Lawmakers bluntly asked military leaders for a regulatory wishlist Tuesday, in a move that could open the door for policy changes concerning when warfare units are allowed to launch hacking operations.
Over the last several years, top military brass has been frustrated by the legal barriers that complicate military-led computer network attacks. Military organizations largely lack the authorities to act independently in cyberspace. Approval usually begins with a interagency review and ends with direct permission from the president. Historically, this arrangement has led to a long line of denials.
One lawmaker, Sen. Ben Sasse, R-Neb., described the current approval process as being “slow as molasses.”
A bipartisan effort by lawmakers in recent weeks has seen Congress vocally criticize the Trump administration for its lackluster response to Russian offensive cyber-operations and misinformation activities. Part of this outrage stems from two prior congressional hearings where intelligence leaders, including Director of National Intelligence Dan Coats, openly claimed that he had yet to be ordered by the White House to strike back.
During a Senate Armed Service Committee hearing Tuesday, the country’s top cyberwarfare generals answered questions and provided status updates on their forces.
“PPD-20, Presidential Policy Directive 20, the methodology by which we get approval for offensive cyberspace operations, is a work in progress,” said Army Cyber Command’s leader, Lt. Gen. Paul Nakasone. “Is the process perfect? No, it’s not. But this is a constant dialogue that goes on between ourselves, certainly Cyber Command, and the Department of Defense and National Security Council.”
While the frustration seems to be shared by generals and lawmakers alike, a path forward is less clear.
“I fear for American democratic institutions if we do not attack,” said Sen. Bill Nelson, D-Fla.
The fundamental framework, U.S. Code Title 10, which limits the military from operating outside a defined war zone, inherently complicates hacking operations because the internet is borderless. In an apparent attempt to bridge the divide and find answers, senators asked for advice.
“Could you give us some examples for where our allies have some delegated authorities which you’d like for us to take a look at,” questioned Sasse. “I think there are a number of us who would like to follow up on this and be tutored by you … those of us in a policy making role know well that we need tutorials from the people who are living this day in and day out.”
Sen. Claire McCaskill, D-Mo., also pledged her assistance to the generals.
“I would really appreciate it if there are things we could add to the [National Defense Authorization Act (NDAA)] this year, to give you more tools, to recruit and retain … we have got to up our game in cyberwarfare,” McCaskill said. “If there are specific things we could do to give you additional flexibility or tools I’d really appreciate it if you would share them with us before we begin our consideration of the NDAA this year.”
The NDAA, the yearly overarching bill that funds the military, can also be seen as an indicator for how the U.S. government conceptually defines modern warfare.
“I understand from earlier hearings that you don’t feel like you have the authority from the president,” said Sen. Kirsten Gillibrand, D-N.Y. “What I would like to hear is for recommendations to this committee about if you were given this authority, what you you’d like to implement and what resources you would need.”
She added, “I feel like your hands have been tied.”