The Biden administration is reviewing whether and how to change a Trump-era policy that gave unprecedented authority to the Department of Defense and U.S. Cyber Command to authorize cyber-operations without White House approval, two sources briefed on the discussions said.
The administration has launched an “interagency review process” paving the way for revisions to the Trump-era National Security Presidential Memorandum-13 (NSPM-13), one of the sources said. The White House National Security Council is spearheading the effort, according to the sources.
NSPM-13, which became policy in 2018, allowed the delegation of “well-defined authorities to the secretary of defense to conduct time-sensitive military operations in cyberspace,” according to a 2020 speech given by Paul Ney, then the general counsel for the DOD.
A spokeswoman for the National Security Council declined to comment.
NSPM-13 has long been controversial, and many Washington insiders called its 2018 implementation an unusual response by the Trump administration to historically slow decision-making in the cyber realm, particularly during the Obama administration. NSPM-13 built on the principle of persistent engagement, which Ney described as “continuously engaging and contesting adversaries and causing them uncertainty wherever they maneuver.” NSPM-13, which is classified, also was reportedly amended by another classified memo, NSPM-21, and figured into President Donald Trump’s draft executive order directing the defense secretary to seize voting machines, according to POLITICO.
“Persistent engagement recognizes that cyberspace’s structural feature of interconnectedness and its core condition of constant contact creates a strategic necessity to operate continuously in cyberspace,” Ney said in his remarks, which were made at the Cyber Command Legal Conference in March 2020. “As [Cyber Command chief] Gen. [Paul] Nakasone has said, ‘if we find ourselves defending inside our own networks, we have lost the initiative and the advantage.'”
One of the sources briefed on the administration’s plans to review NSPM-13 said that White House officials want to “regularize cyber operations.” The source described the Trump administration’s delegation of broad cyber authorities to the Defense Department as highly unusual.
“No other kind of weapon system [or] attack system do we do that so it’s unprecedented,” the source said of the Trump decision to allow DOD to launch cyber-operations without White House approval. “If you’re not in combat, the commander is supposed to check in with White House and the president. That’s how we’ve done it before. That’s how we usually do it … The White House should normally have control. That’s how it works. That’s how it works in most other countries.”
The lack of precedent underpinning many cyberwar scenarios makes the delegation of authority to the Defense Department even riskier, said Michael Daniel, a former Obama administration cybersecurity official who now runs the Cyber Threat Alliance, a cybersecurity nonprofit. Daniel pointed out that when it comes to traditional operations such as flying over another country’s airspace there is clear agreement on how high a plane can fly to respect other nations’ sovereignty. No such clarity exists for cyber operations, Daniel said.
“We have very clear rules in the physical world that we don’t have in cyberspace yet,” Daniel said. “That lack of clarity is part of the problem … and why there’s an argument for being careful about and having oversight over offensive cyber operations.”
Daniel, who served as cybersecurity coordinator on the National Security Council staff from 2012-2017, conceded that the Obama administration sometimes moved slowly making cyber decisions but said that 2012 was a different era than today. He rejected complaints by some that the Obama administration moved excessively slowly, however, and said it is important to remember the broader context before assessing these types of complaints.
“The fact that [an ally] may have been able to move faster than us is not necessarily a sign that that was the right speed to be going and their risk-benefit calculus is different than ours,” Daniel said.
From one administration to the next
The Trump administration decided to overturn Obama-era cyber authorities in order to allow the Department of Defense to move more quickly. John Bolton, Trump’s national security adviser, wrote about the administration’s path to negotiating NSPM-13 in his book “The Room Where It Happened.”
“The interagency process was frozen solid. The Department of Homeland Security and others wanted to keep a stranglehold on the Defense Department, as did the intelligence community,” Bolton wrote of the Trump administration’s infighting as it created NSPM-13. “The Pentagon didn’t want oversight from anyone, including the White House, and took an ‘all or nothing’ approach in negotiations that only infuriated everyone else involved.”
Bolton wrote that some in the intelligence community did not fully support NSPM-13, with many at the CIA envious of the Defense Department’s new authority.
“This reflected a long-standing, almost existential, CIA-Pentagon tension,” Bolton wrote.
Bolton did not return a call seeking comment for this story.
Christopher Painter, the former top cyber official in the Obama State Department, acknowledged that sometimes decisions took time to arrive at, but he said often DOD shared some of the blame.
“There were times when things were simply slower than they would like,” Painter said of the DOD in that era. “I think sometimes that was their own fault.”
Painter said the White House should take back control of cyber authorities so that no one agency is operating in a vacuum. He said it is important for the government to coordinate across agencies so that all tools — economic, diplomatic and military — can be used. He argued that by having the White House determine how and when to act on cyber operations, and by allowing the White House to deploy multiple tactics at once, strategic advantages will follow.
“If the flaming ball of cyber death is coming toward you you have to respond immediately,” Painter said. “But we also have some ability to plan and figure out how we’re going to respond and what tools we’re going to use … Having all of those tools together and doing them strategically as part of a plan, I think really does require the White House to be calling the shots.”
Others pointed to the balance of powers that is threatened when anyone who’s at an agency gets a level of authority which others lack. Tom Bossert, who was a homeland security adviser to Trump, said the debate is fueled in large part by how different government entities relate to each other as they vie for authority.
“There’s a trade off between acting on intelligence to further our national interests or foil a plot and tipping your hand, losing often fragile intelligence channels or burning human sources. In cyber, different agencies have different opinions on when and why we should break things or spy on them,” Bossert, now president of the threat prevention firm Trinity Cyber, said. “U.S. Cyber Command has the authority to weigh the various considerations and equities and other agencies sometimes disagree.”