Military Cyber Operations: The New NDAA Tailors the 48-Hour Notification Requirement

The soon-to-be-enacted National Defense Authorization Act for Fiscal Year 2020 (NDAA fiscal 2020) includes a provision that will fine-tune the range of military cyber operations subject to the 48-hour notification requirement associated with “sensitive military cyber operations.” Here’s an explainer.

1. What is the status quo with respect to “sensitive military cyber operations”?

Congress for many years has been building a domestic legal framework to govern military cyber operations. Specifically, it has used the NDAA process to clarify the U.S. military’s affirmative authority to conduct operations in the cyber domain, to establish that these operations do not constitute “covert action” for purposes of U.S. domestic law even when conducted on a deniable basis, and to subject some such operations to a custom-designed notification-to-Congress rule that is akin to the more familiar one used for covert action. See here for a post, last summer, in which I summed up much of this work.

Let’s unpack that last part, regarding notification to Congress.

The relevant rule, enacted in 2017, is codified as 10 U.S.C. § 395. It defines a category called “Sensitive Military Cyber Operations” (SMCOs), and it requires the secretary of defense to give written notification of any such activity to the Senate and House Armed Services Committees within 48 hours. This is modeled on the covert-action oversight rule, of course, but without the element of likely interagency involvement that comes from the covert-action requirement of presidential authorization, and with the oversight running to the armed services committees rather than intelligence committees.

So, what is in scope for this rule? That is, what constitutes an SMCO?

As defined in 10 U.S.C. § 395(b), an operation must satisfy these three elements to constitute an SMCO:

1. The operation must be either an “offensive cyber operation” or a “defensive” one taking place outside of the DoDIN (Department of Defense Information Networks) in order “to defeat an ongoing or imminent threat”
2. It must be conducted by U.S. armed forces
3. It must be intended to have “cyber effects” in a location other than locations where U.S. armed forces are engaged in hostilities (or where hostilities have been declared by the U.S.)

In short, SMCOs are those non-DoDIN military cyber operations that are meant to impact systems outside zones of hostilities. Given that such circumstances are likely to be of some diplomatic and legal sensitivity, and that other statutory developments ensured these operations would not count as covert action, it is easy to see why Congress wanted to ensure some customized form of notification requirement for them.

2. What about the other military cyber operation notification rules?

Notably, the SMCO rule is not the only congressional notification requirement for military cyber operations. Therein lies some complexity that we should address before moving on to see how the new NDAA will change the sensitive military cyber operation notification rule.

First, since 2013 the Defense Department has been subject to a general requirement of quarterly reporting to the armed services committees regarding all offensive operations and all “significant defensive” operations conducted by the military in the cyber domain.

Second, and more intriguingly, another 2017 statute creates a separate 48-hour notification requirement, one that appears to have significant overlap with the SMCO notification rule. 10 U.S.C. § 396 concerns the military’s “weapons review” process (i.e., the process of conducting a serious review of the compatibility of a weapon or weapons system with international law). Section 396(a)(1) requires quarterly briefings to the armed services committees regarding application of the weapons review process to “a cyber capability that is intended for use as a weapon.” And then Section 396(a)(2) imposes a 48-hour notification requirement whenever any “cyber capability that has been approved for [use as a weapon] under international law by a military department” actually then is used as a weapon.

This raises an important question: Is the entire SMCO discussion superfluous on the theory that any SMCO also will constitute a “weapon” use that triggers 396(a)(2)’s own 48-hour notification rule? The answer is no.

A helpful way to come to grips with the nuances here is to consider Army Regulation 27-53 (“Legal Review of Weapons and Weapon Systems,” September 2019), which provides a clear treatment of this issue.

AR 27-53 first defines “cyber capability subject to legal review” as:

any device or software payload, not including command line interface techniques, intended to perform a cyberspace attack, as that term is defined in Joint Publication 3-12[.]

Joint Publication 3-12 in turn defines “cyberspace attack” to include actions that “create noticeable denial effects (i.e., degradation, disruption, or destruction) in cyberspace or manipulation that leads to denial effects in the physical domains[.]” So far, so good. But note that our specific concern in relation to Section 396(a)(2) is not with cyber capabilities and cyber attack in general, but with cyber capabilities employed “as a weapon” in particular. This is an important distinction. AR 27-53 defines “cyber weapon or cyber weapon system” much more narrowly than the broader category of cyberspace attack. A cyber weapon or cyber weapon system constitutes:

[a] cyber capability which, by means of cyber effects, is intended to injure or kill personnel, or physically damage or destroy property. This does not include capabilities that passively enable cyber effects, but do not directly cause or significantly impact such effects (for example, payload-agnostic servers or similar infrastructure). [emphasis added]

Plainly, a wide swath of “cyberspace attack” operations might be undertaken without implicating the weapon/weapon-system categories. And it follows, therefore, that there might be an array of SMCOs that would not also trigger Section 396(a)(2)’s 48-hour notification rule. (For more on the complexities associated with weapons review for cyber capabilities, see this recent article in International Law Studies by Jeffrey Biller and Mike Schmitt.)

3. How does the NDAA fiscal 2020 narrow the definition of SMCO?

Section 1632 of the new NDAA will amend the definition of SMCO found in 10 USC § 395(b), in two ways.

a. Eliminating the language limiting the range of “defensive” operations that can count as an SMCO

First, the new NDAA cuts some language out of the first element of the SMCO definition quoted above (i.e., the requirement that the operation be either offensive or else a defensive one that is outside the DoDIN and conducted “to defeat an ongoing or imminent threat”). Well, the new NDAA will simplify that definition considerably, because it will eliminate the language “outside the [DoDIN] to defeat an ongoing or imminent threat.” Notice that, as a result, the first element will then consist of a requirement that the operation be either an “offensive cyber operation” or a “defensive cyber operation,” full stop. And since that does seem to cover the waterfront, I think it’s fair to say that the first element no longer will be doing any work in defining what counts as an SMCO.

Will this matter much in practice? At first blush I was doubtful, for my instinct was to say that (a) defensive activities outside the DoDIN Defense Department’s information network mostly can be characterized as meant to defeat ongoing or imminent threats, and (b) there would not be within-DoDIN activities that would likely be intended to have effects elsewhere. But on reflection, I can see how the latter might not be true. In particular, I can see how someone might argue that certain honeypot traps (especially attacks that involve tempting files placed in a DoDIN system, which, when exfiltrated and opened, will execute code on an external system and cause some particular effect) might have presented an SMCO definitional question under the status quo language.

At any rate, any such disputes will now be settled in favor of SMCO coverage—pending, that is, satisfaction of the new SMCO definitional element described below.

b. Narrowing the SMCO definition by adding certain risk and risk-threshold requirements

Second, the new NDAA will add an important new element to the SMCO definition, one that will tend to eliminate relatively unimportant, low-risk operations from the scope of the notification obligation.

In particular, an operation that otherwise would qualify as an SMCO will no longer do so unless the military has determined that the operation in question poses one of five types of risk:

(i) “a medium or high collateral effects estimate”

(ii) “a medium or high intelligence gain or loss”

(iii) “a medium or high probability of political retaliation, as determined by the political military assessment contained with the associated concept of operations”

(iv) “a medium or high probability of detection when detection is not intended”

(v) a determination that the operation will have “medium or high collateral effects”

The above are quoted from Section 1632(2) with emphasis added.

Is this a desirable change? That depends on whether the list of risks is sufficiently broad, and whether the calibration of risk probability (excluding “low”-risk scenarios) is the correct one. Let’s consider both those questions briefly.

Set aside that the first and fifth items on the list seem to be the same. Is this the “right” list of risks? I see no obvious gaps. The underlying reason to want congressional oversight is the general concern that such operations may generate unintended-but-painful consequences, just as in the covert-action oversight paradigm. And in this context, that would include situations in which the operation might cause serious repercussions with another state, harm to third parties, disruption of intelligence-collection equities or general embarrassment to the United States—that is, precisely the categories identified above.

What about the calibration of the risk threshold, setting it as the medium-or-higher level? Excluding de minimis risk makes some sense. The trickier question is whether it makes sense to exclude “low”-risk scenarios, bearing in mind that these are not mathematically precise distinctions and that there will be some play in the joints when it comes to distinguishing low from medium risk. That flexibility draws attention to the risk that this threshold will be construed too broadly in some cases. Yet there is a real cost, too, to the status quo insofar as truly low-risk activities might have been clogging the notification pipeline, consuming both military and congressional resources in ways that might even undermine the effectiveness of oversight in more important circumstances. Indeed, the very existence of this provision in the new NDAA suggests that some observers have come to the view, through the course of practice since Section 395 became law in 2017, that too much effort was being consumed in this way. All that said, I’m in no position to judge; I’m just speculating.

The bottom line? Congress continues to do little-heralded but important work fine-tuning the domestic legal architecture within which U.S. Cyber Command performs its increasingly important mission. As in similar contexts such as the covert-action framework, this involves constant balancing and rebalancing that one hopes will achieve and preserve an optimal compromise between efficiency and responsible oversight. The new NDAA appears to be a thoughtful contribution to that project.

That’s it for now. As always, I’m happy to hear from anyone by email if you feel there are aspects to this analysis that are incorrect, incomplete, etc.