The Biden administration has forged a new agreement under which the State Department will have more ability to weigh in on certain kinds of cyber operations, according to two sources familiar with the discussions between the White House and the agencies.
The sources said the negotiating parties reached consensus on a policy that gives the State Department greater ability to monitor and weigh in on “third-party notifications,” defined as whether and how the U.S. government alerts countries if it plans to enter their cyberspace to interrupt adversaries’ cyber operations.
Because the president has not yet signed the agreement, the situation remains fluid, but the sources said both the Defense and State departments feel they won important pieces of the fight. The sources were unwilling to discuss additional details about the substance of the agreement.
A spokesperson for the National Security Council, which is leading the negotiation process, declined to comment.
CyberScoop reported in March that the White House had initiated an “interagency review process” meant to pare back the unprecedented authorities to launch and manage cyber operations that the Trump administration gave the DOD under National Security Presidential Memorandum-13.
NSPM-13, which became policy in 2018, allowed the delegation of “well-defined authorities to the secretary of defense to conduct time-sensitive military operations in cyberspace,” according to a 2020 speech given by Paul Ney, then the general counsel for the DOD.
In a potential third-party notification scenario, the U.S. might need to take out a Russian server that is wreaking havoc and is physically located in a separate, uninvolved and often unaware country. The State Department and the Defense Department had been at odds since NSPM-13’s advent because State wanted to have more say than the Defense Department is currently soliciting when determining whether and how often to let other countries know about cyber operations happening within their borders.
DOD officials and those sympathetic to DOD — including several lawmakers — have recently asserted that substantial changes to the authorities that NSPM-13 gave to DOD would significantly hamper operational speed and agility while also potentially compromising operational security. National Security Agency Director and U.S. Cyber Command leader Gen. Paul Nakasone warned Congress last month that “significant changes to that NSPM, it could affect what we need to do.”
Third-party notifications are particularly fraught for a Defense Department now accustomed to running cyber operations without having to consult the State Department and White House beyond the pro forma briefing provided at the outset of a given operation.
DOD alumni say the White House review of NSPM-13 is troubling because the agency needs to retain as much authority as possible to manage cyber operations without consulting the White House and other agencies on a case-by-case basis, which they say would slow things down, hinder success and potentially jeopardize operational security.
But State Department and White House alumni argue that any potential slowdown is more than offset by what’s gained by allowing White House, State Department and other officials in on decision-making. They also say that NSPM-13 set dangerous precedents by giving unprecedented authorities to the Defense Department to conduct offensive cyber operations.
The case for paring back NSPM-13
There are good reasons to take back some of the authority Trump bestowed on the DOD in 2018, according to Obama administration officials and outside experts. The DOD emphasis on speed and agility does not do enough to account for other significant concerns, Michael Daniel, the cybersecurity coordinator on the National Security Council staff in the Obama White House, said in an email to CyberScoop.
“Diplomatic risk (the likelihood a country would believe we have violated its sovereignty while carrying out an operation against an adversary), norm setting (what the U.S. does, every other country can argue it has a right to do as well) and likely effects (physical destruction vs. temporary service disruption vs. adversary loss of access to co-opted infrastructure) should also factor into the decision-making process,” said Daniel, who is now president and CEO of the Cyber Threat Alliance, a member organization focused on cybersecurity. “The higher the diplomatic risk, the more disruptive or destructive the effect or the greater likelihood of establishing a ‘norm’ for offensive cyber activity, the broader and more senior the review of the proposed activity should be.”
Many U.S. allies have long bristled at American cyber operations and a perceived lack of structure around U.S. Cyber Command’s activities, said Trey Herr, the director of the Atlantic Council’s Cyber Statecraft Initiative. Many allies also have concerns about being dragged into tensions between the U.S. and an adversary if Cyber Command runs an operation in their cyberspace that provokes tensions, Herr said.
“There’s a reason that there has been pushback from others in NATO and the French, I think, would be the ones I put toward the top of that list,” Herr said. “There’s a lack of understanding of what the parameters of U.S. strategy are, what it’s meant to accomplish or how they’re going to accomplish it.”
Herr said the White House and the State Department are contending with a perception that the U.S. strategy in this space is “embracing operations willy nilly across foreign infrastructure without due care and notice to those states.”
DOD’s case for preserving NSPM-13
Delegation and operational flexibility are critical for Cyber Command to be agile and effective, said Gary Corn, the former general counsel to Cyber Command and an expert on national security law.
Corn, who left his position with Cyber Command in 2019, said that during his tenure NSPM-13 was key to Cyber Command’s success because it delegated authority to the Department of Defense to make decisions about certain cyber operations without having to go back to the White House in each case.
Now a law professor at American University, Corn said that the DOD reviews all proposed operations to ensure compliance with law. Corn noted that he is not a participant in any potential NSPM-13 deliberations and therefore can’t comment on their status, but when asked if third-party notifications are a problem, he said, “as a matter of policy, not categorically. But if you embed pieces into the process that require case-by-case determinations at the NSC level, you’re basically undermining the objective of delegation.”
Former DOD and Trump White House officials say that NSPM-13 does not give the Pentagon blanket authorities, though many people wrongly assume otherwise. The policy includes “checks and balances,” according to Sean Plankey, who served in the Trump White House as the National Security Council director for maritime and Pacific cybersecurity policy and previously was the offensive weapons and tactics chief at U.S. Cyber Command.
“The common mistake on NSPM-13 is the theory that it gives DOD unilateral authorities to act in cyberspace,” Plankey said via text message. “It doesn’t.”
Ambassador John Bolton served as Trump’s national security adviser and wrote about the administration’s path to implementing NSPM-13 in his book “The Room Where It Happened.” He paints a picture of a Defense Department paralyzed by too much oversight from other agencies.
“The interagency process was frozen solid. The Department of Homeland Security and others wanted to keep a stranglehold on the Defense Department, as did the intelligence community,” Bolton wrote of the Trump administration’s infighting as it created NSPM-13. “The Pentagon didn’t want oversight from anyone, including the White House, and took an ‘all or nothing’ approach in negotiations that only infuriated everyone else involved.”
Bolton emailed a comment on CyberScoop’s latest NSPM-13 reporting: “If the Biden White House reverses the changes we made to allow more offensive cyber operations, they will be putting America at grave risk,” Bolton wrote. “This is ideology at work, pure and simple.”
Before former President Donald Trump gave DOD broader cyber authorities, operational decisions came very slowly, said Mark Montgomery, a former Republican Senate Armed Services staffer who helped craft the 2018 legislation laying the groundwork for NSPM-13.
“If it’s true that the State Department has been introduced back in this will be challenging for Cyber Command,” said Montgomery, now senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “We won’t know that this was an overcorrection until we fail to execute an operation in a smooth and effective manner.”