A subcommittee mark of the upcoming National Defense Authorization Act requires the military to notify Congress when using its expanded offensive cyber authorities.
Members of the House Armed Services Committee want Congress to be kept in the loop when the executive branch launches offensive operations in cyberspace.
In a legislative draft of the upcoming National Defense Authorization Act, the House Armed Services Subcommittee on Intelligence and Emerging Threat Capabilities is seeking to amend Title 10 of U.S. law to require that the Secretary of Defense notify congressional defense committees whenever the department engages in sensitive military cyber operations.
The draft bill would also include additional parameters that further define what offensive or defensive operations constitute a "sensitive military cyber operation."
"The committee notes that the Department's definition of and threshold for sensitive military cyber operations notifications is not aligned with the intent of the committee," the report states. "As military cyber operations increase in frequency and scope, the committee expects to be continually notified and kept fully and currently informed, in order to conduct oversight."
The provision indicates that members of the committee believe they aren't being kept fully and currently informed on how the Department of Defense is using its new authorities in cyberspace, said Jamil Jaffer, a former staffer for the Senate Foreign Relations Committee and current Cybersecurity Vice President for Strategy and Partnerships at IronNet.
The language represents "an attempt by the committee to reassert Congress's authority to be apprised of such actions, even when the Department of Defense doesn't think they meet the current requirements of the statute" provided in last year's NDAA, Jaffer said.
"Oversight is impossible without transparency, and the White House's continued refusal to share documents impedes Congress's ability to ensure both law and policy are being followed," Stuart Malec, communications director for Subcommittee Chair Jim Langevin (D-R.I.), told FCW.
Last year, the Trump administration rescinded Presidential Policy Directive 20, an Obama administration interagency framework for approving offensive cyber operations abroad. That policy was replaced with National Security Memorandum 13, a new classified policy that White House National Security Advisor John Bolton said wouldn't tie the hands of the administration or military as it seeks to more aggressively push back against adversaries in cyberspace.
Michael Daniel, former White House Cybersecurity Coordinator under President Obama and President and CEO of the non-profit Cyber Threat Alliance, told FCW that Congress has a legitimate role overseeing and setting legal parameters around how military operations are conducted, whether they're cyber or kinetic.
"Because cyber operations are still relatively new, U.S. government actions are precedent setting – our actions as a nation are helping to define what's acceptable and what's not," said Daniel. "Given this uncertainty, lack of understanding, and potential for setting precedents, Congress naturally wants more insight into what's going on [in cyberspace] than in some other areas."
Since the Trump administration announced its policy, only two offensive cyber operations carried out under the new structure have come to light: an operation in October 2018 to track, identify and directly message Russian operatives to warn them against meddling in the upcoming mid-term elections and another operation in November that involved U.S. Cyber Command blocking Internet access for the Russian troll factory Internet Research Agency in the days following the election.
Both operations have received criticism in some quarters for being overly mild, but Jason Healey, former White House Director of Cyber Infrastructure Protection under President George W. Bush and Senior Research Scholar at Columbia University, noted in February after the IRA operation was publicized that small, targeted actions against clear and present threats with little potential for collateral damage are precisely the kind of operations U.S. Cyber Command should be using its new authorities to undertake.
Healey, who often warns that the U.S. stands to lose more in an aggressive, escalating cyber war than many of its biggest adversaries, said that sometimes "conflict is straightforward and you just have to stop adversaries from punching you in the mouth."