Section 1644—Reviewing Where We Are
The NDAA, in Section 1644, calls for a comprehensive review of the United States’ existing posture on a variety of subtopics in cybersecurity. There are eight specific issues that the DOD’s review and report should examine.
1. “The role of cyber forces in the military strategy, planning, and programming of the United States.”
2. “The role of cyber operations in combatant commander operational planning, the ability of combatant commanders to respond to hostile acts by adversaries, and the ability of combatant commanders to engage and build capacity with allies.”
3. “The law, policies, and authorities relating to, and necessary for the United States to maintain, a safe, reliable, and credible cyber posture for responding to cyber attacks and for deterrence in cyberspace.”
4. “A declaratory policy relating to the responses of the United States to cyber attacks of significant consequence.”
5. “Proposed norms for the conduct of offensive cyber operations for deterrence and in crisis and conflict.”
6. “Guidance for the development of a cyber deterrence strategy.”
7. “The steps that should be taken to bolster stability in cyberspace and, more broadly, stability between major powers.”
8. “Whether sufficient personnel are trained and equipped to meet validated cyber requirements.”
Many of the issues discussed in earlier sections of the NDAA—such as deterrence—reappear in this review, only this review will serve as a central guiding document for how to evaluate the position of the United States, as well as blaze the trail for the path forward. Congress is also applying pressure on the Defense Department by threatening to withhold fifteen percent of its public affairs office pending an on-time delivery of the DOD’s report.
In the Fiscal Year 2018 NDAA, Congress has clearly made cybersecurity and cyber warfare a priority for the DOD, and, more importantly, it has firmly inserted itself into the process of developing America’s policy, practice and posture in the domain. It has been over a decade since the first documented nation-state cyberattacks in Tallinn, Estonia, and it has been nearly half a decade since cyber topped the director of national intelligence’s Worldwide Threat Assessment. Finally, we are beginning to tackle these in a holistic inter-branch manner. While this first attempt may not yield perfect results, we are beginning to turn a corner on understanding and dealing with the cyber risks that we face, and we hope that this is the beginning of a long and difficult—but deeply important—conversation.
Benjamin Dynkin is a Law Clerk at Grauman Law Group in their Cybersecurity practice group. Barry Dynkin is the head of Grauman Law Group’s Cybersecurity practice group.