “because it’s not threatening to punish afterwards.”
“But over time, if you push back, hopefully you’ll get a deterrence effect,” she said. “At some point, [adversaries will] come to a sense that this is not worth the energy we’re putting in to try to do x, y or z.”
Similarly, some national security commentators have noted that the alleged Cyber Command strike against the notorious Russian troll farm the day of the 2018 midterm elections, was not an act of signaling or deterrence, but a preventative act.
“This was not about ‘deterrence’ or ‘signaling’ but a specific counter-offensive op to counter a specific adversary from conducting a specific activity during a specified window of high-vulnerability. It was part of campaign specifically approved by the president,” Jay Healey, a former Bush administration White House official and senior research scholar at Columbia University, wrote in February.
Rob Morgus, senior policy analyst at the New America Foundation, noted that certain cyber actions, such as the purported action in Russia, aren’t always conducted with a single purpose in mind.
“Signaling in order to compel or deter behavior is certainly one reason for a response, but — as was the case with the countermeasures taken against the Internet Research Agency — blunting the capacity or halting the operation of an adversary who is actively conducting an attack or an operation is certainly another purpose. An ideal response can serve these two purposes together, while also living up to our international legal and normative obligations,” he told Fifth Domain in an email.
Healey added this action against the Internet Research Agency was “the right kind of cyber operation and one that all democracies should applaud,” noting that potential interference in democratic processes from foreign nations are red lines that should be drawn, more so than hitting back over the North Korean attack on Sony Pictures or Iran’s attack on the Sands casino.