How the Pentagon is Shaping Cyber Tool Use

snagfilms-a.akamaihd.netcyber-school-e499e3dbda4a86a0689655e7d6a6f7bbf34e81c8.jpg

This is Part II of a two-part series. Read Part I.

One critique of the way in which cyber operations are managed is that it limits the responsiveness and overall options for a commander. Part I of this two-part series focused on the underlying dilemma surrounding the cyber authorities question. Here, we consider how the White House and the Department of Defense could shape the discussion surrounding the effects of cyber capabilities.

“The discussion that’s going on is what collateral affects,” Maj. Gen. Burke “Ed” Wilson, deputy principal advisor to the Secretary of Defense, told C4ISRNET following his remarks on authorities at the Office of the Secretary of Defense (OSD) level. The crux of discussions focuses on an effects-based approach.

Read Part I: Authorities complicate the use of cyber capabilities.

This effects approach “has been our focus and trying to capture how we define those effects with a high degree of confidence,” Wilson said.

“If we’re going to have something that’s going to have tremendous collateral effect in a time of war, obviously it has to go to a very high level. But if there’s no collateral effect and it’s tactically minded in terms of a battlefield in an area of hostilities, that should be delegated,” he added.

“I think Secretary [of Defense Ash] Carter, you’ve seen, has been very forceful in pushing for more Title 10 cyber operations,” Lt. Gen. Jack Shanahan, director for defense intelligence (warfighter support), said in December regarding efforts to counter the Islamic State group.

Shanahan also hit on another facet of the cyber rules discussion: Title 10 war fighting and Title 50 intelligence regulations from the intel community and the National Security Agency. This is especially pertinent as cyber operations and capabilities are becoming more normalized as war fighting capabilities from what was traditionally primarily intelligence. A prime example includes standing up Cyber Command and the recent elevation of the command to a full combatant command.

To that end, and with the effects-based discussion in mind, cyber capabilities can be used for non-destructive espionage. “A cyber weapon can be dual use, and that’s particularly true in the cyber arena. So what we focused on instead of cyber weapons is we looked at effects,” Christopher Painter, the State Department’s coordinator for cyber issues, told the Senate Foreign Relations Committee in a May hearing.

Painter told the lawmakers that it’s important to consider effects and endpoints, noting that when an attack is mounted against critical infrastructure, it’s essential one look at the intent and endpoint. “I think researchers will tell you they use malware … to try to protect our systems,” he said.

“Cyber operations may pose challenging legal questions because of the variety of effects they can produce,” according to the DoD Law of War manual. “For example, cyber operations could be a non-forcible means or method of conducting hostilities (such as information gathering), and would be regulated as such under rules applicable to non-forcible means and methods of warfare. Other cyber operations could be used to create effects that amount to an attack and would be regulated under the rules on conducting attacks.”

Moreover, another set of challenging issues may arise when considering whether a particular cyber operation can be regarded as a seizure or destruction of enemy property and should be assessed as such.

Wilson noted that
cyber teams’ counter-ISIS activities provide a model for employing cyber capabilities on the battlefield.

“DoD constantly reassesses the delegation of authorities for military operations, for what is most appropriate depending on the specific operations undertaken,” a spokesman from OSD told C4ISRNET regarding the details of these authorities discussions.

Further complicating matters, and what may be a contributing factor to the overall top-down approval process of employing offensive cyber tools from an administration that has demonstrated extreme caution in international relations on several occasions, is the nature of connected networks needed for these operations that pass through other nations. Sometimes, “you have to use some other nation’s infrastructure in order to mount” a cyberattack, Director of National Intelligence James Clapper told Congress on Jan. 5. “That gets into, as I’ve learned, complex legal issues involving international law,” leading to the judgement often times to impose costs other than a direct cyber retaliation, such as sanctions. These types of decisions are typically undertaken at the National Security Council level rather than the operational level.

Along these same lines, the director of the Air Forces Cyber Forward, Col. Robert Cole, described how offensive cyber capabilities can act as a strategic deterrent — something that has not been seen from at least a public perspective, especially in light of alleged Russian hacks surrounding the 2016 U.S. presidential election and the subsequent response. He questioned at an AFCEA NOVA event hosted in December why cyber capabilities can’t be utilized to curb an adversary’s behavior as sanctions are in diplomatic affairs.
Why can’t it be that cyber takes down a port, he asked, adding that this would have an impact on China, for example. From a cyber perspective, depending on the effect, this metric, just like sanctions, could be reversible if the target curbs its behavior.

James McGhee, the legal adviser for Special Operations Command North, says the reversible aspect of cyber — as opposed to blowing up an asset in an airstrike — makes cyber capabilities an important tool.

It is still unclear how the incoming Trump administration might view this current debate. The transition team did not respond to multiple requests. One way, however, the new administration could affect the policy discussion would be to give more authority to commanders at the operational level, essentially amending or even doing away with the requirements set out in Presidential Policy Directive 20.

“Regardless of whether the current administration separates Cyber Command from Strategic Command, the next administration should evaluate Cyber Command’s authorities and ensure it can set its own requirements for acquisitions,” according to a recent report published by the Center for Strategic and International Studies that outlined a cybersecurity agenda for the Trump administration. “It should also be authorized and resourced to acquire needed capabilities as rapidly as possible. The next president should assess how these forces are assigned and consider alternate constructs that may reflect the experience that comes with four years of building the cyber mission force.”