Department of Defense officials say new authorities and policies have allowed cyber operators to move faster and execute new operations in recent months.
“Over the last six months we’ve been given sufficient authorities that allow us to implement the approach of defending forward,” Lt. Gen. Vincent Stewart, deputy commander of Cyber Command, said during a presentation at the CyCon conference in Washington Nov. 14. “We can no longer have policy that runs all the way to the very senior levels of our organizations before we can take action. We need the flexibility to act as we see emerging threats and opportunities in this space.”
U.S. Cyber Command say they must be persistently engaged in cyberspace providing constant contact against adversaries on a daily basis. Part of this approach involves what officials are also deeming “defend forward," or fighting the cyber battle on someone else’s turf as opposed to fighting it at home by gaining access to adversary networks or infrastructure to get insights into what they might be planning.
Traditionally, cyber authorities and operations have required approval at the highest level of government, leading, in many cases to limited use and even the stymieing time-sensitive operations.
“I would say authorities have been delegated down to the appropriate levels … the interagency process has really been streamlined,” Maj. Gen. Robert Skinner, commander of 24th Air Force/Air Forces Cyber, told Fifth Domain in a November interview. He added that forces, in conjunction with Cyber Command, have been executing these authorities and are “very happy with the progress we’ve made in the last year.”
Clark Cully, cyber adviser within the Office of the Secretary of Defense, said Nov. 1, that new authorities have been effective and allowed the Defense Department to move at what is commonly described as the speed of relevance.
“This is a new learning process that we’re just working through but the signs are encouraging and we think we have what we need to be able to respond in a much more effective manner,” he said.
Others officials echo that sentiment.
“We’re seeing those authorities are giving us a lot more agility to go on target but a lot more persistent ability as well so we can, as the adversary tries to maneuver, we can actually stay with the adversary,” Gregg Kendrick, executive director at Marine Corps Forces Cyberspace Command, said Nov. 1.
Help from Congress
While much of the attention to new authorities has surrounded the White House’s revocation of an Obama administration-era policy directive known as Presidential Policy Directive 20, Congress also gave the Pentagon specific authorities that make cyber operations easier to plan and execute.
Specifically, the National Defense Authorization Act for fiscal 2019, clarifies what qualifies as an exemption to the covert action statue, listing “clandestine” cyber operations as a traditional military activity and excluding it from this restriction. According to a joint explanatory statement from the Senate Armed Services Committee. lawmakers appeared concerned that DoD faced difficulties in obtaining mission approval from other agencies.
“One of the challenges routinely confronted by the Department is the perceived ambiguity as to whether clandestine military activities and operations, even those short of cyber attacks, qualify as traditional military activities as distinct from covert actions requiring a Presidential Finding,” according to the statement.
Actions that fall within DoD’s scope in cyber include those conducted for the purpose of preparation of the environment, force protection, deterrence of hostilities, advancing counterterrorism operations and in support of information operations or information-related capabilities.
Stewart told Fifth Domain that this better postures Cyber Command to make necessary preparations prior to some operations.
“It recognizes the fact that there [are] certain things you must do in order to prepare for operations and you can’t wait until the operations begin,” he said. “That’s freed us up to do some of the things, the operational preparation of the environment, that we were limited from doing outside of the counterterrorism mission and now can do much more broadly against all of our peers and competitors.”
By clarifying that most of the actions DoD ― and by extension Cyber Command ― take in cyberspace going forward is a traditional military activity will make approval processes faster, a U.S. government official, speaking under a non-attribution agreement, said.
Congress also provided DoD broad authorization for use of force in cyberspace, albeit limiting it to four specific countries. The new law authorizes the Secretary of Defense “to take appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter … active, systematic, and ongoing campaign of attacks against the Government or people of the United States” by Russia, China, North Korea or Iran.
This includes cyber operations and information operations.
The New York Times recently reported that Cyber Command had individually targeted Russian cyber operators ahead of the 2018 midterm elections to deter them from spreading misinformation a la the 2016 presidential election.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.