Conferees from the House and Senate are in the midst of ironing out the details for the next National Defense Authorization Act. Meanwhile, the Secretary of Defense has now weighed in with a “heartburn letter” pointing out the items in the bill that particularly concern him (Politico provides a copy of the letter here). The second item on his list: Section 1621, titled “Policy of the United States on Cyberspace, Cybersecurity, and Cyber Warfare.” More specifically, Secretary Mattis asks the conferees to remove 1621(f):
I am troubled by the conventional approach applied to an unconventional problem.... The nature of cyber-attacks is ever evolving, and we need to maintain our ability to take decisive action against this increasingly dangerous threat. Section 1621(f) is particularly concerning as it would require the U.S. to notify foreign governments before we take steps to defeat certain cyber threats. We request removal of this section during conference.
Sounds serious, so let’s dig in. What follows below is an annotation of 1621's many subparts, not just 1621(f). My aim is to explore the Secretary’s objection, yes, but also to understand what other things the remaining portions of 1621 do.
(a) In General.—It shall be the policy of the United States, with respect to matters pertaining to cyberspace, cybersecurity, and cyber warfare, that the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond when necessary, to any and all cyber attacks or other malicious cyber activities that target United States interests with the intent to—
(1) cause casualties among United States persons or persons of our allies;
(2) significantly disrupt the normal functioning of United States democratic society or government (including attacks against critical infrastructure that could damage systems used to provide key services to the public or government);
(3) threaten the command and control of the United States Armed Forces, the freedom of maneuver of the United States Armed Forces, or the industrial base or other infrastructure on which the United States Armed Forces rely to defend United States interests and commitments; or
(4) achieve an effect, whether individually or in aggregate, comparable to an armed attack or imperil a vital interest of the United States.
It’s tempting to pass over this one, since a statutory statement of policy of this kind will not control decisions the President may make as to which instruments of national power should be deployed, and in what manner, in any particular instance. Put another way, provisions like this are usually best understood as symbolic. This one is a bit more complicated, however, in two respects.
First, note that 1621(a)(2) conspicuously—if rather awkwardly—squeezes in the word “democratic” in a manner that one can’t help but read as a veiled reference to the Russian covert action program that impacted the 2016 election. That in turn suggests a reading of 1621 that signals a desire on the part of Congress, at least, to warn Russia (and others) that such interference (particularly interference with voting machines?) might be construed by the U.S. government as a justification for a cyber countermeasure.
Could the scenarios listed in 1621(a) also be a justification for a cross-domain response, of the traditional military variety? That’s also strongly implied, though not said expressly. And that’s where 1621 gets interesting. Can it be read as the equivalent of a standing AUMF in the event of a high-salience cyberattack fitting into one of the four 1621(a) categories? I think it’s probably too indirect in its terminology to bear that weight, but I also think that it does not need to. The section 1621(a) categories might all be understood as examples in which it would be possible for the executive branch to assert that the United States has suffered an attack implicating the authority of the president to use at least necessary and proportional means in national self-defense. From this point of view, 1621(a) will function to reinforce a presidential determination of that kind, which might otherwise stand alone as an Article II measure.
(b) Response Options.—In carrying out the policy set forth in subsection (a), the United States shall plan, develop, and demonstrate response options to address the full range of potential cyber attacks on United States interests that could be conducted by potential adversaries of the United States.
The idea here appears to be to improve America’s cyber-deterrence posture by pushing the executive branch not only to have a full suite of response options in case one of the 1621(a) scenarios arises, but also to display those capacities in some fashion. If that display is meant to encompass cyber means of response (note that 1621(b) does not actually say so, and of course it would be silly to assume that a US response must be a within-domain response), then it’s probably a bad idea. Such a display to be effective for deterrence might well have to involve considerable exposure of means, thus enabling adversaries to gain valuable intelligence. Conversely, if the display is limited to avoid that risk, it will not likely be an impressive—and thus deterring—display.
c) Denial Options.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall, to the greatest extent practicable, prioritize the defensibility and resiliency against cyber attacks and malicious cyber activities described in subsection (a) of infrastructure critical to the political integrity, economic security, and national security of the United States.
None, aside from noting the reference to “political integrity” as an additional reminder that our electoral processes are now in the critical infrastructure category along side the traditional CI categories.
(d) Cost-Imposition Options.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall develop and demonstrate, or otherwise make known to adversaries of the existence of, cyber capabilities to impose costs on any foreign power targeting the United States or United States persons with a cyber attack or malicious cyber activity described in subsection (a).
This is much like 1621(b): trying to improve our deterrence posture by pushing the executive branch to take steps to ensure adversaries understand what we are capable of doing. Alas, the problem probably is not that our adversaries underestimate our technical prowess; it’s that they do not believe we have the political will to use that prowess.
(e) Multi-Prong Response.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall—
(1) devote immediate and sustained attention to boosting the cyber resilience of critical United States strike systems (including cyber, nuclear, and non-nuclear systems) in order to ensure the United States can credibly threaten to impose unacceptable costs in response to even the most sophisticated large-scale cyber attack;
(2) develop offensive cyber capabilities and specific plans and strategies to put at risk targets most valued by adversaries of the United States and their key decision makers;
(3) enhance attribution capabilities to reduce the time required to positively attribute an attack with high confidence; and
(4) develop intelligence and offensive cyber capabilities to detect, disrupt, and potentially expose malicious cyber activities.
What’s not to like? Each of these objectives would improve our deterrence posture. And there’s certainly not any harm in having Congress express its desire to see such efforts. My only quibble is that I am confident the executive branch already feels the same way, and that efforts of these kinds already exist. I certainly hope so, at any rate.
*Section 1621(f)* (aka, the one that the SecDef has challenged)
(f) Policies Relating To Offensive Cyber Capabilities And Sovereignty.—It is the policy of the United States that, when a cyber attack or malicious cyber activity transits or otherwise relies upon the networks or infrastructure of a third country—
(1) the United States shall, to the greatest extent practicable, notify and encourage the government of that country to take action to eliminate the threat; and
(2) if the government is unable or unwilling to take action, the United States reserves the right to act unilaterally (with the consent of that government if possible, but without such consent if necessary).
This is the one that drew a strong objection from Mattis. In his letter, he says that it would “require” the US government to give notice to foreign governments before we take certain steps in response to cyber attacks. Does it really require that step in all cases, though?
It can be read that way, yes. And if it had to be read that way then I would agree it should be removed. But it can be read otherwise, too. Here's why I think that:
The “unable or unwilling” language in 1621(f)(2) is the giveaway on this point. That language is very familiar to those who follow debates over whether the use of lethal force violates the UN Charter when carried out for counterterrorism purposes in the territory of a state that has not consented and has not itself attacked the state that now is responding. The issue comes up in relation to using force in Syria against the Islamic State, for example, and previously has been associated with U.S. uses of force in Pakistan. In the latter context, critically, it seems clear the U.S. government does not believe it always must actually ask the foreign sovereign whether it can and will act. The bin Laden raid is the most famous example in which we instead made a determination ex ante based on past experience and current intelligence.
The point being: US practice with the unwilling/unable test already seems to encompass the possibility of not actually asking in advance and then waiting to see how it turns out. The same logic could be applied under 1621(f), then.
Does that mean 1621(f) should be left as is? No. Why leave any uncertainty on the point? If the provision is to remain, the language should be amended to confirm that the unwilling/unable determination can be based on anticipated actions/inaction in light of experience and available intelligence, and does not always have to involve the question being put first to the foreign sovereign in question.
Before moving on, note two other issues that 1621(f) raises, apart from the one highlighted by the SecDef.
First: The provision is a bit unclear insofar as it might be read to apply (i) only to US operations that have an effect on a server located in the third country in question or (ii) also to US operations that ultimately will have their effect elsewhere but that happen to transit through the third country in question. It would be good to make clear that the latter scenario is not covered.
Second: This language needs to be adjusted so as to eliminate the possibility that it might be interpreted to apply not only to Title 10 actions but also to Title 50 actions. That is to say: the drafters need to watch out lest this be read to bind in the context of a covert action, and not just in connection with what CYBERCOM does.
1621(g) and (h)
(g) Authority Of Secretary Of Defense.—
(1) IN GENERAL.—The Secretary of Defense has the authority to develop, prepare, coordinate, and, when appropriately authorized to do so, conduct military cyber operations in response to cyber attacks and malicious cyber activities described in subsection (a) that are carried out against the United States or United States persons by a foreign power.
(2) DELEGATION OF ADDITIONAL AUTHORITIES.—The Secretary may delegate to the Commander of the United States Cyber Command such authorities of the Secretaries of the military departments, including authorities relating to manning, training, and equipping, that the Secretary considers appropriate.
(3) USE OF DELEGATED AUTHORITIES.—The use by the Commander of the United States Cyber Command of any authority delegated to the Commander pursuant to this subsection shall be subject to the authority, direction, and control of the Secretary.
(4) RULE OF CONSTRUCTION.—Nothing in this subsection shall be construed to limit the authority of the President or Congress to authorize the use of military force.
(h) Foreign Power Defined.—In this section, the term “foreign power” has the meaning given that term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
Thanks for reading through to the end! Your comments on this analysis are very welcome, so feel free to reach out (@bobbychesney or firstname.lastname@example.org)