The NDAA FY'18's Cyber Provisions: What Emerged from Conference?

The next National Defense Authorization Act (the NDAA FY’18) is nearing the finish line. A Conference Report is now available, and so the time has come for a closer look at some of the key provisions of interest to Lawfare readers. My colleague Scott Anderson is going to post a broad overview shortly. For my part, I’d like to walk you through the “Cyberspace-Related Matters” section (sections 1631-1649C).

Actually, let me start with something that is NOT there: a provision from an earlier draft that would have required the United States (at least as a default matter) to give notice to (and seek help from) other governments when malicious activity routed through their territory (though the provision did include express reference to unilateral action where the other government is unwilling or unable to act). That somewhat surprising provision drew asharp objection from Secretary Mattis. Message received, Mr. Secretary; that provision is now out.

Now, which provisions did make it out of the conference process? Here is a (very casual) run-down, with comments on some but not all:

Section 1631: Notification Requirements for Sensitive Military Cyber Operations and Cyber Weapons

The first major part of this section will add to the growing SASC/HASC oversight legal architecture, adapting the “sensitive military operations” system applicable to kill/capture operations outside areas of active hostilities and applying it to certain cyber operations. As I’ve noted previously, it helps to think of these SASC/HASC notification systems as analogous to the notification requirements (running to SSCI and HSPCI) relating to covert action.

So, what would section 1631 require? SecDef will have 48 hours to give written notice to SASC and HASC of a qualifying “sensitive military cyber operation.” But what counts?

An SMCO is a cyber operation that meets these conditions:

1. Carried out entirely by the armed forces

2. With the intent to have a “cyber effect outside a geographic location” where US armed forces are “involved in hostilities” or where “hostilities have been declared by the United States”

3. Offensive in nature, or else a defensive measure conducted outside DOD networks in order to “defeat an ongoing or imminent threat”

4. Not a training exercise conducted with consent of impacted nations

5. Not covert action.

Note that this would pick up some but not all CYBERCOM operations constituting “traditional military activities” (TMA being an important exception to the covert action definition, and thus a category allowing for unacknowledged operations without reporting to SSCI & HPSCI). I say that because you could have a TMA-qualifying computer network operation that does not meet the offense/defense requirement noted above.

Also note that there is a clause at the end of this section confirming that it is not intended to be read as conferring any new authority to act, nor as altering War Powers Resolution obligations (of course, under prevailing executive branch understandings of the WPR’s triggers, a computer network operation would not likely set off those triggers anyway!).

And what about the second major part of 1631? It would create an obligation for DOD to give SASC and HASC written notice, quarterly, of DOD reviews of the compatibility of cyber weapons with international law, as well as specific notice of the use of such reviewed cyber weapons within 48 hours of that use. Looks to me like SASC and HASC are concerned about the international law analyses arising during these weapons reviews. Perhaps something to do with third-country effects?

Section 1632 – Modification to Quarterly Cyber Operations Briefings

What about DOD computer network operations that don’t qualify as SMCOs? Well, there is still the quarterly briefing process under 10 USC 484, which under this new section 1632 would become more granular in terms of describing (on a command-by-command basis) cyberspace operational activity that the commands conducted and that were directed at the command, along with an “overview of authorities and legal issues” associated with those operations. Seems an excellent idea for smoking out legal obstacles (including the possibility of confusion over the applicable law, which I suspect is part of what motivated that language).

Section 1633 – Policy of the United States on Cyberspace, Cybersecurity, and Cyber Warfare

It’s sometimes tempting to ignore Congressional statements of preferred national policy, but not where (as here) the statute in question holds up substantial funding pending the White House coughing up a requested report detailing progress on establishing the sought-after policy. Here, Congress is holding at risk 40% of the funds for the Defense Information Systems Agency if the White House does not submit the requested report. The report itself must address a variety of (sensible) topics, which I won’t recap here other than to say that the entire exercise bespeaks Congressional frustration with a perceived failure of both the last administration and this one to act aggressively and visibly to establish a strong deterrence posture relating to cyber activities.

Section 1634 – Prohibition on Use of Products and Services Developed or Provided by Kaspersky Lab

First, this one bars all federal agencies – not just DOD ones – from using “any hardware, software, or services” from Kasperksy, with a deadline of October 1 next year. No great surprise there.

Second, and more interestingly, this section requires a DOD report that would explore in some detail DOD’s capacity to spot and address risks of the kind that Kaspersky has come to symbolize. Happily, they specify that there must be an unclassified version of that report (though there can be a classified annex).

Skipping 1635 (house-cleaning provision)

Skipping 1636 (addresses the acquisition workforce)

Section 1637 – Integration of Strategic Information Operations and Cyber-Enabled Information Operations

This one requires a plan (and appointment of a senior official to be responsible for said plan) to integrate the activities mentioned in the title, both in terms of how the United States might conduct such operations and (for obvious reasons) how we respond to counter and deter Russia “malign actors” from doing such things to us. Again, you can just feel Congressional frustration with the Executive Branch here.

Section 1638 (encourages DOD to work with states to run exercises that would include National Guard assistance to defend state-administered election systems)

Section 1639 (further efforts to secure DOD’s industrial control systems from cyber attack)

Section 1640 – Strategic Cybersecurity Program

This one requires DOD to assign personnel to work on improving the security of a variety of DOD (or DOE) systems, including the systems for “offensive cyber” activities, “long range strike systems,” “nuclear deterrent systems,” “national security systems,” and DOD critical infrastructure.

Section 1641 (pushing DOD to coordinate with Asian allies on cybersecurity matters)

Section 1642 (pushing DOD to emphasize agile/iterative acquisition practices relating to cybersecurity)

Section 1643 – Assessment of Defense Critical Infrastructure

The interesting item here, I think, is the request that DOD explore “isolating military infrastructure from the national electric grid and the use of microgrids.”

Section 1644 – Cyber Posture Review

This one is very much in the spirit of pushing the executive branch to think and plan much more thoroughly about deterrence concepts relating to cyberspace (reflecting the well-known concerns of members such as Senator McCain). It contains a really useful roadmap of subtopics that need to be addressed; students, take note!

Also note: the DOD Public Affairs operations cannot obligate or expend more than 85% of their funds if the required report is not delivered on time.

Section 1645 (report on adequacy of the Army Combat Training Centers)

Section 1646 (briefing on “cyber application of blockchain technology)

Section 1647 (more study of and planning to improve adequacy of cyber training)

Section 1648 – Report on Termination of Dual-Hat Arrangement for Commander of the United States Cyber Command

Ah, back to the stuff I follow more often. This is about the ongoing saga of the dual-hat structure in which Director NSA also is Commander CYBERCOM. Following past practice, Congress once again is asking for a progress report on the break-up plan, with an emphasis on the potential costs involved. Think of it as the periodic reminder that the break-up still has not actually happened, and that Congress is worried about the cost implications.

Section 1649 (tweaking the system of funding and centers of excellence (including scholarships) relating to cybersecurity studies, along with authorization calling for $10m funding level for FY18)

Section 1649A (cybersecurity training at community colleges)

Section 1649B (further cybersecurity education scholarship adjustments)

Section 1649C (adjustments to definition of cybersecurity teachers)