Cybersecurity and Deterrence

CYBERCOM’s Out-of-Network Operations: What Has and Has Not Changed Over the Past Year?

By Robert Chesney
Thursday, May 9, 2019, 5:56 PM

I’d like to draw attention to Mark Pomerleau’s interesting piece at Fifth Domain examining the operational impact at Cyber Command (CYBERCOM) of several recent developments, including National Security Presidential Memorandum 13 (NSPM 13), doctrinal/policy innovations under the headings of “persistent engagement” and “defending forward,” and new/clarified authorities associated with the most recent National Defense Authorization Act (NDAA). I’ve written at length (e.g., here and here) about several of these developments before. Pomerleau’s article is a handy glimpse behind the curtain regarding how things are coming along in light of those changes. Two things stood out to me:

1. The tempo and nature of out-of-network operations

It appears the collective impact of these changes has made a significant difference in the tempo of CYBERCOM’s operations outside the Department of Defense (DOD) Information Network.

First, let’s talk about the tempo. Remarkably, the article quotes an unnamed senior DOD official suggesting that, under the earlier decision-making procedures, approval for out-of-network operations was exceedingly rare: “I would say that in 8, 9, 10 years under the old decision process, I can count on less than two fingers the number of operations conducted.”

I’m no math major, but I’m pretty sure that “less than two fingers” means either one or zero. That’s a shockingly low figure, so low that it seems at first blush to be implausible. We have long known, after all, that CYBERCOM has had an active out-of-network role to play in support of the armed conflict with the Islamic State, via Joint Task Force Ares (JTF-Ares). The claim can be reconciled with JTF-Ares, of course, if we assume that the one approval for out-of-network operations mentioned by the unnamed official refers to JTF-Ares itself (thus subsuming within it all the many specific operations then conducted under that heading). Or perhaps there is an unmentioned caveat for out-of-network operations conducted in direct support of an ongoing armed conflict? Either way, the characterization remains: Under the prior rules, almost nothing got approved.

Is it different now? The combination of NSPM-13; the new doctrinal posture explicitly favoring out-of-network engagement with adversaries; and the new NDAA legal framework, which prunes away perceived obstacles such as claims that CYBERCOM lacked affirmative authority for non-armed-conflict scenarios or that such operations should be categorized as Title 50 covert action, collectively ought to make a difference. And now we have an explicit claim that they have. We don’t have numbers, but we do get a general claim from the unnamed official: “‘In this time since mid-August when the new process went into place, we’ve conducted many more operations,’ the official said.”

This is consistent with earlier reports about CYBERCOM activities in Russian networks, in a defending-forward posture, in relation to the 2018 election. And as Ellen Nakashima wrote on May 7 in the Washington Post, CYBERCOM also recently “operated in the networks of Ukraine, Macedonia, and Montenegro, which were being targeted by Russia, to help those countries identify foreign malicious activity.” Nakashima also notes that the JTF-Ares mission in some fashion has “expanded” to include “coordinating the cyber effort to counter violent extremism globally” rather than just in relation to the Islamic State.

What about the nature of these operations? We get some insight here as well. Not all the new operations are for “effect,” we are told in Pomerleau’s article. Many of these are, instead, “collection operations and preparation.” Which is exactly what one should expect, of course, but it’s still useful to see a degree of public discussion about it.

2. Clarifying what did and did not change with NSPM-13

Though NSPM-13 remains classified, it has been widely reported that its main thrust was to reduce the procedural obstacles to authorizing CYBERCOM to conduct operations outside of DOD’s Information Network. It seemed clear from prior reporting that this involved, at a minimum, a sharp reduction in the array of circumstances in which such operations would require presidential-level approval. And that is certainly reflected in Pomerleau’s article, as noted above.

But it had also seemed to me, previously, that NSPM-13 might have included a similarly sharp reduction in the amount of (or opportunities for) interagency vetting of such operations. That is, reduced interagency vetting might have been an express part of NSPM-13, or it might have followed indirectly from removal of presidential-level authorization requirements.

Pomerleau’s article suggests, however, that interagency vetting might be alive and well despite the reduction in presidential-level authorization requirements. Specifically, the article quotes Maj. Gen. Charles Moore, the J-3 at CYBERCOM, for the proposition that the new process still “requires very close coordination and synchronization with the interagency.”

I realize that this may be a characterization that is not shared by other participants in that process. Perhaps fewer entities have a voice in the process now, or perhaps the nature of the process has changed in a manner that reduces the leverage that participants can bring to bear when they oppose a proposed action. But it’s interesting, nonetheless, to see a direct assertion that interagency vetting continues.