Army Gen. Joseph Votel, Commander of U.S. Central Command, briefs reporters on the release of the investigation into the U.S. airstrike on the Doctors With Borders trauma center in Kunduz, Afghanistan, Friday, April 29, 2016, at the Pentagon.

Army Gen. Joseph Votel, Commander of U.S. Central Command, briefs reporters on the release of the investigation into the U.S. airstrike on the Doctors With Borders trauma center in Kunduz, Afghanistan, Friday, April 29, 2016, at the Pentagon. AP / Molly Riley

Science & Tech

A Fight Is Brewing Between Congress and the Military Over Cyber War

Should in-theater commanders be allowed to launch attacks that currently require approval from the national command authority?

Patrick Tucker

|
Patrick Tucker
By Patrick Tucker
Science & Technology Editor, Defense One

U.S. military commanders want more authority to launch cyber operations. But Congress is mulling new restrictions and reporting requirements, setting up a showdown that will shape American defense in the new information warfare era.

In one corner, you have commanders like Lt. Gen. Paul Nakasone. The head of U.S. Army Cyber Command recently said that his service is producing hackers who are better than their peers in the civilian world by orders of magnitude. “I’ve been in a number of different army units. I’m trying to think: is there a sniper I’ve ever met, or a pilot, or submarine driver, or anyone else in the military who is 50 times better their peer? It’s hard to imagine. but I will tell you that some of the coders that we have are 50 times their peers,” he said, speaking at the Army’s CyCon event earlier in November.

Speaking just days after the Army announced that its Cyber Mission Force Team would reach full operational capability almost a year ahead of schedule, Nakasone said recent ops that eavesdropped on ISIS and shut down messaging networks would shape doctrine and training against other adversaries. “We are rewriting our strategies today. We are re-writing the way we teach our forces,” he said. “We are running faster than our headlights because we are learning so much, employing these forces today, having an impact.”

Gen. Joe Votel, who leads U.S. Central Command, has also touted cyber ops against ISIS. “We had a recent success in coordinating the lethal effects of our special operations and air components with highly targeted and effective cyber operations,” Votel told participants at the Billington Cyber Security forum in downtown D.C. in September.

Why go to the nation’s capital to boast about cyber ops in Syria? To make a larger point about policy: specifically, that Washington is weighing down commanders in the field who are eager to let their soldiers put their new hacking tools to use against foes like ISIS.

“We at [Central Command] have narrowly defined authorities to execute cyberspace operations at all, let alone execute the required initiative and adaptive thinking towards countering this pervasive threat,” Votel said.

At one level, that makes sense, he said. “For very good reasons and concerns about cyberspace operations propagating outside the intended joint operation area, a lot of the approval authorities to execute these types of operations reside with the president or the secretary of Defense.”

Those reasons include the need to have someone in charge of strategy coordinate various combatant commanders.But, Votel continued, “at the operational level, the level at which cyberspace operations are integrated with conventional and special operations forces, this can make approval so cumbersome that the capabilities are nearly irrelevant.”

In his speech, Nakasone did not ask directly for more authorities to execute cyber operations. But he did say that the Army would test and drill as though those authorities were already there.

“We have to be able to look at a tactical force, whether it’s a brigade combat team or some other type of force, and see how they might operate and leverage those types of capabilities. And so what we have done, as an Army over the last two years is, over eight different rotations, is empower these brigade combat teams with elements that look at social media, that look at their own networks for vulnerability, that look at close action support [read that to mean information operations aimed at individuals who might pose a real threat on the battlefield] so we as an Army are already training toward that. I will tell you that this discussion on authorities will mature as we learn more and I think that what we have to do, as a force, is be prepared to leverage those, once they do come.”

Adm. Michael Rogers, the head of U.S. Cyber Command, has also said that he’s anxious to move hacking authorities down to operators in the field, very similar to the semi-independence granted many special operations forces. He said SOF is a great model for  Cyber Command.

“Offensive cyber is almost treated like nuclear weapons, in the sense that their application outside of a defined area of hostilities is controlled at the chief executive level and not delegated down. What I would like to see, over the next five to 10 years is, can we engender enough confidence in our decision makers to say, ‘you should feel comfortable pushing this down to the tactical level. You should be integrating this into the strike group, the amphibious expeditionary side.’ We should view this as another tool for a the commander, as part of the broad scheme of maneuver, to achieve a desired outcome,” Rogers said at a U.S. Naval Institute event in February event in San Diego.

But some of the language coming out of the Senate committees discussing the National Defense Authorization Act for 2018 suggests that lawmakers are moving in the other direction. Instead of handing more authorities to commanders to execute cyber operations, they’re looking to increase congressional oversight. University of Texas law professor Bobby Chesney notes at  Lawfare that lawmakers are considering categorizing certain cyber operations as “sensitive military operations” on the same level as kill-or-capture operations.

A second proposed change to Section 1631 of the bill, Chesney reports, would oblige the Defense Department to give the Senate Armed Services Committee and the House Armed Services Committee written notice, quarterly, of Defense Department reviews of the compatibility of cyber weapons with international law, as well as specific notice of the use of such reviewed cyber weapons within 48 hours of that use. “Looks to me like [the Senate and House committees] are concerned about the international law analyses arising during these weapons reviews,” Chesney wrote.

More congressional oversight does not necessarily mean infringing on commanders’ authority in the field — but it might. It basically depends on which cyber operations qualify as “sensitive” enough to require a lawmaker to be read in on the operation, and “sensitive” is subjective term.

This tug of war is emerging as U.S. Cyber Command is entering a new, more grown-up phase, having been nominally elevated to a full combatant command, albeit with many details still to be worked out. The move would give the head of Cyber Command central authority over training, resources, and mission execution.

One military official, a long-time information warfare specialist with a deep background in intelligence, said that giving commanders more authority to execute whatever hacking missions that they chose—without first having better policies in place to guide them – was a sure recipe for disaster. (The official spoke on condition of anonymity because he was not authorized to speak to the press.) What could go wrong with operators having all the legal room they might desire to run whatever hacking operation they wanted? He offered the possibility of operators from one service hacking soldiers from another service simply because no one had a real clue of who was who in the information environment in question.

“In the complete absence of policy, we are going to make it up as we go. That means, there will be no standards, no de-confliction, everybody will be doing there own thing,” he said. That could result in some less than well trained U.S. cyber operators going up against seasoned Russian contract mercenaries, a scenario likely to result in an embarrassing loss of data for the U.S., he speculated.

Ideally, Cyber Command would manage that deconfliction, he said. Instead of becoming a virtual version of U.S. Special Operations Command, CyberCom would offer more value if it evolved into something more like the Office of the Director of National Intelligence as it was originally stood up after Sept. 11, 2001. Imagine a central coordinating point for cyber-operations across the military and  a means to break down silos between intelligence agencies.

“Look at the intelligence community prior to the creation of the director of national intelligence. Everybody was doing their own thing. CIA, DIA [the Defense Intelligence Agency] — no one was looking laterally. Post-9/11, they came back and said, ‘We have to make this an intelligence community.’ They created procedures where they had to talk to each other. No one in the military likes to study history because we are going to do the same exact thing in cyber that we were doing in intelligence. We’ll have a massive failure,” he said.

NEXT STORY: China and the CIA Are Competing to Fund Silicon Valley’s AI Startups

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.