The other day President-Elect Trump released a video summarizing his plans for the first 100 days in office. Little noticed or remarked upon was his commitment (see 1:45 in the video) to ask the Department of Defense and the Chairman of the Joint Chiefs of Staff to develop a comprehensive plan to defend critical American infrastructure from cyber attacks and all other forms of attack.
This would be a sea change in current policy, which gives the lead role in defending non-military government cyber infrastructure to the Department of Homeland Security and tasks DHS with coordinating the private sector's own defense of the civilian cyber infrastructure. Put colloquially, DoD defends .mil, DHS defends .gov, and DHS helps coordinate the private sector's own defense of .com, .edu, .net, and so on. Taken both literally and seriously, the President-Elect seems to be suggesting that DoD would take over active defense of all those other cyber domains (as well as the physical defense of domestic infrastructure like chemical plants).
Perhaps I read too much into this and it was just a rhetorical trope. If not, however, it would likely violate existing law. That law designates DHS as the federal entity responsible for domestic infrastructure protection. Section 201 of the Homeland Security Act of 2002 tells DHS to:
(1) To access, receive, and analyze law enforcement information, intelligence information, and other information from agencies of the Federal Government, State and local government agencies (including law enforcement agencies), and private sector entities, and to integrate such information in order to--
(A) identify and assess the nature and scope of terrorist threats to the homeland;
(B) detect and identify threats of terrorism against the United States; and
(C) understand such threats in light of actual and potential vulnerabilities of the homeland.
(2) To carry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States, including the performance of risk assessments to determine the risks posed by particular types of terrorist attacks within the United States (including an assessment of the probability of success of such attacks and the feasibility and potential efficacy of various countermeasures to such attacks).
(3) To integrate relevant information, analyses, and vulnerability assessments (whether such information, analyses, or assessments are provided or produced by the Department or others) in order to identify priorities for protective and support measures by the Department, other agencies of the Federal Government, State and local government agencies and authorities, the private sector, and other entities.
(4) To ensure, pursuant to section 202, the timely and efficient access by the Department to all information necessary to discharge the responsibilities under this section, including obtaining such information from other agencies of the Federal Government.
Perhaps most notably, given the President-Elect's focus on a comprehensive plan, the HSA also provides that DHS should:
(5) To develop a comprehensive national plan for securing the key resources and critical infrastructure of the United States, including power production, generation, and distribution systems, information technology and telecommunications systems (including satellites), electronic financial and property record storage and transmission systems, emergency preparedness communications systems, and the physical and technological assets that support such systems.
I will leave it for others, with greater knowledge of the limits that law places on the domestic activity of our military, to comment on whether the President-Elect's plans violate those provisions (e.g. the Posse Comitatus Act). For me, however, beyond noting the likely illegality of the proposal, I would also suggest that it is an incomparably bad idea to militarize the defense of the civilian cyber domain (much less the physical defense of all critical national infrastructure).