The Senate passed its version of the John McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA FY19) on Monday night, and it now heads to conference for reconciliation with the House version. The Senate version has a number of really interesting provisions relating to cyber operations, and though they may or may not make it through conference, I’m going to go ahead and provide reviews of several key sections this week. In this post, I explore how the Senate bill seeks to improve the deterrence posture of the United States vis-a-vis malicious cyber activity, with an emphasis on improving the credibility of our capacity to respond in like kind.
The Senate has often used the NDAA to express concern that the executive branch is not doing enough to deter adversaries from engaging in malicious cyber activity against U.S. interests (see last year and the year before). Generally, this concern has been expressed through statements purporting to dictate what U.S. policy should be or provisions requiring reports to Congress on this topic. Well, there’s something similar in this year’s Senate bill, but it is a bit more prescriptive than in the past.
Section 1621(a) begins in traditional, hortatory style. It declares that it “shall be the policy of the United States” to “employ all instruments of national power, including the use of offensive cyber capabilities to deter if possible, and respond when necessary, to any and all cyber attacks or other malicious cyber activities that target” certain enumerated U.S. interests. Nothing problematic there, in my view; the executive branch no doubt would agree with all that, given that it is framed at a high level of generality. But Section 1621 goes on to say something more interesting, too.
Section 1621(b) directs the executive branch to “plan, develop, and demonstrate response options to address the full range of potential cyber attacks” (and, in doing so, to prioritize responses relating to “infrastructure [that is] critical to the political integrity, economic security, and national security of the United States”). That’s not just hortatory, but a direction to action (though it is not directed to a specific executive branch agency nor backed by particular deadlines or other overt accountability mechanisms). For good measure, the same thing appears in Section 1621(d): The “United States shall develop and demonstrate, or otherwise make known to adversaries the existence of, cyber capabilities to impose costs on any foreign power targeting the United States…”
The call for demonstration of capacity is connected to the Senate’s ongoing concern that the executive branch has not done enough to establish credible deterrence in relation to malicious foreign cyber operations. Proving to adversaries that we have the capacity to respond in various ways, the theory goes, is a key part of fixing this.
But will these directives really help? That’s hard to say for many reasons.
First, it’s not clear how serious the executive branch would take these directives, both because they do not task any particular department or agency and because there are no deadlines or other accountability mechanisms attached to them.
Second, it’s not clear what would count as an adequate demonstration of capability.
Third, a real demonstration of capacity to engage in certain cyber operations entails significant risks. The code involved might then disseminate, with others adapting it to their own purposes (see, for example, Russian exploitation of EternalBlue). That is good for our adversaries, both for the obvious reason (hey, thanks for the free tools) and because it also creates an opportunity to shift some of the blame to the U.S. for whatever harms the adversary then inflicts on others (increasing the political and diplomatic friction that in recent years has beset the U.S. (particularly NSA) and thus potentially eroding U.S. will and capacity to some degree). Further, adversaries can take lessons from the demonstration, adapting in response to the tactics, techniques, or procedures on display.
Fourth, credible capacity is only part of the deterrence equation. Credible capacity must be matched with credible will to use that capacity. And will, alas, cannot be legislated. Does the Trump administration have the requisite will to direct military action in cyber space? As to some adversaries, surely so; the Trump administration obviously is less concerned than past administrations with the sovereignty objections other countries might make in response to U.S. cyber activities that might impact their networks, and it also seems clearly eager to empower Cyber Command and the Pentagon in general. On the other hand, the Trump administration (at least at the White House level; Treasury is different) is not exactly known for its robust response to Russian cyber activities, which is a pretty significant gap in its will on this general topic.
What Congress can do about will is to reduce friction that increases the costs for deciding to employ a particular method. As I’ll explain in my next post on the Senate bill’s cyber provisions, it looks like the Senate has exactly that idea in mind. There are several provisions that seem designed to smooth the way for Cyber Command to conduct operations below the threshold of armed conflict.