The drafting, negotiation, and passage of the National Defense Authorization Act (NDAA) is an annual event that sets the annual budget for the Department of Defense. During this time Congress is able to exert control over the priorities, guiding principles, and issues that will be addressed by the department in the coming year. The 2018 incarnation of the NDAA, which has just been signed into law by the president, includes, nested in Title XVI, Subtitle C, provisions, a requirement that the White House and the DOD meaningfully investigate, consider, and establish national standards and guidance in the cybersecurity and cyber-warfare space. They must explore the development of a national posture for these issues.
Title XVI, Subtitle C, which is referred to as “Cyberspace-Related Matters,” contains several provisions, suggestions and requirements which range from prohibiting Kaspersky Lab products on federal systems (Section 1634) to studying the application of blockchain technologies for the DOD (Section 1646), and even authorizing the department to help states assess and detect cyber vulnerabilities in state elections (1638). Additionally, Congress wants DOD to concentrate on increasing America’s leadership role in the development of international legal norms for cyber warfare. While these are all important aspects of the U.S. national cybersecurity posture, they are constituent elements of a much larger query: what is the U.S. cyber posture and position. Fortuitously, this section contains provisions that require the DOD to analyze, study and propose answers to these questions which play a unique role in preserving America’s national security into the twenty-first century. Congress has used its power of the purse to ensure heightened engagement with these essential issues. This article seeks to present and consider Congress’ priorities in this space as they were made manifest in the 2018 NDAA.
Section 1631 & 1632—Developing Legal Norms in Cyber Warfare
We begin this analysis at the beginning, namely Section 1631. The Section requires that the secretary of defense “submit to the [House and Senate Armed Services and Appropriations Committees (“Defense Committees”)] notice in writing of any sensitive military cyber operation conducted [ . . . ] no later than forty-eight hours following such operation.” The section proceeds to define a “sensitive military action” as either an offensive cyber operation or a defensive cyber operation that takes place outside of the DOD network (in layman’s terms, a “hack back”). In either case, the operation must be carried out by the U.S. Armed Forces and it must occur in a geographic area where the United States is either involved in hostilities or has declared hostilities.
Clearly, Congress has chosen to expand its oversight role with regard to the DODs actions in the cyber domain. Far more interestingly, Congress has also expanded the tools used by U.S. cyber operators. The NDAA mandates that DOD produce “the aggregated results of all reviews of the capability for legality under international law” with respect to any cyber capability that is intended for use as a weapon. If the capability has already been approved for use under applicable international law, then the defense committees must be notified within forty-eight hours from when that capability has been used as a weapon.
In Section 1632, Congress altered its guidance for DOD briefings to the defense committees to include updates on cyber operations undertaken by each of the combatant commands. Congress specifically requires that the Secretary of Defense provide “[a]n overview of authorities and legal issues applicable to the operations, including any relevant legal limitations.” Combining the provisions of Sections 1631 and 1632, it is undeniably clear that Congress is deeply concerned with the evolution of international legal norms applicable to cyber warfare.
These provisions reflect an increased interest on the part of Congress to inform itself and engage with the international legal issues impacting the DOD’s cyber operations and the nation’s cybersecurity posture more broadly. Of particular note is Congress’ focus on the DOD’s process for reviewing the legality of its cyber capabilities. While there has been remarkable progress on developing international legal norms in the cyber domain, the United States has not taken adequately clear and forceful positions on many of these issues. Congress has clearly recognized this deficiency and has positioned itself to more effectively monitor and engage with the issues and to start the process of developing America’s positions on these issues. While the enhanced oversight requirements are a far cry from promulgating a polished, developed U.S. position on these matters, it is an important first step in the process and reflects Congress’ increased interest in engaging with these issues.
Section 1633, 1637, 1640—Defending the Nation
In the Fiscal Year 2018 NDAA Congress did not only focus on cyber warfare and offensive operations, it also worked to induce the Executive Branch to develop a national cybersecurity defense plan. Specifically, Congress has mandated the development of a national cyber policy, and lawmakers are willing to spend forty percent of the Defense Information Systems Agency’s budget on the development of such a policy. Congress has directed the executive to focus on five key elements when developing the national policy:
1. The Executive Branch must identify the tools that can be used to deter or respond to malicious cyber activities by a foreign actor that targets the United States.
2. The Executive Branch must develop the United States’ national incident response plan in the event of a full range of potential cyber attacks by a potential adversary.
3. It must determine how the United States plans to defend, mitigate, and interrupt (including technical and other means) attacks on infrastructure critical to the political integrity, economic security, and national security of the United States.
4. It must consider how the United States can use the cyber domain to impose costs on foreign powers seeking to engage in cyber hostilities against the United States, its citizens, or American companies.
5. It shall develop programs dedicated to: (a) enhancing the cyber resilience of critical U.S. strike systems (both cyber and kinetic) in order to preserve the United States’ mutually assured destruction and deterrence capabilities; (b) offensive cyber capabilities, including identifying targets of value to potential enemy foreign powers; and (c) strengthening attributions and cyber threat intelligence to effectively detect, disrupt and expose malicious cyber activities.
While these items don’t represent every element of a comprehensive national cyber policy, and the merits of some of the approaches are hotly contested, it is clear that Congress has chosen to take an active role in the process of crafting America’s cyber posture and will not leave the project solely to the prerogative of the executive. Congress’ particular focus on deterrence and the imposition of costs on cyber malefactors. Congress clearly believes that deterrence is a core element of any prudent national cyber defense posture, but scholars have deep differences on the viability of a deterrence approach to cyberspace.
Proponents of a deterrence theory argue that it can be tailored to cyberspace through some combination of defense and resiliency (limiting the ability of a cyber attack to succeed, which would limit motivation to perpetrate an attack) and ensuring the imposition of sufficient costs and punishments after a cyber attack (ensuring the costs exceed the benefits). Critics of the deterrence approach in cyberspace argue that the idiosyncrasies of the cyber domain, namely that “[cyberspace] is structurally interconnected,” create a “condition of constant contact on a terrain that is both the space in which one contests and the means with which one contests.” Cyberspace, after all, “is constantly shifting with every new version of software/hardware and system process.” While the focus of this article is not on the viability of deterrence theory, it is clear that Congress wants to explore the issue in greater depth, and integrate these findings into the United States’ national cyber policy.
In addition to developing a national cyber policy, the Fiscal Year 2018 NDAA offers several additional provisions to help facilitate the DOD’s mission to strengthen our national security in the cyber domain. For example, in Section 1637, Congress directs the DOD to establish processes and procedures to “integrate strategic information operations and cyber-enabled information operations across the elements of the Department of Defense.” With this provision, Congress hopes to create an environment at the DOD and throughout the U.S. Armed Forces that is conducive to the development of “integrated Defense-wide strategy, planning, and budgeting with respect to the conduct of such operations by the Department.” The hope is that this provision will ensure that cyber becomes a “baked-in” concept throughout the DOD, planned from the inception of all projects and thoroughly integrated into all aspects of the department.
Additionally, Congress has attempted to specifically address some of the issues that arose during the 2016 presidential election; for example, Congress tasks the official in charge of these efforts with the “[d]evelopment of guidance for, and promotion of, the capability of the Department of Defense to liaison with the private sector, including social media, on matters relating to the influence activities of malign actors.”
In another section, Section 1640, Congress calls for the creation of the “Strategic Cybersecurity Program,” which would be comprised of DOD and Department of Energy personnel from a variety of backgrounds with a focus on improving the cybersecurity of systems: “(A) Offensive cyber systems; (B) Long-range strike systems; (C) Nuclear deterrent systems; (D) National-security systems; or (E) Critical infrastructure of the Department of Defense.” The group would be tasked with reviewing and reporting on the cybersecurity posture of the federal government’s systems and infrastructure.
Section 1644—Reviewing Where We Are
The NDAA, in Section 1644, calls for a comprehensive review of the United States’ existing posture on a variety of subtopics in cybersecurity. There are eight specific issues that the DOD’s review and report should examine.
1. “The role of cyber forces in the military strategy, planning, and programming of the United States.”
2. “The role of cyber operations in combatant commander operational planning, the ability of combatant commanders to respond to hostile acts by adversaries, and the ability of combatant commanders to engage and build capacity with allies.”
3. “The law, policies, and authorities relating to, and necessary for the United States to maintain, a safe, reliable, and credible cyber posture for responding to cyber attacks and for deterrence in cyberspace.”
4. “A declaratory policy relating to the responses of the United States to cyber attacks of significant consequence.”
5. “Proposed norms for the conduct of offensive cyber operations for deterrence and in crisis and conflict.”
6. “Guidance for the development of a cyber deterrence strategy.”
7. “The steps that should be taken to bolster stability in cyberspace and, more broadly, stability between major powers.”
8. “Whether sufficient personnel are trained and equipped to meet validated cyber requirements.”
Many of the issues discussed in earlier sections of the NDAA—such as deterrence—reappear in this review, only this review will serve as a central guiding document for how to evaluate the position of the United States, as well as blaze the trail for the path forward. Congress is also applying pressure on the Defense Department by threatening to withhold fifteen percent of its public affairs office pending an on-time delivery of the DOD’s report.
In the Fiscal Year 2018 NDAA, Congress has clearly made cybersecurity and cyber warfare a priority for the DOD, and, more importantly, it has firmly inserted itself into the process of developing America’s policy, practice and posture in the domain. It has been over a decade since the first documented nation-state cyberattacks in Tallinn, Estonia, and it has been nearly half a decade since cyber topped the director of national intelligence’s Worldwide Threat Assessment. Finally, we are beginning to tackle these in a holistic inter-branch manner. While this first attempt may not yield perfect results, we are beginning to turn a corner on understanding and dealing with the cyber risks that we face, and we hope that this is the beginning of a long and difficult—but deeply important—conversation.
Benjamin Dynkin is a Law Clerk at Grauman Law Group in their Cybersecurity practice group. Barry Dynkin is the head of Grauman Law Group’s Cybersecurity practice group.