Cybersecurity and Deterrence

The CIA, Covert Action and Operations in Cyberspace

By Robert Chesney
Wednesday, July 15, 2020, 3:43 PM

In a major story this morning, Yahoo News (Zach Dorfman, Kim Zetter, Jenna McLaughlin and Sean Naylor) disclosed the existence of a 2018 presidential covert action finding altering the terms on which CIA can (and should) engage adversaries via cyber means. Should you be concerned, impressed or both?

1. What exactly does the story reveal that we did not already know?

It should not come as a surprise to anyone that CIA has been ordered by the president to engage in covert action in relation to Iran, North Korea, Russia and China. Nor should it be a surprise that this might include operations in the cyber domain. So what is the news here?

It’s about process, and more specifically about the way that executive branch decision-making procedures are calibrated to modulate risk-reward tradeoffs. The essence of the story is that, under the Obama administration’s approach and continuing well into the Trump administration, the CIA had to get approval for cyber domain operations on an individualized basis through the National Security Council’s usual screening process for covert action (or perhaps with extra scrutiny beyond what covert action proposals usually receive). But in 2018, we are told, President Trump issued a new finding that provided blanket authorization for CIA to conduct cyber operations against certain named adversaries—Russia, China, North Korea and Iran—and potentially others (though the triggering conditions for other states or non-state actors to come within the scope of the finding are not identified in the story), without having to revert to the NSC process to get approval of particular actions. Critically, the reporters indicate, this has cut approval times from as much as a year or more to a matter of weeks.

Note that this is very much of a piece with earlier (and official) disclosures about National Security Presidential Memorandum 13, which emphasized that Trump’s policy was to cut back considerably on interagency screening of cyber operations in general, out of concern that excessive screening in the past had made the United States too slow to act in some cases and entirely unable to act in others. NSPM-13 has mostly been discussed (by me and others) in terms of its impact on U.S. Cyber Command’s operations, but that just reflects the fact that we have more grist for the mill in that context; there is plenty of public talk about U.S. Cyber Command’s “defend forward” strategy and even some particular operations, whereas we almost never hear about CIA covert action in cyberspace. Well, now the latter is changing a bit, but not in a way that I think is particularly surprising.

2. But the story has strong overtones of concern about this development. Are there some red flags?

The story has plenty of quotes from former officials who appear concerned that the reduced external scrutiny of CIA covert activities and the sped-up timeline for approvals will result in undue or unwise risk-taking. Fair enough; there’s no question this is a high-risk business. But note, too, the reference in the story to at least some officials taking more of an “it’s about time” perspective on this change. Ultimately, this is about the balance between risk and reward, and the change plainly reflects a judgment by the Trump administration that we previously had an unduly cautious approach. The extraordinary length of time it sometimes took to get approval for particular operations strongly suggests that a change was indeed needed.

3. It has been two years since this happened. Does the evidence suggest success or failure?

The article makes clear that CIA has been active in using its authority, claiming that more than a dozen operations have occurred and even making a pointed suggestion—though not quite a firm attribution—about CIA responsibility for a pair of particular doxing operations. The article does not identify any notable failures or abuses (though of course opponents of the general idea of engaging in covert action in this way would object to that characterization), and there is no claim whatsoever that anything has been inconsistent with U.S. law.

4. But what about the article’s references to “critical infrastructure”?

One of the most interesting nuggets in the article involves a rule change that apparently removed or weakened a prior prohibition on operations that might “damage critical infrastructure, such as petrochemical plants.” It’s hard to know what to make of this without more detail. On one hand, a blank check to blow up critical infrastructure would indeed be deeply concerning. But it is possible—indeed, probable—that the finding does not give such a blank check. Possibly it just authorizes prepositioning of capabilities, in the event an adversary takes such an action against U.S. critical infrastructure and thus opens the door to such a countermeasure. Possibly it just identifies a revised set of circumstances in which such permission might be given. Notably, the article does not allege that this particular authority has been used; yes, the article does say that there have been some kinetic effects from CIA operations under the finding, but it does not claim that any of those involved an adversary’s civilian critical infrastructure.

5. Bottom line?

The story is an important reminder that, despite the much greater visibility of U.S. Cyber Command’s defend-forward activities, the CIA continues to play a critical role in the increasingly fierce gray zone competition that characterizes statecraft in cyberspace these days.