Back in May, I noted that the House version of the NDAA contained a very interesting section addressing “military activities” in cyberspace. Section 962 of that bill would have “affirmed” that DOD may conduct military activities in cyberspace (including clandestine operations at least when acting in support of military activity under the 9/18/01 AUMF and the target is outside the United States, or when the activity is responsive to an attack on DOD assets). I wrote at the time that this seemed responsive, albeit in a fuzzy way, to the so-called “Title 10-Title 50” debate and thus had implications for the various issues that debate entails (I write about these issues in much more detail here; they include questions such as what counts as “covert action” subject to finding and notification requirements, what counts as “traditional military activity” that is exempt from the “covert action” definition even though the US role is not intended to be acknowledged, and whether the applicable substantive legal constraints differ depending on whether one is acting under the Title 10 or the Title 50 heading). The Senate, for its part, ultimately included nothing comparable in its NDAA bill, and so the discrepancy had to be addressed during the recently-concluded conference.
The end result is section 954 of the Conference version of the NDAA. The new language is brief, yet very interesting:
SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.
Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to—
(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and
(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).
So…what does this accomplish? First I'll discuss the issues impacted by the text itself. Second, I'll discuss some important issues directly addressed only (or at least only clearly) in the explanatory statement promulgated by the Conference Committee in connection with this section.
I. The Text of Section 954
Based on the text alone, there are three components to this provision: An affirmation of authority, a requirement of presidential authorization somewhat akin to the covert action requirement of a presidential finding, and a limited clarification of how such operations relate to various other bodies of law.
A. Affirmation of Authority to Conduct OCOs
First, section 954 makes clear that DOD can conduct offensive cyberspace operations (OCOs) under certain conditions, defined very, very loosely as the defense of the nation, of allies, and of our “interests.” That’s not much of a limitation, of course; the reference to interests would seem to encompass just about any scenario in which one might like to be able to conduct an offensive operation. And I suppose some might look at this language and draw the conclusion that section 954 is some kind of free-standing cyber-AUMF, usable at presidential discretion. But I really do not think this is what the "affirmation" language means to signify. On the contrary, with respect to separation of war powers I think the whole section is premised on the notion that there already is some separate underlying legal foundation for the action, such as the 9/18/01 AUMF in the case of an OCO directed at an al Qaeda website or Article II national self-defense for fact patterns that might fall under that heading. Put another way, I don't think the purpose of section 954 is to grant new authority, but rather to clarify a variety of procedural and substantive questions OCOs raise. So on to the first such issue, which concerns the decision-making process.
B. Requirement of Presidential Authorization
Substantive conditions aren’t the only way to limit how an authority can be used. Procedural constraints, such as requiring the affirmative approval of senior officials, can contribute to this end as well. We see this in the context of "covert action" under Title 50, for example, in the requirement of a presidential finding approving such actions.
As I explain in Part II below, one intended consequence of section 954 seems to be to make clear that OCOs need not be categorized as "covert action" even when conducted in a manner in which the US role is not meant to be apparent or acknowledged, but instead may be categorized under the "Traditional Military Activities" (TMA) exemption. That has the effect, among other things, of making clear that no presidential finding is required. But presumably out of recognition that at least some such operations are sufficiently consequential to in fact warrant presidential involvement as a condition precedent, the text of section 954 imposes a stand-alone requirement that covered OCOs must be authorized by the President.
A few observations about this:
Programmatic OCO "Findings"
First, I would imagine we would see "findings"-style authorizations in which programmatic approval can be provided for certain categories of OCOs, thus enabling specific OCO activities to be undertaken in real time as circumstances warrant rather than having to go find the President and get approval for every individual OCO. Section 954 does not really weigh in on this, so that's just my speculation.
Interagency Vetting of OCO Proposals
Second, the utility of insisting upon presidential authorization, as opposed to just SecDef authorization or that of a commander, is that it makes it likely if not certain that there would be interagency screening of the proposed OCO (or set thereof) under the auspices of the NSC staff process, with more than just DOD weighing in on the question. For example, the State Department – which institutional equities disposing it to perhaps pay more attention to collateral/unintended consequences that an operation might have on other countries – might well have more of a voice as a proposal for a particular operation makes its way up the chain to the President. In this respect, I should emphasize at this point that the public record reveals that there has been a fairly long-running fight over just these sorts of issues within the executive branch over the past couple of years. Ellen Nakashima’s story last week is highly relevant here, and there also is relevant material in the Schmitt & Shanker book Counterstrike. Hard to tell from the outside if section 954 is a codification of what has been worked out, or if instead it will break some sort of logjam.
Which OCOs Really Require This?
A third issue arises when one considers the fuzzy lines distinguishing among OCOs, defensive cyberspace operations, and cyberexploitation, all of which may have effects comparable to an OCO. The presidential authorization requirement obviously is meant to attach only to offensive operations, but it seems clear that there could be lots of disagreement as to when this obligation truly must be brought to bear. As I note below, it may be that nothing turns on this insofar as Congress is concerned, and so any disputes on these points most likely would arise as an interagency matter...assuming, of course, that non-DOD elements in the interagency actually learn about whatever operation is in question.
Further complicating matters, it may be that there are cyberspace operations that are best thought of as "offensive," yet which are relatively de minimis in significance, not rising to the level of "use of force" implicating jus ad bellum and LOAC concerns....and as to those, it is not quite clear that this language is meant to require presidential authorization. That is, it may be that OCOs as used in this context are meant to encompass only those more serious uses of (cyber)force.
C. Other Legal Constraints:
Section 954 calls for OCOs to be conducted subject to the same policies and legal frameworks that govern kinetic ops, and also references the WPR.
Most interesting to me is the specific imposition of two sets of additional constraints on offensive operations carried out under 954. First, the statute makes explicit that such operations must comply with the policy and legal frameworks that would govern a kinetic operation. This includes, explicitly, the law of armed conflict. The million dollar question is whether and to what extent it also includes neutrality/sovereignty considerations. As the public reporting has repeatedly emphasized, the big stumbling block in such operations is the fact that they can have a debilitating impact on servers located in other countries, raising the question whether this amounts to an infringement of that other country’s sovereignty or perhaps even its rights as a “neutral” in an armed conflict. Section 954 arguably speaks to this question by requiring that the offensive cyberoperation be governed by the same rules as would a kinetic operation…yet it seems to me that even if you agree which rules apply, cyber operations by their nature and effects still may be difficult to analyze under those frameworks. That is, it will remain as hard as ever to say whether a particular action with some complex impact on a server in some other country is properly viewed as violating that state’s sovereignty/neutrality. In any event, this language perhaps helps minimize the range of issues in dispute.
Then there is the reference to the WPR, which has a similarly unclear effect. It seems likely that the aim here was to dispell any argument that section 954 itself might be read as a congressional authorization sufficient to discharge any WPR-related requirements, assuming the operation in question otherwise would implicate the WPR. But it's not clear to me, come to think of it, how a cyber operation might ever implicate the WPR. More specifically, it's not clear to me how cyber operations might implicate the triggers listed in WPR section 4(a), such as 4(a)(1)'s reference to introduction of U.S. forces into hostilities (or circumstances of imminent hostilities) or 4(a)(2)'s reference to deployment while equipped for combat. Even without embracing the administration's position on the WPR in regards to Libya (i.e,. that the use of armed drones do not constitute the presence of U.S. forces in hostilities, given the lack of exposure to U.S. personnel), it is not easy to map the WPR triggers onto the cyber operation example.
Which raises the question whether there isn’t some better way to ensure some amount of legislative awareness of such operations. The original House bill, notably, simply required quarterly briefings to SASC and HASC for operations carried out under this authority. That was the right way to do it, in my view, and I’m sorry to see that this is not part of 954.
II. The Explanatory Statement for Section 954: The covert action/TMA distinction
As I noted above, the original House version of the bill had been framed very much as an effort to address (also) questions as to whether OCOs should be deemed “covert action” or, instead, “traditional military activity” (TMA). If the former, then a presidential finding is required, and the finding must be shared with SSCI and HPSCI. If TMA, neither is required (though as noted above, OCOs under section 954 now will require presidential authorization nonetheless). Some take the view that the covert action/TMA distinction also impacts the question of which substantive bodies of law constrain the underlying activity (and how).
Nothing in the text I review above speaks to this issue. But note that it is still addressed explicitly in the explanatory statement accompanying the conference bill. In relevant part, the conferees wrote:
…The conferees recognize that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in relation to cyber operations and that it is necessary to affirm that such operations may be conducted pursuant to the same policy, principles, and legal regimes that pertain to kinetic capabilities. The conferees also recognize that in certain instances, the most effective way to deal with threats and protect U.S. and coalition forces is to undertake offensive military cyber activities, including where the role of the United States Government is not apparent or to be acknowledged…. (emphasis added).
That is not the clearest language ever. It seems to me, however, that this is meant to overcome any argument that OCOs cannot qualify as “traditional military activities” simply because of the novelty of their nature and the technologies involved. I can't resist pointing out that the novelty argument probably should not matter in the first place, at least not if you buy the arguments I spell out in my Title 10-Title 50 article. But set that aside, and assume they do matter to at least some participants in the internal government debates. In that case, one can imagine arguments running back and forth as to what an OCO might be comparable to in terms of military activity in the pre-digital world, with some feeling that there are good analogies and others thinking it is all quite novel and unprecedented and hence not "traditiona." The explantory statement, on this view, is an effort to put that issue to bed in favor of applying TMA to OCOs.
Of course, none of this TMA business is in the text of the statute, and so the analysis above matters only assuming one gives weight to what appears in this explanatory statement. In my view, the explanatory statements and committee reports have always been unusually important in the Title 10-Title 50 debate context, as repositories and expressions of carefully-negotiated compromise positions, and so I’m not surprised to see that same approach carried forward here. It may be that since these aren’t the sort of issues that get litigated in court anyway, it is more sensible than normal to leave such impotant details in the legislative history documentation rather than ensuring their clear expression in the statutory text.