Leaders at U.S. Cyber Command have used new authorities to conduct more cyberspace operations in the last few months than in the previous 10 years, senior Department of Defense officials said.
“I would say that in 8, 9, 10 years under the old decision process, I can count on less than two fingers the number of operations conducted,” a senior Department of Defense official, speaking on the condition of anonymity, told reporters in April.
The new process, called National Security Presidential Memorandum (NSPM) 13 and minted in August 2018, replaced an Obama administration-era process, which required presidential approval for offensive and defensive cyber operations outside U.S. networks.
“In this time since mid-August when the new process went into place, we’ve conducted many more” operations,” the official said.
The official, as well as other top officials in the DoD enterprise, declined to say just how many more operations Cyber Command has undertaken since the executive branch created a new process for gaining authority for operations.
NSPM-13, is essentially the process by which the government makes decisions to gain approval for offensive and defensive cyber effects operations, the official said. The process can be associated with any department or agency, although it mostly revolves around DoD operations. The formal document describing the process is classified.
DoD is now operating under a new cyber concept known as persistent engagement, which recognizes that cyber forces must be in constant contact in cyberspace with competitors day to day. A key pillar to that concept is what defense officials are calling “defending forward,” which involves operating outside U.S. networks to face threats as far away from the United States as possible.
Defending forward, “helps us better protect ourselves," Maj. Gen. Charles Moore, director of operations, J-3 at Cyber Command, told reporters May 7 during a first of its kind media briefing at its facilities at Fort Meade. “When we do this, we can observe enemy techniques and procedures and their tactics as well as potentially uncover any tools or weapons that they might be utilizing.”
Moore added the new decision making process had been critical to operations because it allowed departments and agencies “the ability to execute cyberspace operations within very specific confines as given to us by the president and requires very close coordination and synchronization with the interagency in terms of doing that.”
The combination of a maturing Cyber Command, a more experienced cyber force and new authorities that allow for more activity have led to a normalizing of cyber operations alongside other more conventional activities.
In previous years, cyber operations were less understood by senior government leadership and military commanders, leading to cyber warfare to be considered as an afterthought in planning.
Operators “understand that every time they touch the keyboard where the authority comes from and where they are in the command chain and who is authorized that particular operation. It’s clear," the Defense official said. "That’s part of the check list of when you log on and before you take an action. Just like a pilot climbing into a cockpit or a soldier picking up a rifle and going on patrol, they understand their [rules of engagement], they understand their left and right bounds, they understand the objectives, they understand how that fits into a higher echelon of objectives.”
He added that while they might not be conducting cyber effects operations daily, they’re doing collection operations and preparation.
Cyber Command officials noted that Congress granting additional authorities in this space has cleared the way for daily operations.
In last year’s defense policy bill, Congress clarified which activities qualify as an exemption to the covert action statue by listing “clandestine” cyber operations as a traditional military activity and excluding it from previous restrictions. This allowed the Defense Department to hunt outside of its networks as a way to see attacks before they reach the United States.
“You can imagine that if we’re not considered a traditional military activity, that we essentially have to declare or make very overt any of our operations. And acknowledge that it is being done by the Department of Defense and the United States of America,” Moore said. That is “not very conducive to being successful inside the cyber domain. By declaring it a traditional military activity, it allowed us to move away from that.”
Similarly, this authority, as well as NSPM-13 and language in the bill authorizing actions against certain nation state actors should they conduct malicious activity in cyberspace, allowed Cyber Command unprecedented freedom of action in defensive actions during the 2018 midterm election.
“We had actually been constrained to only operating our forces on the [DoD Information Network],” Maj. Gen. Timothy Haugh, commander of the Cyber National Mission Force, told reporters at Cyber Command. “We’re proud of how it was done, meaning we worked really closely with the Department of State, we worked really closely with European Command to be able to do those missions and at the end of those missions we had a more secure ally, we gained insights that we wouldn’t’ve have had otherwise in a very transparent way.”