Congress to DOD: You Must Start Briefing Us on (Some) Cyberwar Now

Robert Chesney notes that the HASC Mark on the Defense Authorization bill includes a section on cyberwar. Here’s the entire section:

This section would affirm that the Secretary of Defense has the authority to conduct military activities in cyberspace. The committee recognizes that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in cyberspace.

In particular, this section would clarify that the Secretary of Defense has the authority to conduct clandestine cyberspace activities in support of military operations pursuant to the Authorization for the Use of Military Force (Public Law 107-40; 50 U.S.C. 1541 note) outside of the United States or to defend against a cyber attack on an asset of the Department of Defense.

The committee notes that al Qaeda, the Taliban, and associated forces are increasingly using the internet to exercise command and control as well as to spread technical information enabling attacks on U.S. and coalition forces in areas of ongoing hostilities.

While these terrorist actions often lead to increased danger for U.S. and coalition forces in areas of ongoing hostilities, terrorists often rely on the global reach of the internet to communicate and plan from distributed sanctuaries throughout the world. As a result, military activities may not be confined to a physical battlefield, and the use of military cyber activities has become a critical part of the effort to protect U.S. and coalition forces and combat terrorism globally.

In certain instances, the most effective way to neutralize threats and protect U.S. and coalition forces is to undertake military cyber activities in a clandestine manner. While this section is not meant to identify all or in any way limit other possible military activities in cyberspace, the Secretary of Defense’s authority includes the authority to conduct clandestine military activities in cyberspace in support of military operations pursuant to an armed conflict for which Congress has authorized the use of all necessary and appropriate force or to defend against a cyber attack on a Department of Defense asset.

Because of the sensitivities associated with such military activities and the need for more rigorous oversight, this section would require quarterly briefings to the congressional defense committees on covered military activities in cyberspace.

While Chesney focuses on the use of “clandestine” in this passage (which I’ll return to), I think one of the key phrases is simply the requirement that DOD brief the Armed Services Committees quarterly on what it’s doing in cyberspace. As the AP reported in January, the SASC complained during the confirmation hearings of Michael Vickers that they weren’t getting briefed on clandestine cyberwar activities. Vickers claimed in response that the law only required that DOD brief Congress on human clandestine activities.

The Senate Armed Services Committee voiced concerns that cyber activities were not included in the quarterly report on clandestine activities. But Vickers, in his answer, suggested that such emerging high-tech operations are not specifically listed in the law — a further indication that cyber oversight is still a murky work in progress for the Obama administration.

Vickers told the committee that the requirement specifically calls for clandestine human intelligence activity. But if confirmed, he said, he would review the reporting requirements and support expanding the information included in the report.

So this section appears to close Vickers’ loophole, now requiring that DOD brief Congress on its activities in its quarterly clandestine activities reports.

In addition to legally demanding briefings, the section appears to affirmatively approve–as clandestine activities–cyberattacks against an AUMF-authorized target (so, al Qaeda and people like Anwar al-Awlaki we claim to be included in AUMF), and cyberdefense against an attack on an asset of DOD.

By the way, anyone want to speculate whether a Specialist allegedly downloading several databases onto a Lady Gaga CD constitutes a cyberattack on a DOD asset? Because if this permission includes WikiLeaks, then this section might be retroactively authorize attacks–say, DNS attacks on US-based servers–on WikiLeaks (note that DOD can attack outside the US, but such geographical limits are not placed on defensive actions).

In any case, as Chesney emphasizes, this section specifically authorizes attacks on AUMF-authorized targets and defense against attacks on DOD targets. Chesney notes that by calling these activities “clandestine,” it makes them a Traditional Military Activity.

That is to say, the language in § 962 refers to DOD authority to engage in cyber operations which are mean to go undiscovered but not meant to be denied.  That alone would presumably keep them from being categorized as a “covert action” subject to presidential finding and SSCI/HPSCI notification requirements.  Yet one can imagine that this does not quite suffice to solve the boundary dispute, insofar as it might not be clear on the front end that one would be willing to acknowledge sponsorship of an operation publicly if it becomes known…and indeed it might well be that the activity is very much meant to be both concealed and denied, making it hard at first blush to show that the activity is not a Title 50 covert action after all.  But in at least some instances there is a separate reason it should not be deemed a covert action: i.e., when the action is best understood as a high-tech equivalent to a traditional military activity (the “TMA” category being an explicit exception to the T50 covert action definition).  And that appears to be the case with the two categories explicitly described above, or at least arguably so.

The explanatory statement accompanying § 962 supports this reading.  It opens by stating that

[t]he committee recognizes that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in cyberspace.

So, to summarize, this section appears to affirmatively authorize two types of activities, defining them as clandestine operations, and mandating that Congress get quarterly briefings on them.

But note this clause: “this section is not meant to identify all or in any way limit other possible military activities in cyberspace.”

So, it appears, there may be these two types of explicitly authorized clandestine operations, and then the stuff John Rizzo warned about.

I did want to mention–cause I find this interesting–cyberwarfare, on the issue of cyberwarfare. Again, increasing discussion there clearly is an active arena, will continue to be active. For us lawyers, certainly for the lawyers in the intelligence community, I’ve always found fascinating and personally I think it’s a key to understanding many of the legal and political complexities of so-called cyberlaw and cyberwarfare is the division between Title 10, Title 10 operations and Title 50 operations. Title 10 operations of course being undertaken by the Pentagon pursuant to its war-making authority, Title 50 operations being covert action operations conducted by CIA.

Why is that important and fascinating? Because, as many of you know being practitioners, how these cyber-operations are described will dictate how they are reviewed and approved in the executive branch, and how they will be reported to Congress, and how Congress will oversee these activities. When I say, “these activities,” I’m talking about offensive operations–computer network attacks.

This issue, this discussion, has been going on inside the executive branch for many years, actually. I mean I remember serious discussions during the Clinton Administration. So, again, this is not a post-9/11 phenomenon. Now, I’m speaking her from a CIA perspective, but I’ve always been envious of my colleagues at the Department of Defense because under the rubrik of Title 10, this rubrik of “preparing the battlefield.” They have always been able to operate with a–to my mind [?] a much greater degree of discretion and autonomy than we lawyers at CIA have been, have had to operate under, because of the various restrictions and requirements of Title 50 operations. Covert actions require Presidential Findings, fairly explicit reports to the Intelligence Oversight Committees. We have a very, our Intelligence Committees are … rigorous, rigorous and thorough in their review. I’ve never gotten the impression that the Pentagon, the military, DOD is subject to the same degree of scrutiny for their information warfare operations as CIA. I’m actually very envious of the flexibility they’ve had, but it’s critical–I mean I guess I could say interesting but critical how–I mean if there were operations that CIA was doing, they would be called covert actions, there’s no getting around that. To the extent I’ve ever understood what DOD does in this arena, they certainly sound like covert actions to me but given that I’ve had more than my hands full over the years trying to keep track of what CIA’s doing at any given time, I’ve never ventured deeply into that area. But I think it’s fascinating. [my emphasis]

Now, maybe this section just politely puts the kibosh on all of this Title 50 masquerading as Title 10 stuff, stuff done under the auspices of DOD to avoid the oversight requirements that Title 10 intelligence operations would require. Maybe this section limits DOD’s activities to its two authorized clandestine activities.

But I doubt it. With the language about not limiting DOD to these two functions, you can pretty much assume there’s some Special Access Programs (like the kind the Air Force refuses to talk to Congress about) not safe to be mentioned in public documents like laws.

Look on the bright side, though: Congress is at least requiring that DOD brief Congress on some of the secret stuff they’re doing in cyberspace.

Update: Specialist corrected per Ralph.

image_print
  1. DWBartoo says:

    Are we to imagine that Congress has found something it is actually vexed about, or is this yet another episode of sternly-worded play-acting to convince the rubes that Congress is doing what Congress, according to some vague, quaint notion is supposed to do?

    If there IS a serious question, and several seem evident, with what you have raised in this post, EW, then Congress is most daintily dipping the very end of its big toe into the refreshing chill of actual engagement.

    However, the manuevering required to get things things in proper “order”, in this looking forward time, is of necessity, with all due deference to national security, ponderous and, seemingly, pointless. Yet, things will “line up” and the deed will be done.

    One imagines that both “sides” will soon find common, and, shall we say sufficient shared, if slippery, “principle” to affect a happy compromise, of the, “Don’t ask and we won’t tell”, variety. Well, to be honest, it isn’t “variety”, as agreements between the porportedly “overseen” and the alledged “over-seers” seem to all be the same, for quite some considerable time …

    Really, it is quite touching just how trusting Congress allways is, when it gets right down to it, whether “it” is “war”, or “cyber-war”, or just “the secrets that must-not-be-known”. That “separation” thingie, at work, and the fawning treatment of sacred cows at play, undoubtedly.

    If Congress has ANY serious reservations about almost ANYTHING, then it would be very difficult to accuse them of it … as there is NO clear and unambiguous evidence.

    Maybe this time, it is different?

    DW

    • emptywheel says:

      I think often what happens in stuff like this is outrage over the principle (although this was less intense), but then the agency tells the committee, “well, but, we don’t want this to be included.” And the committee says, “oh, okay.” And writes something covering the principle (here, that DOD’s clandestine online work has to be briefed) while institutionalizing the exception to the principle.

      • DWBartoo says:

        Yes.

        Congress IS doing precisely what it is intended that it do.

        The main role of Congress, institutionally, among the branches, is now, simply, to put the imprinture of propriety on whatever is being done, while preening and slapping themselves on the back for doing such a well-done job.

        When called upon, or simply so motivated, the Courts may also, apparently, be relied upon to do their part of sanctifying the legality and high principle behind everything that is being done, or, “not” done.

        Frankly, the purpose of the branches, altogether now, is to maintain the semblence of a “functioning” hierarchy while civil society is destroyed in the name of a perverse “security” which, somehow, is heaping windfalls of wealth upon those doing the offical looting.

        With a certain impending departure, how many enforcement agencies in this nation remain viable, in direction or number of “agents”, to do any of what enforcement was cynically(?) intended? The deliberate and calculated unwillingness, of the executive, even to bring the judicial appointments to the number clearly necessary, suggests a concerted willingness to play to appearance and slight substance, as few Americans, seemingly, are the wiser.

        At some point, the tabulation of ongoing failure might better be replaced with some forword thinking about future forms of governance and democracy which reasonable and rational beings will need, simply to survive with some humanity intact, not to mention some visions of a “system” which might afford the possibility of the majority of human beings actually having the opportunity to thrive.

        Unless the potential of ALL human beings is soon seen as not be merely worth maximizing as moral principle, but understood as fundamentally critical to the real FUTURE even being worth having … we shall continue to drift toward that neo-feudalism which you so well have depicted.

        DW

  2. WilliamOckham says:

    I think this is an attempt by Congress to settle a long-standing dispute between the CIA and DoD about who is in charge of “cyberspace” activities. It’s more about money and bureaucratic power than anything else. Back in 2008 there was a kerfluffle about whether the military or CIA was going to be in charge of an operation directed against a site that was allegedly being used to recruit foreign fighters to fight in Iraq. The site (which was originally set up as a “honeypot” by the CIA and the Saudis) was attacked and taken down by the military (over CIA objections). Unfortunately, there were a lot of sites in Texas that were taken down as unintentional collateral damage. News reports were very vague about how that happened. However, there are a couple of Texas-based hosting operations that are favorites of radical websites of all stripes that suffered outages at about that time.

    That episode shows the real danger of our current cyberspace thinking. The military thinks of “cyberspace” as a real domain (on a par with land, sea, air, and space). That very conveniently allows them to ignore national borders. It is just one more step to permanent war inside our country.

    • emptywheel says:

      When you say “radicals websites of all stripes,” do you mean left, right, white, and brown?

      And what’s your take on the outcome here, then? Clearly, CIA’s still in cyberspace, or DiFi wouldn’t have been so furious they weren’t monitoring social media.And CIA certainly seems to still be trolling the extremist sites.

      • WilliamOckham says:

        Not sure if anyone is still reading this thread, but the military got what it wanted: clear congressional approval for its network warfare. They will now use their budget and organizational prowess to muscle the CIA out of the way. The next Stuxnet will be from the DoD.

        And yes, the cheap hosting providers serve the needs of the all sorts of radicals, but I am only aware of right-wing types (brown and white, Christianists and Islamists).

  3. rugger9 says:

    I’ll be impressed once the DOD IT security is fixed, supposedly in a couple of years’ time. I’m sure the PRC will wait to go digging until then, it’s more sporting that way.

  4. bobschacht says:

    I think this is another example about how the AUMF is being used to further erode civil rights in the name of Keeping Us Safe. Right now, I view the AUMF as THE main problem. It has become like Lady MacBeth’s “damn spot” that she can’t wash away. I think it will be recognized in history as the beginning of America’s Perpetual War.

    Bob in AZ

  5. Ralph says:

    Bradley Manning was not a private at the time he is alleged to have downloaded information onto a CD. At that time he was a Specialist. His rank was subsequently reduced to Private First Class.

    • rugger9 says:

      Even so, there is no reason a Specialist (depending upon the grade, but on the corporal level) should have had as free an access as he did. Where are the senior enlisted and the officers’ heads on spikes for the breaches? That could be done now, and needs to be done to send the message.

      And, put Manning on trial, what else are they waiting for here, another Wikileaks dump? The DOD already knows what was compromised. Try Manning on that.

  6. JohnLopresti says:

    I have yet to read why Jane Harman (HPSCI) decided to leave the House of Representatives; ?ennui?

    • bobschacht says:

      IIRC, her husband had significant health problems? Also, Pelosi blocked her from the committee chairmanship she coveted the most, and then the Republicans took over the House.

      Bob in AZ

      • JohnLopresti says:

        Yes, family health.

        Still, emptywheel chronicled in fine detail Harman*s sidelining from notifications, and Bushco*s ex parte system of briefing or even skipping some gang of 4 or G of 8. I wonder if the current Obama administration is bargaining now with notification completeness issues like those. If I recall, G4 has become the new standard. It is easy to see in what emptywheel has aggregated in the post that even G4 is getting parsed out of oversight.

  7. earlofhuntingdon says:

    Congress has been enforcing its rights to oversee the executive across the board the last ten years, hasn’t it. A pallet-load of cash can probably be found at more places than the back-end of a hangar in Baghdad or at Andrews.

  8. virtualnaut says:

    Just caught up to this thread. Thinking about the recent news in re. Team Themis, H.B. Gary specifically, making pitches to pro-business groups to target journalists like Greenwald of Salon with what can only be described as cyber-harassment. Wondering how long these companies, apparently trained in service to the government initially, have aimed to “mitigate effect of adversarial groups” using social-media and web mining to “discredit, confuse, shame, combat, infiltrate and fracture” said groups.

    To me, because I’m older, it sounds so much like what came out in the 1970s about the CIA, who (according to Tim Weiner’s National Book Award winning study Legacy of Ashes) spied on the left, wiretapped newspaper reporters, placed them under surveillance, conducted illegal searches. Congress spent a year investigating SOME of the facts of what else went on (Kissinger called the report “the horrors book,” some of the activities clearly illegal.) Questions should be asked by Congress about this new era and use of the internet IMHO. Here’s a quote:

    “Though he had served a decade on the small CIA subcommittee in the House of Representatives, President Ford had never heard a whisper of these secrets – domestic spying, mind control, assassination attempts.”

    Damage control went to a young Republican operative named Rumsfeld.