Despite the recognition five years ago of cyberspace as an operational domain of warfare, the military and U.S. government as a whole are still experiencing growing pains; one in particular surrounds the rules for cyber effects.
Authorities for offensive cyber operations currently trigger an approval process that goes as high as the president. Part of the problem — both for the U.S. and the international community — is developing terms and norms for cyberspace that in many cases use a traditional military and kinetic effects lens to examine cyberspace.
For example, James McGhee, the legal adviser for Special Operations Command North, outlines the difficulties of cyber operations relative to kinetic operations in a realistic hypothetical situation in an essay published in the
Strategic Studies Quarterly, a journal sponsored by the Air Force. A joint force commander can disrupt power in a particular area, if desired, by attacking a power plant being used by the enemy either by sending a team to sabotage it, hitting it with an airstrike or missile, or through cyber means, McGhee wrote.
While McGhee notes the first three are relatively easy and straightforward, the cyber option can "only be used if an execute order (EXORD) authorized cyber operations, that particular power plant was already on a cyber targeting list, the cyber operators already performed appropriate operational preparation of the environment (OPE) on the power plant's network, and interagency and possibly international deconfliction had taken place." Absent the execute order authorizing the offensive cyber operation, McGhee wrote, agencies must request specific use of cyber capabilities through a review and approval process.
"If we say it's a 'cyber' capability … it has to go SECDEF or higher," Brig. Gen. Patricia Frost, the head of the Army's cyber directorate, said last fall. "When we go to the National Training Center, we bring congressional members out, we bring folks from [the Office of the Secretary of Defense] and we say let's have this discussion … We're not saying that we're going to do something that will cause World War III. We're saying we want to give capabilities that I truly believe a commander needs to have to see their environment."
"It should not be harder to use cyber than it is to use kinetics to accomplish your goal. Right now it is in some cases," Lt. Gen. Edward Cardon, the former head of Army Cyber Command told reporters at the annual Association of the United States Army conference in October. He noted that certain challenges arise when using 18th- and 19th-century law "for something that's as fast-moving as cyber."
According to Presidential Policy Directive 20, which outlines U.S. cyber operations policy and was among the classified documents leaked by former contractor Edward Snowden, presidential approval is required for any cyber operation "including cyber collection, [Defensive Cyber Effects Operations], and [Offensive Cyber Effects Operations] — determined by the head of a department or agency to conduct the operation to be reasonably likely to result in 'significant consequences,'" which the directive defines as "[l]oss of life, significant responsive actions against the United States, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States."
Moreover, the policy states the aforementioned presidential approval "applies to cyber operations generally, except for those already approved by the President, even if this directive otherwise does not pertain to such operations as provided in the 'Purpose and Scope' section of this directive."
Others across the joint force share Frost's view regarding the need for greater and clearer authorities.
"There's the authorities piece that we need to work our way through, and we're not there yet," said Lt. Gen. William Bender, chief of information dominance and Air Force CIO, in December. "So if we're willing to change the authorities to actually allow us to operate and maneuver in this cyberspace … we could bring some of the more traditional warfighting principles."
McGhee elaborated on the high-level approval authority necessary for offensive cyber operations prior to being employed. This process, he argues, makes offensive cyber operations, despite their seeming attractiveness, impractical given the extensive planning and approval versus kinetic operations.
"The approval authority for any cyber operation that goes outside of a DoD network is very high. Corresponding approval authorities for kinetic operations is much lower," he wrote.
Even excluding this approval process, cyber operations might not even be as attractive an option because many perceive given offensive operations targeting a certain network or infrastructure must be specifically tailored to have desired effects, he said. Moreover, coordination and deconfliction might not go as planned, either.
"We're still working our way through this," Adm. Michael Rogers, NSA chief and commander of Cyber Command said in 2015 regarding the rules of engagement in cyberspace. "The fundamental principle to me is we've built a good framework in the kinetic world — it's a good departure point for us. So I look for the same kind of broad trends — proportion of response, appropriateness of response, the specificity and discreetness so to speak of the response — the same things that have conditioned my life in the kinetic world as a serving military officer … that's the kind of point of departure for me intellectually in the cyber world."
Maj. Gen. Burke "Ed" Wilson, deputy principal advisor to the Secretary of Defense, explained that more and more, combatant command commanders desire cyber and non-kinetic options in the offensive realm and especially on the defensive side. "The frustrating part…is the authorities piece…Being able to gain the authorities and delegate that down so they can move at the speed of the kinetic fight," he said at an AFCEA NOVA event in December.
Wilson said while some progress has been made in this space, it has been a "frustrating journey" focused on how to delegate authorities or make decisions in a rapid manner as to push decision cycles quicker.
Cyber effects appear to be the metrics surrounding the authorities discussion.
Read Part II: How the Pentagon is Shaping Cyber Tool Use.