The drafting, negotiation, and passage of the National Defense Authorization Act (NDAA) is an annual event that sets the annual budget for the Department of Defense. During this time Congress is able to exert control over the priorities, guiding principles, and issues that will be addressed by the department in the coming year. The 2018 incarnation of the NDAA, which has just been signed into law by the president, includes, nested in Title XVI, Subtitle C, provisions, a requirement that the White House and the DOD meaningfully investigate, consider, and establish national standards and guidance in the cybersecurity and cyber-warfare space. They must explore the development of a national posture for these issues.
Title XVI, Subtitle C, which is referred to as “Cyberspace-Related Matters,” contains several provisions, suggestions and requirements which range from prohibiting Kaspersky Lab products on federal systems (Section 1634) to studying the application of blockchain technologies for the DOD (Section 1646), and even authorizing the department to help states assess and detect cyber vulnerabilities in state elections (1638). Additionally, Congress wants DOD to concentrate on increasing America’s leadership role in the development of international legal norms for cyber warfare. While these are all important aspects of the U.S. national cybersecurity posture, they are constituent elements of a much larger query: what is the U.S. cyber posture and position. Fortuitously, this section contains provisions that require the DOD to analyze, study and propose answers to these questions which play a unique role in preserving America’s national security into the twenty-first century. Congress has used its power of the purse to ensure heightened engagement with these essential issues. This article seeks to present and consider Congress’ priorities in this space as they were made manifest in the 2018 NDAA.
Section 1631 & 1632—Developing Legal Norms in Cyber Warfare
We begin this analysis at the beginning, namely Section 1631. The Section requires that the secretary of defense “submit to the [House and Senate Armed Services and Appropriations Committees (“Defense Committees”)] notice in writing of any sensitive military cyber operation conducted [ . . . ] no later than forty-eight hours following such operation.” The section proceeds to define a “sensitive military action” as either an offensive cyber operation or a defensive cyber operation that takes place outside of the DOD network (in layman’s terms, a “hack back”). In either case, the operation must be carried out by the U.S. Armed Forces and it must occur in a geographic area where the United States is either involved in hostilities or has declared hostilities.
Clearly, Congress has chosen to expand its oversight role with regard to the DODs actions in the cyber domain. Far more interestingly, Congress has also expanded the tools used by U.S. cyber operators. The NDAA mandates that DOD produce “the aggregated results of all reviews of the capability for legality under international law” with respect to any cyber capability that is intended for use as a weapon. If the capability has already been approved for use under applicable international law, then the defense committees must be notified within forty-eight hours from when that capability has been used as a weapon.
In Section 1632, Congress altered its guidance for DOD briefings to the defense committees to include updates on cyber operations undertaken by each of the combatant commands. Congress specifically requires that the Secretary of Defense provide “[a]n overview of authorities and legal issues applicable to the operations, including any relevant legal limitations.” Combining the provisions of Sections 1631 and 1632, it is undeniably clear that Congress is deeply concerned with the evolution of international legal norms applicable to cyber warfare.
These provisions reflect an increased interest on the part of Congress to inform itself and engage with the international legal issues impacting the DOD’s cyber operations and the nation’s cybersecurity posture more broadly. Of particular note is Congress’ focus on the DOD’s process for reviewing the legality of its cyber capabilities. While there has been remarkable progress on developing international legal norms in the cyber domain, the United States has not taken adequately clear and forceful positions on many of these issues. Congress has clearly recognized this deficiency and has positioned itself to more effectively monitor and engage with the issues and to start the process of developing America’s positions on these issues. While the enhanced oversight requirements are a far cry from promulgating a polished, developed U.S. position on these matters, it is an important first step in the process and reflects Congress’ increased interest in engaging with these issues.
Section 1633, 1637, 1640—Defending the Nation
In the Fiscal Year 2018 NDAA Congress did not only focus on cyber warfare and offensive operations, it also worked to induce the Executive Branch to develop a national cybersecurity defense plan. Specifically, Congress has mandated the development of a national cyber policy, and lawmakers are willing to spend forty percent of the Defense Information Systems Agency’s budget on the development of such a policy. Congress has directed the executive to focus on five key elements when developing the national policy: