22 May 2022

President Biden’s Policy Changes for Offensive Cyber Operations

Herb Lin

On May 13, a Washington Post story indicated that changes to U.S. policy regarding offensive cyber operations are imminent. These changes would refine the Trump administration policy as promulgated under National Security Presidential Memorandum 13 (NSPM-13) in 2018. To understand the story underlying this change, it is helpful to review the history of presidential guidance and policy regarding offensive cyber operations.

The first known White House statement on this topic was articulated in Presidential Policy Directive 20 (PPD-20), established by the Obama administration in 2012. The text of PPD-20—still technically classified—was made public in 2013 by the Snowden disclosures and is widely available online. By contrast, the text of NSPM-13, also classified, is not public. One public source indicates that the major change between NSPM-13 and PPD-20 was an “offensive step forward” from a policy that required consensus in a U.S. government interagency process that included the departments of Defense and State, among others. Reportedly, NSPM-13 provides “for the delegation of well-defined authorities to the Secretary of Defense to conduct time-sensitive military operations in cyberspace.” According to statements made by a member of the Joint Staff, NSPM-13 enabled faster, more agile decision-making by allowing delegations of authority and enabling the delegatee (the party to whom authority was delegated) to make coordination and approval decisions that would otherwise be made by the National Security Council.

What revisions to NSPM-13 are being contemplated by the Biden administration? Publicly, concerns had revolved around the possibility that the approval process for offensive cyber operations would become more cumbersome by giving greater weight to the concerns of other non-Defense agencies. In particular, the State Department was reportedly set to gain a “greater ability to monitor and weigh in on ‘third-party notifications,’ defined as whether and how the U.S. government alerts countries if it plans to enter their cyberspace to interrupt adversaries’ cyber operations.”

According to the Washington Post story referenced above, the key change is to a policy established by the Trump administration. Previously, “the Pentagon could override the State Department’s objection to an [offensive cyber] operation without explanation and without the White House’s knowledge … [but] now, the Defense Department will have to keep both the White House and State Department apprised of Cyber Command’s rationale for proceeding.” Overall, the rationale for the change is said to be preventing offensive cyber operations that pass through third-party nations (not the United States and not the nation that is the focus of those operations) from conflicting with intelligence-gathering efforts or interfering with State Department efforts to maintain good relations with those nations.

More broadly, the chairs of the Cyberspace Solarium Commission have expressed concerns that go beyond the State Department and have interpreted proposed changes as being intended “to limit the secretary of defense’s freedom of action to plan and conduct offensive cyber operations.” Commision co-chair Rep. Mike Gallagher has separately expressed concern that “efforts by the Administration to pull back the delegation and provide additional oversight and interagency input in the midst of the execution phase risks undermining our national security.”

Such concerns raise an interesting and important question—is the choice a binary one simply between White House involvement in approving any offensive cyber operation or leaving approval authority in the hands of the Defense Department? I suggest this question is a poor framing of the problem.

Let’s move outside the cyber domain for a moment. No one really questions the fact that only the president has the authority to order the use of nuclear weapons. (Whether the president should be able to order the use of nuclear weapons without the concurrence of a second party is a different matter not addressed in this post.) Although there is at least one known instance in which this authority was delegated to someone else (the commander of North American Aerospace Defense Command, or NORAD, for some years was delegated the authority to use nuclear weapons against Soviet bombers that were attacking the U.S. homeland), the delegation of such authority is today generally regarded as a bad idea.

Why should the use of nuclear weapons entail the involvement and approval of the president? I suggest it is because the use of nuclear weapons is widely believed to have broad strategic implications that involve trade-offs between a variety of conflicting objectives and entail some risk of significant escalation, depending on the situation in which such use is contemplated. It is this escalation—and the possibility of much more widespread use—that poses the most danger, rather than the first initial use of a nuclear weapon. And the authority to make strategically significant trade-offs properly on behalf of the nation should lie with its highest elected officials rather than simply the Defense Department.

But cyber weapons (or, more generally, offensive cyber operations) are not like nuclear weapons. A nuclear explosion is an unambiguous event, but it is entirely possible for the use of a cyber weapon to have entirely minimal and barely noticeable effects. Indeed, the effects of using a cyber weapon are to a considerable degree under the control of the attacker (analogously, imagine a kinetic weapon whose yield was continuously variable from zero to its maximum).

If the use of a cyber weapon (more likely, the use of many cyber weapons) in a particular scenario could reasonably be expected to cause effects of strategic significance, a case could be made for requiring presidential authority. But the vast majority of offensive cyber operations will not rise to this level, and requiring presidential authority for such operations makes little sense indeed. Rather, there needs to be a clear delineation of the few instances in which presidential authority should be necessary and where such authority is not needed.

In fairness, it has been reported that NSPM-13 does indicate where presidential authorities are needed and where authority will be delegated to levels below the president. A member of the Joint Staff noted in 2018 that “broadly speaking, some things are always going to stay at the presidential level and some things are going to be delegated. And it really comes down to a policy decision and a risk discussion among the highest levels of our government about what is appropriate for DoD (the Department of Defense) to be doing in a particular mission area.” This claim is consistent with what I have heard from others who are familiar with or who were involved with the formulation of NSPM-13.

But it is also fair to say that this aspect of NSPM-13 has not received much public attention, and simply to say that “some things remain in the hands of the president” and “some things do not” is not particularly reassuring. In an April Wall Street Journal article, my Hoover Institution colleague Jacquelyn Schneider downplays the risks of escalation from offensive activity in cyberspace and argues that norms that inhibit escalation are beginning to take hold. I disagree with much of her argument, but she and I wind up in the same place regarding what a Biden policy on offensive cyber operations should entail—we both believe policy on offensive cyber operations should provide clarity on what the Department of Defense can and cannot do with its own delegated authority.

Thus, a Biden-led revision of NSPM-13 (which would be called National Security Memorandum No. “something or other”) could break new ground by providing more detail and/or examples of what would be in each category. For example, I believe the policy should indicate that offensive cyber operations that could reasonably be expected to affect an adversary’s nuclear command-and-control (C2) capabilities should require explicit presidential authority. I’d argue that cyber operations that affect space-based systems would not necessarily need presidential authority unless they implicated nuclear C2 capabilities. Others could make reasonable cases for setting the bar for requiring presidential authority differently. But the important point is that the Biden administration could do much to promote public confidence if it were willing to be less opaque than the previous administration about what the new policy entails.

No comments: