Plans to review and potentially scale back a Trump-era rule providing broad authorities to the Department of Defense to launch offensive and defensive cyber operations without White House permission sparked concern from legislators at a Senate Armed Services Committee hearing Tuesday.
National Security Agency and U.S. Cyber Command leader Gen. Paul Nakasone testified at the hearing, responding to concerns from senators troubled by CyberScoop reporting last week that the White House has launched an “interagency review process” with an eye on taking back some of the broad authorities Cyber Command has held since the Trump administration issued National Security Policy Memorandum-13 (NSPM-13) in September 2018.
Sen. Angus King, I-Maine told Naksone at the open session hearing that he was very concerned about a potential scaling back of NSPM-13, which he called “a grave mistake [that] would undermine deterrence at the worst possible moment.”
Other senators also expressed worry about a possible weakening of NSPM-13, with Sen. Mike Rounds, R-S.D., pointedly asking Nakasone if losing the authority to use “persistent engagement” to defeat adversaries in cyberspace would harm national security.
Nakasone said that prior to Cyber Command receiving NSPM-13 cyberspace authorities, his agency was forced to do less to defend American interests in cyberspace. Specifically, Nakasone said he is unaware of any examples of so-called cyber effects operations — which DOD defines as operations “where the primary purpose is to externally defend or conduct force projection in or through cyberspace” — prior to Cyber Command gaining NSPM-13 authorities in 2018. Nakasone also told Rounds that NSPM-13 authorities helped protect the 2018 and 2020 U.S. elections from cyber interference by hostile foreign governments.
While careful to say he’ll review the proposed changes from the White House before making a final judgment, Nakasone allowed that, “significant changes to that NSPM, it could affect what we need to do.”
King’s remarks opposing revisions to NSPM-13 followed a letter to President Joseph Biden that he and Rep. Mike Gallagher, R-Wis., sent Monday in their capacity as chairs of the congressionally created panel designed to recommend cybersecurity legislation and best practices that was formerly known as the Cyberspace Solarium Commission. The executive director of the commission, Mark Montgomery, previously relayed his objections to CyberScoop.
“One of the most important improvements in our national cyber capability over the past four years has been the development of effective, timely planning processes for the execution of offensive cyber operations,” the letter says. “As the co-chairmen of the National Cyberspace Solarium Commission we are very concerned by press reporting that your administration may be considering changes to the governing policy document, National Security Policy Memorandum-13, with an intent to limit the Secretary of Defense’s freedom of action to plan and conduct offensive cyber operations.”
In their letter, King and Gallagher hailed NSPM-13 for allowing more “agile” cyber operations. They said the policy enabled the Department of Defense to better thwart Russian information operations in the 2018 and 2020 elections and asserted that it plays an important role in “signaling our willingness to use cyber capabilities, a key aspect to an effective national cyber strategy.”
“Any effort to weak and possibly alter NSPM-13 signals to our adversaries a lack of credible willingness to use offensive cyber capabilities which undermines the credibility of our deterrent,” the letter concluded.
The remarks from lawmakers reflect the negative views held by some cybersecurity experts who oppose scaling back the authorities. However, other cyber authorities believe that the Trump administration gave too much power to the DOD to launch cyber operations without White House permission.
These proponents of scaling back NSPM-13 assert that it is dangerous for DOD to make cyber decisions without the benefit of diplomatic and strategic objectives known to the White House and other agencies. They say NSPM-13 gives DOD unprecedented power that is unlike anything in American history and for which there is no parallel in most other countries.
Clarified 4/6/22: to include defensive cyber-operations as an example of the type of authorities the Department of Defense could lose.