Cybersecurity and Deterrence

Should Interagency Vetting of Defense Department Cyber Operations Be Reduced?

By Robert Chesney
Friday, May 4, 2018, 8:00 AM

To what extent should other agencies have the chance to object on policy or legal grounds when the military wants to conduct a cyber operation that will have effects outside of the Defense Department’s own networks?

That’s the question at the heart of a fascinating story by Chris Bing at CyberScoop on Wednesday. Bing reports that unidentified personnel within the National Security Council “are pushing to rescind Presidential Policy Directive 20” (issued in May 2012 in order to ensure interagency coordination in cyber matters) as part of a larger effort “to create a more streamlined channel for military leaders to get their offensive cyber operations greenlit.” Not surprisingly, this effort has met resistance from intelligence agencies that anticipate the disruption of their collection efforts, and from other unspecified agencies. (I would guess the State Department, among others.) 

This is, of course, a familiar tension. Usually it comes up under the heading of plans to separate leadership of Cyber Command from that of the National Security Agency (that is, the “dual-hat” issue). A couple of years ago, commanders involved in the conflict with the Islamic State grew increasingly frustrated by intelligence community’s resistance to proposals to manipulate, disrupt, or destroy online assets linked to the Islamic State. Collectors wanted to preserve the ability to collect, while commanders wanted to try to shut down enemy communications. Because a single person (at that time, Adm. Mike Rogers) commanded Cyber Command while directing NSA, the collection-disruption tension to some extent could be resolved, for better or worse, through him. And for those who felt collection equities won out too often, this became an additional argument for separating the dual-hat. (See here for my detailed chronology of the back-and-forth on this issue, and how Congress has responded to it.)

But the deconfliction process has never been an issue solely about the dual-hat. As Bing’s story about PPD-20 reflects, there are larger interagency processes in place. There is no doubt that these processes provide a vehicle for ventilating the broad array of considerations that come into play with out-of-network cyber operations. In addition to the clash of collection and disruption equities, diplomatic and legal issues abound when the operational effect will occur in the territory of a third party. One can readily imagine the degree to which resolution of such questions takes up time, and why military commanders might wish to be freed from the resulting friction. Yet that friction exists for a reason; these are serious issues implicating many equities. 

I have no idea what the particulars of the current interagency processes are, but I am quite willing to believe they might be streamlined while still properly accounting for the full range of America’s interests in these situations. That said, it’s obvious that such steps must be taken carefully. The fact that both Tom Bossert and Rob Joyce recently have left the National Security Council does give me pause from that perspective.

A final note: In the debate over separation of the NSA-CYBERCOM dual-hat, I have often expressed concern that the separation might destabilize the process of deconflicting collection and disruption equities. In response, some have argued that this concern is adequately addressed by the existence of larger interagency deconfliction mechanisms. Not knowing the details, I’ve been prepared to assume that this is indeed so. And perhaps it will continue to be so even if the current procedures are streamlined in some significant way, as Bing says some are seeking. But the combination of those two changes would certainly raise the risk of a pendulum swinging too far in the opposite direction. One hopes that the intelligence committees and the armed services committees are watching closely.