Cybersecurity

Trump’s Secret Order on Pulling the Cyber Trigger

By Dakota S. Rudesill
Wednesday, August 29, 2018, 10:30 AM

As Bobby Chesney recently discussed, President Trump on Aug. 15 reportedly substituted a new classified order for a classified Obama-era presidential directive governing the interagency review and decision process for cyber operations. Trump administration officials were quoted describing the new rules for pulling the cyber trigger as adding flexibility and providing “an offensive step forward.”

Chesney’s post provides a great overview of several definitional, legal and process issues at stake in the change. What bears additional emphasis is the consistency of Trump’s reported cyber order with a number of trends in national security governance, all of which provide agencies greater latitude and in some ways reduce the president’s personal accountability.

  1. Driving Decision Responsibility Down

It is by now clear that the Trump administration is pursuing a broad project of driving responsibility for national security decisions down the chain of command, and reducing review by the White House’s National Security Council (NSC) interagency process. The result is to empower agency-level actors, particularly cabinet secretaries, the directors of the NSA and CIA, and military commanders.  But decision devolution also drives up risks of uncoordinated government activity. Ultimately, the president is coming to bear less practical responsibility, and potentially less political responsibility, even as he retains ultimate constitutional and moral responsibility for what happens on his watch.

The Wall Street Journal reported that the Obama-era directive—which has been leaked but evidently remains classified—“required U.S. agencies to gain approval for offensive [cyber] operations from an array of stakeholders across the federal government.” The Trump administration has reportedly eliminated much of that interagency review, and has provided the Defense Department and its U.S. Cyber Command (USCYBERCOM) with greater solo decision-making power.

This recalls the Trump White House’s move last year to give the Defense Department more and faster decision-making authority in using force against the so-called Islamic State, to loosen rules of engagement, and bring fewer issues to the National Security Council. Trump also set aside much of the Obama-era interagency “playbook” for off-battlefield counterterror kill or capture operations. Trump’s “Principles, Standards and Procedures” reduce interagency and White House review, give the Defense Department and the CIA greater independent decision-making authority, and allow use of lethal force off-battlefield not just against high-value targets but also against lower-level members of terror organizations.

The decision to give agencies more freedom in national security operations, and reduce interagency review and presidential decision responsibility, has significant pros and cons. These issues deserve careful consideration by the public and Congress.

On the one hand, less interagency process and presidential review can mean faster decisions by agencies. They have expertise and are operating in the field, whether that field is in the physical world or cyber realm. More freedom for agencies can mean fewer missed opportunities against fleeting targets and rapid incoming attacks. More freedom allows greater agility, initiative and creativity at the agency level. These virtues make intuitive sense in the fast-moving counterterror context, and even more sense in the cyber realm, where attacks move at the speed of light across fiber networks and where the attacker often has the advantage. Less personal involvement by the president also saves the chief executive’s time for other matters. And less process at the White House can avoid micromanagement by the president and National Security Council staff, about which defense secretaries and others complained during the Obama administration.

On the other hand, less interagency review can mean lower-quality decisions. The interagency process facilitates consideration of all agency equities, with the benefit of information in the hands of all agencies. As reflected in the statute establishing the National Security Council and related presidential memoranda, interagency review at the apex of the executive branch can coordinate consideration of not just military factors but also intelligence, diplomatic, law enforcement, legal and homeland security factors as well. In a complex world in which cyber and counterterrorism decisions can have implications in all these realms, having everyone at the table makes sense.

There are often tough trade-offs, too, among eliminating a threat, continuing to collect intelligence on it and asking a foreign partner to handle it. Similarly, conceptualizing a threat as a military danger, espionage, terrorism or criminal activity can carry different implications for the U.S. response, and which government actors are in charge. Less interagency coordination can mean a lack of unified executive branch decisions on these matters. Less interagency coordination can also mean less opportunity to do deconfliction, meaning a higher risk that different agencies in separate classified programs will accidentally or even knowingly work at cross-purposes. Duplication, waste, harm to innocent people and their property, and even friendly-fire deaths can result. Anyone who has spent a day in government, or studied it, knows that agencies tend toward group-think, narrowed focus and parochial self-interest. If the interagency process is working well, important issues are assessed in all their aspects, assumptions are identified and challenged, and a full range of options is developed and evaluated for the NSC principals and the president.

Pushing responsibility away from the president has potential hazards, too. Greater agency autonomy means less real necessity for the nation’s chief executive to confront and take ownership of hard national security choices, practically and morally. That is problematic for a republic in which the president is the single actor in the executive branch’s national security chain of command who is electorally accountable.

As one reads about the president’s moves on cyber, it is hard not to recall newly inaugurated President Trump blaming the military when a special operations mission he approved resulted in the death of a Navy SEAL. Trump later shifted blame for deaths in another special operations mission in Africa as well. It is reasonable to wonder whether Trump shares President Harry Truman’s view that “the buck stops here.”

Of course, concern over accountability transcends administrations. During any administration, use of the nation’s sword—be it conventional, cyber or nuclear—carries inherent risk of failure, American losses, and unintended harm to noncombatant persons and property. (Indeed, civilian casualties from U.S. military operations during Trump’s tenure appear to be way up.) Devolving the hard calls down to the agency level puts a president in a politically advantageous position: Agencies take the blame for failures, while the president can still take credit for any successes on their watch.

There are some particular benefits for Trump and his unique operating style. With the agencies doing the hard day-to-day work on their own, the president may feel more free to float and abandon positions without agency review, or to take positions opposed to those of the agencies he supervises. Trump’s decision to scrap the interagency review process he inherited on cyber, counterterror operations and other issues is a continuation of his efforts to dismantle the legacy of President Barack Obama, who valued painstaking review of national security operations and readily assumed and deeply felt the moral weight of decision-making. Any action undoing Obama’s work usually plays well with Trump’s strongest supporters, as does more latitude for the military—at risk of greater militarization of U.S. foreign policy and national security.

  1. Secret Cyber Law

A second trend evident in President Trump’s change to the decision process for cyber operations is one that has been apparent during the last several presidencies. That is the secret law problem: use of legal authorities that are classified or otherwise unpublished. As my review of the public record in all three branches found, secret law is a limited but important exception to the norm of publication of the law.

Media accounts indicate that Obama established the interagency cyber-operations decision process through a presidential directive, a type of document that like an executive order has legal force. Absent congressional or judicial action, it takes one presidential order to repeal or replace another—which is what Trump appears to have done. And like the superseded Obama order, Trump has kept his directive classified.

It is inevitably problematic in a republic of popular sovereignty for the president—or any other government actor—to be able to change law and policy without public notice. Use of secret law removes the accountability provided by public scrutiny. Add in decreased interagency review, and agencies will inevitably be tempted to perceive even more latitude to act, and to flexibly interpret their secret authorities. Here, the secret law in question concerns who in the executive branch can authorize cyber operations—which are notoriously hard to contain in the internet age, and (as the Wall Street Journal story indicated) could have domestic ramifications.

As my study “Coming to Terms with Secret Law” explored, one can imagine situations in which, for operational security reasons, the nation decides to tolerate some amount of secret law. For example, it makes sense to keep secret a legal authorization to execute a specific cyber intrusion (at least initially) so as not to tip off the target. But what Trump just altered is something else—the order establishing the overall executive branch decision process for pulling the cyber trigger. Presumably, no particular operations are mentioned in Trump’s order. And it is already a matter of public law that the president and Defense Department have legal authority to conduct cyber operations (more on that below). No matter who is in the White House, it is not clear why a decision process order—and therefore who is accountable for cyber operations—should be kept from the public.

If we are rightly uncomfortable with secret law, then either it should be abolished, or else we need some rules of the road for living with it. I will mention here applications of several especially relevant principles and rules for permitting some limited amount of secret law on the cyber decision process.

For example, our legal system’s presumption against secret law should be reflected in early declassification. The date for automatic declassification of documents with legal force should be earlier than for secret documents generally. Similarly, any secret law should carry a fairly near-term sunset date. In the meantime, transparency would be improved by releasing an unclassified summary or redacted version of Trump’s new cyber order, as Congress in the 2015 USA Freedom Act stipulated for significant legal interpretations by the Foreign Intelligence Surveillance Court.

Additionally, publication of a brief notice in the Federal Register would ensure that any new secret presidential directive or other non-published legal authority would be only a “shallow secret”—the secret’s exact contents remain hidden, but the fact of creation of the secret law, its creator, general subject matter (“cyber operations”), and effective date and sunset dates would be known to the public. (In contrast, a “deep secret” keeps both the secret and its existence unknown.) The Federal Register notice would avoid the hazards of relying on leaks. Such a published “bell ringer” would allow enough public awareness to track secret legal documents, to have a sense for how much secret law the government is creating, and to know how often the government changes the secret rules it writes for itself regarding its growing cyber capabilities. The public could then ask their congressional representatives to go behind the curtain and have a look—without compromising classified sources, methods or information. Either in Public Law or in the classified legislative addenda that Congress gives the force of law, lawmakers could then rein in the president or an agency if members of Congress did not like what they saw.

  1. Legislated Rules for Cyber Operations

Trump’s efforts to push responsibility down the chain of command and his use of secret law come in the context of a third trend: congressional efforts in Public Law to organize legal authorities, decisions and reporting regarding cyber operations. Congress, too, is providing greater latitude for action at the agency level.

In Section 954 of the 2012 National Defense Authorization Act (NDAA), Congress affirmed that the Defense Department “upon direction by the President may conduct offensive operations in cyberspace” subject to the law of armed conflict and War Powers Resolution. Based on media accounts, it sounds like Obama’s order on cyber decision process—and, even more so, Trump’s order—represent delegations of this authority. Subsequent NDAAs underscored the Defense Department’s authority and stipulated 48-hour and quarterly reporting requirements at the agency level. According to Section 1642 of the most recent NDAA (for 2019, signed Aug. 13, and named for the late John McCain), if the “National Command Authority” (the president and the secretary of defense) determines that Russia, China, North Korea, or Iran are conducting an “ongoing campaign of attacks … in cyberspace, including attempting to influence American elections,” the military can “take appropriate and proportional action in foreign cyberspace” in response. In Section 1632 of the new NDAA, Congress stipulates that “clandestine military activity or operation in cyberspace” shall be considered a “traditional military activity.” This provides an exception to the covert action statute and the decision and reporting obligations that prior law assigns specifically to the president. (For more on the recent NDAA’s important cyber provisions, read Bobby Chesney’s terrific analysis).

As I argue in my scholarship, statutes of this kind on cyber operations amount to constitutional “Rules for the Government and Regulation of the land and naval Forces.” Along with appropriations and other constitutional powers, this Article I, section 8, clause 14 power also gives Congress authority—in the context of the Youngstown-centered separation of powers doctrine—to structure the executive branch decision-making process. As it did in the covert action statute, Congress could place more responsibility on the president personally for decision and reporting regarding cyber operations. In the wake of the Trump White House’s controversial elimination of the position of National Security Council cyber coordinator, for example, Congress could codify in statute for cyber operations an analogue to the requirement for NSC review of all proposed and ongoing covert actions found in Sections 1.2(a) and (b) of Executive Order 12333 (2008). Congress could also stipulate greater public reporting of the guidelines, processes and legal documents that structure executive branch decision-making and accountability regarding cyber operations.

***

Congress’s legislative productivity overall has declined during this century as its dysfunction has worsened. But Congress regularly legislates on national security: the NDAAs, intelligence authorization acts and defense appropriations bills still get passed. Congress has so far provided the Defense Department both latitude for action and some important rules for cyber operations, and lawmakers could just as easily use congressional  powers to manage the decision devolution and secret law trends spurred onward by President Trump’s reported cyber order.

With the Joint Chiefs of Staff warning that permanent U.S. “global cyberspace superiority is not possible due to the complexity of cyberspace,” the country needs swift decisions on cyber operations. It also needs good decisions. And the public must be able to hold elected officials accountable for use of cyber weapons that are uniquely hard to control in a computer-dependent, networked world. In this context, Trump’s reported order offers more agency-level agility and freedom, but also potentially less responsibility for the president and less coordination among the multiple executive branch actors with cyber equities. And the newest decision-process rules from the president remain classified, without any readily evident reason to conclude that they need to be hidden from the public.

These considerations suggest that Congress should give greater focus to decision devolution and secret law, along with how they operate together. Congress must also be willing to legislate new decision processes and operational rules to get the balance right among speed and agility, interagency coordination, presidential accountability, secrecy and transparency.

***

Disclaimer: The views expressed in this publication are the author’s and do not imply endorsement by the Office of the Director of National Intelligence or any other U.S. Government agency.

Topics: