Cybersecurity and Deterrence
Offensive Cyber Operations and the Interagency Process: What’s at Stake With the New Trump Policy
Yesterday the Wall Street Journal’s Dustin Volz reported that President Trump has altered the interagency process for vetting offensive cyber operations. We do not have the full details yet, but it appears to be the culmination of long-running efforts to make it easier and quicker to conduct such activities. Here’s a roadmap of some of the key interests and issues at stake.
I. Context: What sort of cyber activities is this story about?
Computer network operations—activities in “cyberspace”—can be divided into many categories. For our purposes, just bear in mind the following:
A. Activity within our own systems: Some (but not all) operations to defend US government networks take place solely within those networks. We’re not concerned with such activities here.
B. Activities involving unauthorized penetration of other systems: Things get interesting once we move outside our own systems, penetrating a system outside the United States without the owner’s permission. We can subdivide that category in many ways, including:
1. Collection operations: Espionage. Penetrating a system to collect intelligence.
2. Operations intended to have an effect: Sometimes the primary aim of a penetration is not to collect intelligence but, rather, to cause an effect. This could be deletion of data, alteration of data, manipulation of control systems, etc. And we might break this down further:
(a) Covert action – Some cyber operations intended for external effect of course will constitute covert action. In such cases, the usual legal and policy architectures for vetting and oversight will apply.
(b) Combat operations – Some cyber operations intended for external effect are part-and-parcel of ongoing combat operations. Where we are talking about in-theater penetrations and effects, the usual legal and policy frameworks for military operations apply.
(c) Other “offensive” operations – Here’s where it starts getting tricky. We’ll need some further subdivisions:
(i) Combat-related operations outside the theater: In some cases the operation is directed at an enemy against whom we are engaged in combat, but the operation itself penetrates a system that is located in some third country.
(ii) Operational preparation of the environment: In some cases the operation is anticipatory of potential conflict, involving advance work to ensure we have the implants and resulting access that might or might not be needed later.
(iii) Offensive operations below the threshold of armed conflict: In some cases the operation is not just anticipatory but intended for immediate effect, yet also unrelated to any ongoing armed conflict. These usually will be conducted on an unacknowledged basis (though it could be otherwise). If conducted on an unacknowledged basis, that should make you think of covert action first. But under the “Traditional Military Activities” (“TMA”) exception to the legal definition of covert action, such operations often won’t count as covert action when conducted by CYBERCOM. Note: this gets really complicated, but the brand-new John McCain NDAA FY’19 has important provisions designed to confirm that the TMA exception does apply to a lot of activities of this kind. Read all about it at Point 2 of this post.
The point of all this is that hard and unfamiliar issues arise as one moves into the “other offensive operations” category (B.2.(c)) I just described. This in turn led the Obama administration to adopt a set of rules calling for interagency vetting in at least some such cases—and that’s the set of rules that the Trump Administration has just changed.
II. What was the status quo under the Obama rules?
I want to be careful here. Famously, the relevant directive was leaked by Snowden along with so much else. It’s all over the web, and people write and talk about it all the time. Still, I’m under the impression it remains classified and so I’m not going to link to it or quote from it. Instead, I’ll simply quote this line from Dustin’s Wall Street Journal article:
“the Obama policy required U.S. agencies to gain approval for offensive operations from an array of stakeholders across the federal government”
That’s consistent with all the (voluminous) public reporting on this issue. The commonly-asserted bottom line is that, under the Obama-era policy, proposals for the sort of offensive cyber operations that concern us here had to run an interagency gauntlet.
III. What was wrong with that?
There have been endless stories over the past year or so emphasizing that some have been frustrated by this process, believing that it unduly slows down or even precludes desirable operations. As Dustin notes in his story, National Security Advisor Bolton is among those who may have been pushing for a sleeker system, and the removal and non-replacement of key cyber experts like Rob Joyce and Tom Bossert no doubt helped make this change more likely.
IV. So what has changed?
We don’t know with any precision, yet. But Dustin did get confirmation from multiple officials that the Obama rules have been replaced, and the only reasonable inference is that there will be less interagency vetting before CYBERCOM can conduct an operation of the kind we are discussing. Perhaps it is a massive shift away from any interagency vetting, or perhaps it is a marginal change involving much tighter timelines, fewer bites at the apple, and fewer participants. No doubt we’ll hear more soon.
Meanwhile, what are the big issues at stake in these changes?
V. The issues
Here’s a (really brief) roadmap:
A. Operational efficiency — Will the changes enable CYBERCOM to act with (much) greater dispatch? There are many who believe CYBERCOM has been hamstrung by the interagency vetting, and that our ability to counterpunch in cyberspace has suffered as a result. To the extent a given counterpunch is desirable otherwise, speed and efficiency to move from the decision to the execution certainly would be good. But whether a given counterpunch is desirable is a tricky issue. Let’s move on to consider why.
B. Deconfliction with competing national interests — Let’s assume for the sake of argument that, all things being equal, there is a strong national interest in favor of conducting a particular offensive cyber operation (say, e.g., screwing with the servers of the Internet Research Agency). The thing is, all things are rarely equal. It is critical to bear in mind that there may be additional strong national interests, and a proposed operation might imperil them. A recurring example in this space involves competing intelligence collection interests. If NSA is in the target system already and reaping important intelligence, an offensive operation that imperils that collection may or may not be in the country’s net national interest.
C. Bring on the lawyers… — One of the murkiest but potentially important aspects of interagency vetting appears to involve the opportunity for some participants to raise legal objections. These seem to have taken two primary forms. To some extent it has involved Title 10-Title 50 debates about the line between covert action and TMA. As noted above, the new NDAA seeks to put that issue to rest (hopefully it will do so at least to some extent!). But it also may involve international law concerns, where the operation will impact infrastructure in a third party that has not been asked (or cannot be asked) to consent to the operation. You can imagine how this one might intertwine with diplomatic concerns about third-country push-back.