9 January 2023

A New Cyber Strategy To Restore Civil-Military Normalcy

Marc Losito

Milton Friedman, the late Nobel laureate, used the analogy of "a fool in the shower" to describe the scalding consequence of policy overcorrection. When the fool in a shower attempts to reach the proper water temperature, they make repeated minor corrections, expecting immediate change. Hotter water is on the way, but the fool is impatient, thinking each turn of the dial will bring the desired end. The result is foolish overcorrection and scalding consequence making its way through the pipes. Cyber policies in response to the shock of September 11th, the failure to enact the Cybersecurity Act of 2012, and Russia's election meddling portend a potential "fool in the shower" attempting to address the looming threats in the cyber domain. The policy choices in response to these events have unequivocally moved the military closer to cyberwarfare with less oversight by elected civilian leaders, which is a departure from the civil-military norm. Further, these corrections have slowly increased the water temperature over time, and we may already be engaging in cyber warfare without Congress's delegated war power approval.

The Homeland Security Act of 2002

Arguably, the first correction in the modern cyber policy era was the U.S. national security establishment's response to the shock of September 11th. The federal government rightly acknowledged inequities in how the nation was postured to defend its citizens against terrorism and cyber-attacks. The U.S. responded with the Homeland Security Act of 2002, which consolidated 22 diverse agencies and bureaus into the Department of Homeland Security (DHS); the act also established the Homeland Security Council as a statutory component of the National Security Council. The Homeland Security Act of 2002 marked the largest reorganization of the federal government in more than half a century, responding to new, post-Cold War vulnerabilities. Chief among these vulnerabilities were U.S. critical infrastructure sectors with special concern for cyberterrorism and securing cyberspace. Consequently, the Homeland Security Act of 2002 included the addition of a centralized cybersecurity organization within DHS. The National Cyber Security Division (NCSD) was created as an amalgamation of previously existing federal directorates performing disparate functions without coordination or communication.

While the policy reaction was appropriately achieved within a strict framework through congressional legislation, organizational and leadership challenges plagued policy implementation. The Homeland Security Act of 2002 imbued the NCSD with inherent contradictions, likely due to committee compromises required for passage. As the first significant restructuring of federal cybersecurity functions in the United States, the Act failed to provide consistent language and delineate authorities of cybersecurity functions. Namely, the act identified DHS's first responsibility as preventing terrorism and cyberattacks in the United States but only assigned DHS an analytical and advisory role for intelligence activities concerning terrorism and cyber activity. In addition, the Act's language made clear the Federal Bureau of Investigation (FBI) maintained investigatory and prosecution authorities. In this same vein, the Act gave DHS a broad mandate to minimize damage to U.S. critical infrastructure but only limited authority to share information and coordinate with the private sector—a major stakeholder in the operation of U.S. critical infrastructure.

In the wake of September 11th, Congress and the Executive branch violently turned the shower gauge seeking immediate change. Unfortunately, though guided by righteous intent, the policy correction was fraught with inadequacy, contradictions, authority and delineation issues, and compromise, resulting in inept organizations standing guard in our cyber defense. Punctuated by legislative and policy challenges, the newly created NCSD would be excoriated by the DHS Inspector General as an organization without vision or tangible results. The U.S. Government would need to go back to the tap, adjust the temperature again, and wait for warmer water.

The Cybersecurity Act of 2012 and Executive Policy Actions

The second correction occurred in response to Congress's failure to enact the Cybersecurity Act of 2012, which bears mentioning because it appeared to be the policy correction we'd needed all along. This comprehensive proposal, from Senators Joseph Lieberman (I-CT) and Susan Collins (R-ME), sought to protect both government and private industry from foreign cyberattacks by achieving three ends: (1) new threat-information-sharing between government and private industry, (2) better protection of critical infrastructure, and (3) DHS authority to unite federal resources to lead U.S. cybersecurity. Given the disjointed state of cybersecurity at the federal level, partly due to the Homeland Security Act of 2002, the overarching policy goals of the Cybersecurity Act of 2012 appeared to right-size ten years of legislation and policy neglect toward a unified cyber defense. In response to Congress's inability to move this keystone legislation across the goal line, President Barack Obama used executive authority to end-run the gap by establishing Presidential Policy Guidance 20 (PPD-20).

In lieu of a defensive framework, PPD-20 established an offensive framework directing the Pentagon to take aim at our enemies with cyberweapons and set the stage for DoD cyber "mission creep" into foreign locations that are not combat zones. This clever use of executive policymaking marked a momentous departure from civilian execution of U.S. cyber defenses, albeit with it unclear which civilian agency led the cyber enterprise, to consolidated military execution with civilian oversight of cyber defenses. Now declassified, PPD-20 imposed a strict regime of civilian oversight on military cyber operations requiring intense interagency vetting of planned operations. Moreover, PPD-20 tacitly advanced a militaristic lexicon and the notion of the cyber domain as a battlefield requiring capabilities for the "full spectrum of conflict." This lexicon was further crystalized in the 2018 National Cyber Strategy as "continuous competition…in cyberspace" and the 2018 Department of Defense Cyber Strategy in a concept known as "defend forward." The failure to pass the Cybersecurity Act of 2012 and the implementation of the offensive military framework of PPD-20, despite intense interagency vetting and a rigorous legal regime, would set U.S. cyber policy on a foolish trajectory toward militarization of the cyber domain.

With three executive policy actions—PPD-20, the National and Defense Cyber Strategies—the water temperature may change, but to what end? The fool, continually increasing the temperature, never expects to be scalded, but the over-militarization of cyber policy portends scalding results. Up to this point, the militarization of cyber policy is contained within executive policymaking, which is tenuous at best. Executive policies are routinely rescinded, repealed, or struck down by the courts. The final correction would have to be through legislation to determine the fool's fate.

John S. McCain National Defense Authorization Act and NSPM-13

The final corrections in modern cyber policy were in tandem with the cyber strategies and in direct response to the Russian election meddling in the 2016 U.S. Presidential election. Collectively, the John McCain National Defense Authorization Act (NDAA’19) and President Donald Trump’s National Security Presidential Memorandum 13 (NSPM-13) snatched cyberwarfare away from the purview of U.S. elected civilian leadership and placed the DoD firmly in charge of cyber activities abroad with only post-facto oversight—referred to as “defend forward.” Then-National Security Advisor John Bolton best summarized these consequences when he outlined how President Trump’s cyber strategy and forthcoming NSPM had replaced restrictions on the use of offensive cyber operations with a legal regime that enabled the DoD and other relevant agencies to operate with a greater authority to penetrate foreign networks and deter hacks on U.S. systems. Bolton dropped the civil-military bomb that “decision-making for launching [cyber] attacks will be moved down the chain of command from requiring the president’s approval.” This was a wholesale change from the PPD-20 legal regime with authority withheld at Presidential levels and was a dramatic wrenching of the hot water tap.

The legal concept of “defend forward” builds on the offensive notion underpinning NSPM-13 and the policy pretexts of the national cyber documents; more importantly, it contemplates DoD cyberwarfare activities that are not part of an armed conflict. First, Section 1632 of NDAA’19 eliminates all doubt that DoD is precluded from conducting unattributed cyber operations with effects outside of combat zones. Historically, unattributed operations outside of combat zones required a covert action finding and congressional notification under Title 50. Therefore, Section 1632 is an unprecedented shift in civil-military balance, categorizing DoD offensive cyber operations outside of combat zones as Traditional Military Activity (TMA), which does not require a finding or prompt congressional notification. Second, Section 1642 of NDAA’19 provides express authority—referred to as “active defense”—for DoD “to take appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter” cyberattacks involving China, Russia, Iran, and North Korea, previously enumerated as the “Big 4” cyber competitors. At first glance, Section 1642 reads as a Cyber Authorized Use of Military Force (AUMF) prescribing pre-authorized cyberwarfare actions based on Section 1642 criteria. Section 1642 should sound alarm bells as the cyber-version of the 60-word AUMF, written just hours after September 11, 2001.

Finally, the notification and reporting requirements levied by NDAA’19 for cyber warfare activities considered “active defense” should give pause and concern. NDAA’19 requires Commander, U.S. Cyber Command to provide a quarterly, post-facto summary of cyber warfare activities to congressional defense committees and an annual, post-facto summary to congressional intelligence committees and the Senate Foreign Relations Committee. Considering the ever-changing political and technical dynamics involved in cyber warfare, vis-à-vis election meddling or theft of national security information, post-facto reporting of cyberwarfare activities seems too great a tradeoff for “active defense.” Speed is often quoted as the quintessential element of preparedness against cyberattacks. However, the environment is less like a battlefield and more like a china shop, where care and calculation matter. For all its flaws, specifically as the impetus for this militarized trajectory, PPD-20 did adhere to a rigorous vetting process and intense legal regime, missing in NDAA’19 and NSPM-13.

The Right Temperature is Nigh but Not Quite

Milton Friedman’s analogy of the fool in a shower paints a cartoonish picture of a buffoon scalded by his own actions. A similar fate is approaching within U.S. cyber policy in the cyber domain. While we may not have scalded ourselves yet, the militarization of cyberspace—such as the de facto Cyber AUMF of Sections 1632 and 1642 of NDAA’19—foretells a forever war in the cyber domain similar to the 2001 AUMF being exercised across the globe. We must restore civil-military normalcy in cyberspace, lest we be the fool in the shower.

Admittedly, we’ve seen a positive trend of returning to civil-military normalcy in the cyber domain. This is in part due to the Cyberspace Solarium Commission’s (CSC) sobering assessment that despite authorities granted in NDAA’19 and NSPM-13 to conduct offensive cyber operations abroad, the U.S. continues to struggle to secure its interests in cyberspace. The commission identified “defend forward” as a step short of the whole-of-government approach to a “layered cyber defense” that requires more than the military instrument of national power. Accordingly, subsequent NDAAs incorporated essential recommendations from the commission that strengthen diplomatic, information, and economic instruments of power while normalizing the military instrument of power. NDAA’20 leverages Defense and Congressional oversight to place a governor on U.S. military operations in the cyber domain. NDAA’21, a hallmark piece of legislation and the namesake of Congressman William “Mac” Thornberry, recertified the concept of a layered cyber defense utilizing non-military instruments. Finally, NDAA’22 included amendments focused on strengthening civilian executive agencies through an improved cyber workforce, capacity, and organizational structures. Moreover, these pieces of legislation incorporate 33 bipartisan Cyberspace Solarium Commission recommendations to reform the U.S. Government’s organization for cyberspace and strengthen non-military tools. We have yet to see the measurements of effectiveness of these efforts, but we can be sure that they have not limited the U.S. military’s autonomy in cyberspace.

Likewise, President Joseph Biden’s National Security Strategy signals a return to tech diplomacy to navigate digital challenges. The strategy signals a significant pivot back to a sustainable path in the cyber domain by calling for renewed cyber cooperation among allies and partnering to combat Chinese and Russian influence on tech and the internet. President Biden’s impending National Cybersecurity Strategy, not yet released but gaining public fanfare, will be a critical indicator of how much autonomy the military will have in cyberwarfare activities. While the strategy will undoubtedly ask more of private industry, it must highlight and adjust civil-military relations in the cyber domain. The strategy will be incomplete unless it reflects the cyber paradigm of a healthy democracy with a division of labor between military leaders—who are trained to follow orders and win battles—and civilian ones, who are tasked with asking hard questions about why those battles are being fought in the first place.

At a minimum, President Biden’s National Cybersecurity Strategy needs to address three problems to restore civil-military normalcy. First, the strategy should address the Pentagon’s sprawling ecosystem of cyber-related entities and advisors by establishing civilian control. The Cyberspace Solarium Commission entertained the idea, but now is the time to establish a “service like” secretary—Assistant Secretary of Defense for Cyber—as a principal staff assistant with full access to the same fora that the service secretaries have. Second, the strategy should frame internal coherence by addressing the competing roles and responsibilities of federal agencies in cyberspace. Our adjustments of cyber policy over time have created a patchwork of byzantine line-and-block charts, creating uncertainty about how these roles would interact in the face of an incident response. Last, the strategy should advance the non-military cyber instruments of power to reflect the President’s National Security Strategy shift of restoring faith in diplomacy. Ideally, the State Department’s newly created Bureau of Cyberspace and Digital Policy would take the lead in addressing national security challenges abroad.
