Days after CyberScoop exclusively reported the White House is considering scaling back a Trump-era policy giving the Department of Defense and U.S. Cyber Command broad authorities to launch cyber-operations, conflict erupted in Washington about the wisdom of such a move.
More than three years after the Trump administration gave DOD those authorities, White House officials have launched an “interagency review process” to hammer out revisions to NSPM-13 with an eye on scaling it back and returning some control over cyber ops to the White House.
Cybersecurity experts debated the merits of the White House’s plans to revise NSPM-13, with some asserting that cyber operations will be dangerously slowed down if the White House becomes involved in the process. Others argued that the White House has to take back control. Those in the latter camp say it is unsafe for DOD to act without knowledge of political and diplomatic considerations — and they questioned how effectively the DOD has wielded its broad authority to undertake offensive cyber operations.
The case against scaling back
Mark Montgomery, a former Republican Senate Armed Services staffer who helped craft the 2018 legislation laying the groundwork for the Trump national security policy memorandum known as NSPM-13, said that before former President Donald Trump gave DOD broader cyber authorities operational decisions arrived at a glacial pace.
“We were very slow,” Montgomery said. “We were not agile and effective in integrating cyber into our war plan [or] into our targeting efforts.”
Montgomery called former Obama officials’ concerns about DOD holding onto the authority it gained to launch cyber ops in 2018 “old think.” The Obama officials, including the State Department’s former top cyber diplomat Christopher Painter, have said they fear that if DOD continues to operate in a vacuum, without White House control, the agency could make dangerous decisions without the benefit of relevant diplomatic and political information.
President Barack Obama naively believed he could negotiate the Chinese and Russians into a more passive cyber posture, Montgomery said.
“President Obama’s thinking probably was wrong for his time,” Montgomery said. “It’s definitely wrong for the threat environment we find ourselves in now.”
Authoritarian regimes already have too many advantages in the fast-moving cyber environment, said Montgomery, who recently ran the Cyberspace Solarium Commission and now serves as the senior director for the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies.
He said the United States must allow the national security apparatus to move quickly or risk “giving yet another advantage [to] the authoritarians. They usually get to initiate the crisis, they get to make the first decisions … If you also make your defense, your ability to respond, less agile and less effective, you’re really creating a lot of risk.”
It’s a view that senior national security leaders from the Trump administration share. When National Security Adviser John Bolton unveiled the Trump administration’s aggressive new cyber strategy at a September 2018 press conference, he proclaimed of the new authorities: “Our hands are not tied as they were in the Obama administration.”
Many in the Defense Department worry about how losing its authority would impact Cyber Command’s policy of persistent engagement — the idea that in order to fight the enemy in cyberspace the United States must continuously engage and contest adversaries to create uncertainty in what a 2018 Defense Department strategy document called “the interconnected battlespace.”
Former Cyber Command General Counsel Gary Corn described the significance of NSPM-13’s provision for DOD authority to more speedily launch cyber ops in an article in the Journal of National Security Law and Policy last year. Corn has served in four presidential administrations, including as Staff Judge Advocate (General Counsel) to Cyber Command under Presidents Obama and Trump.
“NSPM-13 was aimed precisely at adapting the national security decision-making cycle to the realities of cyberspace,” Corn wrote. “NPSM-13 enables faster, more agile decision-making better adapted to the strategic threat. It does so not only by allowing delegations of authority, but by reinforcing those delegations with a coordination and approval process run by the delegee [Cyber Command], not the NSC [White House National Security Council].”
The case for scaling back
Not all Republicans agree with Montgomery and Corn. Tom Bossert, former homeland security adviser to Trump, said he understands why other agencies “want a method and process for appeal” of what the DOD decides in cyberspace. Bossert said he would support the White House taking back control from the Defense Department so long as such an outcome “also contains a set of values to guide decision making.”
Jason Healey, now a senior research scholar at Columbia University’s School for International and Public Affairs, served as director of cyber infrastructure protection in the George W. Bush White House. He argues that the White House must control decisions on when to launch cyber ops to ensure they are coordinated and balance other agencies’ strategic imperatives. More fundamentally, he asserts that DOD hasn’t proven its broader authority has been effective.
“We’ve allowed them [DOD] to do it,” Healey said. “It’s not obvious there has been any kind of change in the direction and magnitude” of cyberattacks.
Healey said he believes the White House needs to be involved in authorizing ops because of the complicated dynamics embedded in relationships with authoritarian powers like China and Russia.
“There’s got to be a political lever,” Healey said. “The president has to be able to say, ‘You know what, I’m meeting [Chinese President] Xi Jinping and I want to tell him to ratchet these down. I don’t want you to be persistently engaging.'”
Neil Jenkins, who served in the Department of Homeland Security under the Obama administration, said he has long been concerned that DOD may not “totally understand the possible blowback from their operations or the side effects their operations could cause.”
Jenkins, now the chief analytic officer at the nonprofit Cyber Threat Alliance, said it should be possible to speed up interagency coordination. Jenkins said the FBI and DHS work together quickly to counter terror threats and there is no reason that DOD and the White House can’t do the same.
“We can certainly find ways within the US government to make rapid coordination and then cyber-operations happen,” Jenkins said. “Interagency collaboration around cyber operations is necessary, and it’s possible.”
DOD is right that before NSPM-13 became policy, decisions on cyber-operations came too slowly, said Jim Lewis, director of the strategic technologies program at the Center for Strategic and International Studies. But he said that was a product of unique Obama administration dynamics and said that decisions to use offensive force is a political decision the White House has to make.
“The problem before was that State refused to budge and the White House refused to roll them,” Lewis said. “That left DOD frustrated and Trump’s solution was to cut State out. Make a few decisions on where sovereignty applies, bring some discipline back to the interagency, and put decisions back at the White House.”
Updated 4/5/22: to include more details of Corn’s government work.