Are DOD’s rules of engagement in cyberspace too limited?

Amid the increasing scale, scope and speed of threats in cyberspace, the rules of engagement to respond could be limiting the ability of America’s digital warriors to hit back in a timely manner, according to a top lawmaker.
“I also have learned that within the executive branch there are very limiting rules of engagement on what Cyber Command can do in response,” Rep. Don Bacon, R-Neb., said during a June 12 House Armed Services Committee hearing.
Bacon serves as the chair of the panel’s subcommittee that oversees Department of Defense cyber operations, forces and policies, giving him unique insights into this matter.
“I’m the chairman of the committee and I’ve talked to multiple layers, they are restricted based off the rules of engagement. Maybe they’re appropriate. I just hope we relook at them because if China can attack our energy grid, our Wall Street grid, our hospitals, I think we should be reviewing, okay, is our responses adequate? I just want to submit that for you to think about and consider,” he told the committee’s witnesses that day, Secretary of Defense Pete Hegseth and Chairman of the Joint Chiefs of Staff Gen. Dan Caine.
He implored them to review the current rules of engagement and consider if they need to be revamped.
In a statement, he later emphasized that while Russia and China are infiltrating systems, rules of engagement are hindering U.S. Cyber Command from responding properly, urging a more aggressive posture.
“China has surpassed Russia as our biggest cyber threat. With malicious intent, they’re attempting to – and largely succeeding in – infiltrating everything from our energy grid and cell phones to our financial institutions, and health care networks. While we have good cyber intelligence, China is no longer deterred in the cyber domain, and I believe our own rules of engagement are holding us back,” Bacon said. “We need to start imposing heavy costs on these cyber actors, including nation states like China and Russia, to establish better cyber deterrence. In some cases, this could mean allowing Cyber Command to fight fire with fire, in other cases this might mean applying targeted non-cyber response like significant economic or diplomatic sanctions or perhaps covert action. Regardless of how we do it, I think everyone can agree that the status quo (of continued cyber attacks) is not acceptable or sustainable: some level of cyber deterrence has to be established.”
When asked if DOD is reviewing its rules of engagement for cyberspace, a department spokesperson on Friday said they had nothing to announce.
For many years, restrictive rules of engagement and improper analogies handicapped the military’s ability to conduct cyber operations. It used to be that U.S. military offensive cyber actions were considered on par with nuclear weapons in terms of requiring presidential sign-off for employment, for fear that effects could lead to escalation and possibly unintended consequences.
The nuclear analogy proved to be a flawed model for cyber, as history has borne out. In 2018, a series of congressional and executive actions cleared the way for smoother cyber operations approval. Those included a clarification that cyber action is a “traditional military activity,” removing interagency barriers that might have previously required an exemption to the covert action statute, effectively allowing Cybercom to operate more freely. Congress also included what essentially boiled down to an authorization to use force in cyberspace against Russia, China, North Korea or Iran to “disrupt, defeat, and deter … active, systematic, and ongoing campaign of attacks against the Government or people of the United States.”
On the executive branch side, the first Trump administration repealed the Obama administration-era policy for approvals, issuing what was known as National Security Presidential Memorandum-13, which delegated authorities to the secretary of defense to conduct timely cyber operations. The still-classified policy also included components to deconflict cyberspace with other government agencies to avoid fratricide among different organizations and equities.
“In line with the shift to a more proactive cyber strategy … NSPM-13 enables faster, more agile decision-making better adapted to the strategic threat. It does so not only by allowing delegations of authority, but by reinforcing those delegations with a coordination and approval process run by the delegee, not the NSC,” Gary Corn, director of the Technology, Law and Security Program and an adjunct professor of cyber and national security law at American University and former Staff Judge Advocate at Cybercom, wrote in a paper in 2021.

Prior to 2018, the military conducted very few cyber operations. Some experts that spoke to DefenseScoop noted that the primary restriction and limitation to engage in offensive cyber action was the lack of clear authorities, but after 2018 it was the lack of a sufficient man, train and equip function to present Cybercom with enough trained, capable personnel to carry out the mission.
The second Trump administration’s pick for assistant secretary of defense for cyber policy noted last month in her confirmation hearing that it’s likely time to begin reassessing some of these authorities from 2018.
“The cyber domain is continuing to evolve and the one constant that I’ve seen in being involved in this domain for over two decades is that the rate of change is exponential. My top priority if confirmed in this role will be to address this change with speed and agility in the department,” Katie Sutton told the Senate Armed Services Committee in May. “As you’re well aware, in 2018 there was a series of activities that enabled the offensive posture that the department is undergoing today; both establishment by President Trump of NSPM-13, the process to do cyber operations, as well as this committee’s definition of traditional military authorities for cyber. I believe we’re at a point where we need to reevaluate those and make sure that we’re postured to be able to respond to the increasing speed of cyber attacks and that we are able to address the incoming impacts of AI.”
Sutton served as a staff member on the Senate Armed Services Subcommittee on Cybersecurity and most recently as chief technology advisor to the commander and director of Pentagon operations at Cybercom, giving her relevant insights into cyber operations.
Despite some criticism regarding the current rules of engagement, officials have indicated new rules have significantly increased the ability to conduct cyber operations.
“NSPM-13 is a repeatable, sustainable, agile process that is recognized across the Department of Defense and across the interagency that allows us to move at the speed and agility that’s required based on our intelligence, based on operational requirements, and it has increased our ability to execute cyber operations tenfold,” Lt. Gen. William Hartman, acting commander of Cybercom, told a Senate subcommittee during an April hearing.
Sources that spoke to DefenseScoop noted that after the first Trump administration gave new authorities, the Biden administration came into office with some folks that worked in the Obama White House, and there was still resistance to some actions in cyberspace — which led to efforts to walk back what the Trump team had put in place.
As President Donald Trump was coming back into power for his second term, officials associated with the transition and administration vowed a top priority would be a more aggressive posture in cyberspace to respond to a bevy of activity against the U.S., namely from China.
According to some, while there are standing rules of engagement for combatant commands to respond with force if necessary, cyber is a bit different given the risk profile and some policymakers’ lack of understanding about the digital realm.
As such, over time, certain presidential policies have limited that pre-authorization to use offensive measures except under certain defined circumstances, according to sources.
Legal experts agreed that the president has authority to act as commander-in-chief and respond to activities in America’s self-defense. However, for some, response in cyber is a little more opaque.
“There’s been longstanding policy that, consistent with international law, if somebody starts shooting at us, we can shoot back. That is murkier in cyber because of a number of factors, part of which is less than clear lines in international law about what the thresholds are and what types of cyber activities cross those thresholds, and also concerns about escalation dynamics and risks,” Corn said in an interview. “We’ve gotten better at the risk side of it as compared to 10 years ago when there were lots of senior officials who were talking about any out-of-network cyber operations in terms of nuclear conflict.”
Speeding up decision space
One way in which operations under the current framework could be slowed down is if activity needs to be coordinated across the interagency at a time when most civilian government employees are offline and away from their desks.
Cybercom operates 24/7, monitoring threats across the globe and planning for operations. If something were to happen in the middle of the night or on a weekend and the command wants to coordinate with the interagency on the target set to be a good partner, the command could be in a situation where the options are to either violate the framework to complete the mission or delay until personnel are back at work, a former military cyber official explained.
This type of setup can also affect the command’s ability to campaign in cyberspace, that is, looking at sustained and persistent activity to set conditions rather than just conduct one-off operations. The current framework has allowed for those types of one-off engagements, but can hinder ongoing campaigning efforts that require persistence, the former official noted.
Going faster might not necessarily be about changing the framework itself as much as evaluating coordination across the interagency at a faster pace.
“[A]n effective decision-making process should be designed to aid the designated decision-maker in rendering a decision. A process that allows participants to effectively usurp decision authority without the attendant accountability is a design flaw, not a feature,” Corn wrote in 2021. “Imposing process for process’ sake is a fool’s errand, unless the objective is to drive interminable debate and bureaucratic inertia. Process is a means to an end, not an end in itself, and so it should always be designed to fulfill an objective. In the case of national security decision-making, the objective is to achieve the most well-informed decision possible under a given set of circumstances, including acceptable risk parameters and time available. The increasingly complex, fast-moving, and dynamic nature of modern national security threats requires disciplined decentralization of action consistent with centralized intent.”

Also at play now and especially into the future is the speed at which adversaries will likely execute operations employing AI and machine learning capabilities.
Experts referred to the notion of machine-on-machine competition in the future, necessitating the requirement to operate at high speed and be effective in defense and offense. The question for policymakers is if the current policy framework meets those challenges.
As such, some experts noted the need to relook cyber authorities on a more frequent basis than other areas of military operations given the dynamic environment and shifts in tactics.
“Cyber is definitely an area where authorities need to be looked at more frequently than the kinetic space. Obviously, not the idea of layering on more statutory or executive level guidance, but for tightening the OODA [observe, orient, decide and act] loop and coming up with ways to provide the higher level transparency and control that has to be there without sacrificing too much operational capability,” Tom Wingfield, a senior international and defense researcher in RAND’s Department of Defense and Political Sciences who served as deputy assistant secretary of defense for cyber policy from 2019 to 2021, said in an interview. “Part of that would need to be looking at the role AI can play in providing that transparency and tightening the OODA loop. There’s a lot of opportunity there to know what we’re talking about and to build in limitations so that we don’t have clunky 20th century techniques for reporting and waiting for permission.”
Corn noted that there’s a need to constantly assess if authorities and policies are fit for purpose given the risk environment, but acknowledged that lawmakers helped clarify some things a few years ago.
“What Congress did in the end of 2018 was more about clearing some hurdles that were perceived to exist in law from a domestic law perspective, like lifting a potential interagency objection to something that would constitute covert action versus a traditional military activity,” he said.
Ultimately, the more operations cyber forces conduct, the more comfortable national level leadership will be, similar to many of the other domains of warfare.
“The three main problems that really drive most of the oversight [in cyber] are first, the ability to know what needs to be hit. The second is having a weapon or an access that’s able to hit it. And the third is the ability to limit the knock-on effects of that attack to just the immediate area of the attack,” Wingfield said. “Each of those three things is a capability that, as it gets sharpened, would require less oversight and fewer packing peanuts around an operation. So as you do those three specific things better, then you can move much more quickly, much more like the kinetic areas of warfare.”