Military officials have consistently asserted cyber by itself is no different from the other traditional domains of warfare.
However, given how new cyber operations are within the military sphere, the force is still facing growing pains in some areas, one in particular authorities.
Traditionally, the authority to conduct offensive and defensive remote cyber operations abroad – governed by an Obama administration directive known as Presidential Policy Directive-20 – has triggered an approval process that rests with the president and can be delegated to lower levels.
“It’s a work in progress in terms of the way that we’ve approached getting approvals,” Lt. Gen. Paul Nakasone, commander of Army Cyber Command said in response to a direct question during congressional testimony March 13 about if PPD-20 works. “Is the process perfect? No it’s not, but this is a constant dialogue that goes on between ourselves, certainly Cyber Command and the Department of Defense and then the National Security Council.”
Nakasone said there has been success with ongoing operations the cyberoffensive effort against ISIS, known as Joint Task Force-Ares.
“Go back to the early stages when the secretary of defense said ‘get at ISIS.’ I think you’re aware there were a lot of concerns in the interagency process that said ‘no, you can’t do this. N o,you don’t have the authority,’” Nakasone’s deputy, Ronald Pontius, told Fifth Domain recently. “But we were able to work that discussion by not having a generic or philosophical discussion but said here’s the specific capability. We end up calling mission packages, here’s the capability we’re proposing and then we were able to have the right conversation in the interagency that said, ’Okay, I understand that.’”
While there has long been a discussion about evolving these authorities, some said the current construct has not prevented action.
The policy directive “has not kept us from delivering effects when we’ve been required to deliver them,” Vice Adm. Michael Gilday, commander of 10th Fleet/Fleet Cyber Command told the Senate Armed Services Cyber Subcommittee alongside Nakasone. “It was intended to be a very deliberate process in determining when and how we would deliver cyber effects … I think as an overarching policy, I think that it’s a good framework. There are built in mechanisms within that framework to accelerate authorities if we need them.”
Despite how well the process has worked to date, not only is the DoD’s cyber force gaining in capability and capacity, but the world around it is changing as well.
“When I first came into the domain in 2012 that’s when we were writing PPD-20,” Maj. Gen. Christopher Weggeman, commander of 24th Air Force/Air Forces Cyber, told the committee. “Think about the maturation and the pace of change since then. Six years later we still have the same PPD-20.”
Weggeman said while the government started out with an authorities driven policy, the direction now is driving toward more of a mission and risk informed policy “that allows us a broader spectrum to authorities and risks that would allow us the pace, the timing and tempo of operations to match our adversaries in cyberspace.”
There has to be a new approach to certain aspects of cyberspace operations in the context of longstanding concepts such as sovereignty, Weggeman said, given the domain is man-made with actors laying claim to certain parts of it.
“If we want to compete, deter and win in cyberspace we have to get…more oriented on mission outcomes and risk models and threat driven operations that allow us to become the challenger instead of the challenged in this domain,” he said. “Becoming the challenger is going to require us to be more of a 21st century information operations/information warfare cogent organization or group of interagency partners that wants to then do the things that are happening to us to impose cost, to deny benefit, to demonstrate stake and to convey the legitimacy of those actions to our citizenry as well.”