Cybersecurity: Legislation

Decoding the 2017 NDAA’s Provisions on DoD Cyber Operations

By Charley Snyder, Michael Sulmeyer
Monday, January 30, 2017, 3:31 PM

Thanks to the at-times breathless coverage of the Obama Administration’s deliberations on cyber warfare policy and organization (and now the Trump Administration’s tweets and early proposals), it can be easy to forget that Congress can exert significant power when it comes to the roles, responsibilities, and authorities of executive branch agencies, including the different components of the military. In the most recent legislation authorizing the activities of the Department of Defense, Congress was particularly proactive in its approach to military cyber operations. Provisions of the Fiscal Year 2017 National Defense Authorization Act (NDAA), recently signed into law, will affect how the military organizes for and conducts cyber operations, in ways large and small. In this post, we examine some of the most important provisions that the Trump Administration must grapple with during its first year in office. 

Creating a Unified Command for Cyber Operations. Most importantly, Congress finally settled the “will they or wont they” debate regarding whether U.S. Cyber Command should be “elevated” to a unified combatant command from its current status as a sub-unified or subordinate command under U.S. Strategic Command. As former Pentagon officials working on cyber policy, we have each been involved in several rounds of assessment on this issue, so we are glad to see the end of this debate, if only to spare our former colleagues further rehashes.

Elevating Cyber Command by granting it the authorities of a traditional unified combatant command does not accomplish much in and of itself.  Indeed, our previous work on this question in government revealed that there is little that a unified command can do that a sub-unified command cannot do.  However, by elevating Cyber Command to a unified command, the four-star Commander of U.S. Strategic Command (responsible for the nation’s nuclear forces, among other issues) will no longer be in the chain of command between the Secretary of Defense and the Commander of Cyber Command.  The commander will now be on a level playing field with the other combatant commanders responsible for employing force. These hierarchy changes are largely symbolic, given the autonomy Cyber Command has enjoyed in recent years.

Empowering Cyber Command with New Authorities. Congress did not stop with elevating Cyber Command to a unified command. The legislation grants Cyber Command authorities above and beyond those given to most of the other combatant commands. Most combatant commands are primarily responsible for employing forces—i.e., preparing to fight wars. Cyber Command will have that responsibility, but the legislation also makes them responsible for developing forces—i.e., organizing, training, and equipping cyber forces. Many of these authorities are more akin to those normally performed by the military services (the Army, Navy, Air Force, and Marine Corps). These additional authorities include:

  • Developing strategy, doctrine, and tactics;
  • Preparing and submitting to the Secretary of Defense program recommendations and budget proposals for cyber operations forces;
  • Exercising authority, direction, and control over the expenditure of funds not only for forces assigned to Cyber Command, but cyber operations forces assigned to other commands as well;
  • Training and certification of assigned joint forces;
  • Conducting specialized courses of instruction for commissioned and noncommissioned officers;
  • Setting requirements for capabilities needed for cyber operations, and validating the cyber capability requirements of other DoD components;
  • Ensuring the interoperability of equipment and forces;
  • Formulating and submitting requirements for intelligence support; and
  • Monitoring the promotion of cyber operation forces and coordinating with the military departments regarding the assignment, retention, training, professional military education, and special and incentive pays of cyber operation forces.

Only Special Operations Command has such a broad mandate for both developing and employing forces; indeed, much of this new legislation mirrors legislation from the 1980s establishing Special Operations Command. It appears here that Congress is seeking to avoid the mistakes that plagued the special operations community leading up to the creation of Special Operations Command. Until its establishment in 1987, the military services were not sufficiently attuned to the unique needs of the special operations community, gave their special operators short shrift in terms of promotions and assignments, and did not treat special operations as a core competency that required focused capability development and specialized doctrine and strategy. This resulted in the Desert One debacle and other events that together prompted congressional action. The move to endow Cyber Command with new authorities appears to be a similar attempt to create a central champion for the cyber community across the military.

These authorities, along with Congress’s charge last year to Cyber Command to establish an acquisition arm, will represent a dramatic shift in the way the military organizes, trains, and equips for cyber operations—taking power from the Army, Navy, Air Force, and Marines, and giving it to a central cyber command.  One risk of empowering Cyber Command with these new responsibilities is that the command (indeed, like most commands) is neither staffed nor resourced to execute them.  Needless to say, it will take some time, just as it took Special Operations Command time in the 1980s and 1990s, to embrace these special, service-like authorities. 

Also notable is the legislation’s emphasis on integrating Cyber Command’s operations with those of the geographic commanders. The congressional language specifies that cyber operations should be conducted under the command of the geographic commander, as opposed to the commander of Cyber Command, unless otherwise directed by the President or Secretary of Defense. With talk of “cyberwar” dominating the headlines, it is easy to lose sight of the broader geopolitical context, within which cyber is just one tool of national power. This language encourages the military to integrate cyber capabilities into full spectrum operations across all domains, versus a construct where cyber operations are centrally directed and divorced from integrated joint operations.

Bolstering Civilian Oversight of Cyber Command.  Finally, the 2017 NDAA empowers the Principal Cyber Advisor (PCA) to the Secretary of Defense with the authority, direction, and control over most of Cyber Command’s new activities. This PCA position and office were established by Congress in 2014 to try to consolidate the myriad organizations with equities in military cyberspace operations and cybersecurity across the Department of Defense and to create a central official responsible to the Secretary of Defense. The original legislation from the FY14 NDAA charges the PCA with “overall supervision” of DoD cyber activities, yet the office has no authorized permanent positions, consisting of short-term detailed personnel rotating in and out of the office from across the Department. The PCA role has been filled by an assistant secretary within the Office of the Under Secretary of Defense for Policy, and its staff is collocated with the Under Secretary for Policy’s office focusing on cyber policy. While the Cyber Policy office focuses on cyber warfare policy and strategy, the PCA focuses on enterprise management across all of the DoD’s cyber organizations and activities.

As a result of the 2017 NDAA, the PCA will need to evolve into an organization more akin to a service secretary, similar to the role played by the Assistant Secretary for Special Operations and Low Intensity Conflict in overseeing Special Operations Command. The Department would be well-served to treat civilian oversight just as seriously as it treats the elevation of the command itself. The PCA will be critical for ensuring the activities of the command are in line with the objectives and vision of national civilian leadership, and it should be equipped with a permanent staff to oversee administration, budgets, acquisition, training, and all the other new functions that Cyber Command has now been granted.

Placing Roadblocks to Splitting the “Dual-hat.” Congress also waded into the contentious issue of whether or not Cyber Command and the National Security Agency should be led by the same individual.  Congress inserted a provision into the authorization act to make it more difficult for the Executive branch to split this “dual-hat” relationship. This provision requires the Secretary of Defense and the Chairman of the Joint Chiefs of Staff to certify jointly to the Armed Services, Appropriations, and Intelligence committees that the split will not pose unacceptable risks to the military effectiveness of Cyber Command.

At Cyber Command’s initial formation in 2009, senior officials decided to collocate Cyber Command and NSA so that the Command could benefit from the world-class talent capabilities at NSA.  They decided to give the organizations a single leader to breed cross-fertilization across offense and defense and to encourage NSA to share the most sensitive intelligence on cyber threats in real time with the new operational Cyber Command. (For more on Cyber Command’s history, see Fred Kaplan’s book Dark Territory.) Even at the time, some were concerned that this would place too much responsibility in one person’s hands and give Cyber Command a bias towards its offensive missions.

The Obama Administration had reportedly been close to ending the dual-hat arrangement on several occasions. Following a review initiated after the Snowden leaks in 2013, the Administration opted to preserve the arrangement to ensure coordination between the organizations and to avoid duplication of effort. In 2016, the Administration again came close to separating the two positions. In the signing statement accompanying this bill, President Obama endorsed the separation, indicating that a recent review found that Cyber Command had sufficiently matured and no longer needed to rely as closely on NSA’s capabilities, and that each organization deserved a leader devoted to executing their respective missions.

Now, this move will potentially become less palatable: as it has matured, Cyber Command has undoubtedly benefited from the support of NSA, and departmental leadership may be more hesitant to split the organizations if it requires stating on the record that it will not create any undue risks. Some officials are reportedly concerned that without a referee heading both organizations, cooperation will suffer and Cyber Command will be less able to get the support it needs from NSA to be successful. Other senior military officials reportedly believe that Cyber Command’s military mission (to operate with a degree of openness and create military effects) is being stunted by its reliance on NSA (an organization that operates clandestinely to collect signals intelligence). The inclusion of the Chairman in the certification suggests the Armed Services committees want an unvarnished military opinion in addition to a broader assessment of the policy and political benefits to ending the dual-hat arrangement that the civilian leadership of the Department would normally provide.

Improving the Cyber Workforce. Attracting information-security talent is a top concern for government officials, and Congress continues to tinker with the authorities that would make the military more competitive in the fight for skilled personnel vis-à-vis the private sector (not to mention other government agencies). Last year’s NDAA authorized the Department to create an “excepted service” for civilian cyber operations personnel, modeled after existing hiring programs for the Intelligence Community, that would exempt the Department from certain federal hiring laws to build its cyber workforce. This latest legislation includes provisions that

  • permit direct commissions of cyber personnel to be officers, similar to arrangements made for doctors and lawyers;
  • expand an existing private sector jobs exchange program for information technology personnel to include cybersecurity personnel;
  • add a training requirement for human resources personnel to ensure they are aware of these new hiring flexibilities; and
  • grants managers interim hiring authorities while the cyber excepted service is still in development.

While these provisions indicate a high degree of interest in and concern for human capital, they still look like marginal reforms to us rather than radical changes to the way the military recruits and retains talent for information security and cyber operations. The U.K., for example, notably waived common military regulations, including those covering physical fitness and grooming, to recruit technical talent for their cyber reserve component. While the authorities in the NDAA will no doubt help DoD build and maintain its forces, the U.S. does not appear ready for more fundamental changes to the workforce at this time.   

Deterring Adversaries in Cyberspace. Congress continued its efforts to improve the executive branch’s deterrence posture by requiring the Secretary of Defense and Chairman of the Joint Chiefs of Staff to provide a list of military and non-military options available to deter or respond to malicious cyber activities and a list of rules of engagement and operational plans for executing said options. Once such a list is provided, the President is then required to articulate when and in what circumstances he would authorize the execution of such options. This provision is an attempt to force the Administration into articulating a stronger and clearer public policy to deter cyber attacks. An earlier bill also forced the Administration to develop a report on its cyber deterrence policy, and it was not well-received on Capitol Hill. Though these kinds of reports can cause political headaches for any administration, the simple fact is that setting U.S. defense policy is the executive branch’s prerogative, and the new Administration is likely to bristle at this request to predetermine sensitive national security decision-making.

DoD Critical Infrastructure Vulnerabilities. The bill also directs DoD to develop a plan and a pilot to evaluate the cyber vulnerabilities of DoD-owned critical infrastructure. Generally, discussions of critical-infrastructure cybersecurity focus on those infrastructures that are privately owned and operated, like the electric grid. This provision is a good reminder that the military itself owns and operates a wide array of critical infrastructure—much of which has the same vulnerabilities as commercial critical infrastructure.

Emergency Procurement of Cyber Capabilities. Congress has been legislating on cyber acquisition issues for several years; recent authorization bills have attempted to provide authorization for the rapid acquisition of cyber capabilities and have granted Cyber Command the authority to establish their acquisition office. This latest bill amends the previously-authorized special emergency procurement authority to ensure it can be used to facilitate the defense against or recovery from a cyber attack on the United States, in addition to the existing authority to defend against or recover from nuclear, biological, chemical, or radiological attacks and to support contingency operations.  This emergency authority allows more flexibility and higher spending limits when invoked, and has been used in support of Hurricane Katrina recovery as well as the emergency purchase of armored vehicles known as MRAPs (Mine-Resistant Ambush Protected) during the Iraq War. That said, its usefulness in a cyber attack scenario may be limited. If an attack is imminent, it may be too late to be call a contracting officer to purchase additional firewalls. 

VIP Cyber Support. Finally, the bill has an interesting provision allowing the Secretary of Defense to provide military cyber support to secure the personal devices of any officials in the Department that the Secretary deems vulnerable to cyber threats. While the bill makes clear that the language is not intended to encourage DoD personnel to use their personal devices for official business, it is an explicit recognition of the risks to our national security from the targeting of senior leadership’s communications, personal or otherwise.

Conclusion.  The 2017 NDAA features a range of provisions that will shape how the Defense Department develops its organizations and capabilities to manage conflict in cyberspace.  Now, Secretary of Defense Mattis and his new team must implement these provisions as they get up to speed with governing the Department of Defense as a whole.  We anticipate that Cyber Command’s elevation will precede the implementation of many of the other provisions in the 2017 NDAA.  We also believe that it will take the newly independent Cyber Command some time to evolve into the service-like entity envisioned by parts of the 2017 NDAA.  The key for Cyber Command and the Office of the Secretary of Defense will be to demonstrate progress over the next year in reports and briefing to Congress, even though it will undoubtedly take longer to achieve the goals Congress set forth in the cyber provisions of the 2017 NDAA.