A Notification Requirement for Using Cyber Weapons or for Unauthorized Disclosure of a Cyber Weapon

The chairman and ranking minority member (RMM) of the House Armed Services Committee and the chairman and RMM of the its emerging threats and capabilities subcommittee are proposing legislation that would require the Defense Department to notify congressional defense committees within 48 hours of the conduct of “any sensitive military cyber operation.”

In turn, this term is defined to mean an action that is “intended to cause effects outside a geographic location where United States armed forces are involved in hostilities,” and includes offensive cyber operation and defensive cyber operations outside the DOD information networks to defeat an ongoing or imminent threat. Such a term explicitly does not refer to cyber operations conducted under the covert action rubric.

My take—it’s about time, so hurray for the leadership of the HASC on this matter. In 2009, a report of the National Research Council (Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities) made the following recommendation:

(Recommendation 5.) The U.S. government should provide a periodic accounting of cyberattacks undertaken by the U.S. armed forces, federal law enforcement agencies, intelligence agencies, and any other agencies with authorities to conduct such attacks in sufficient detail to provide decision makers with a more comprehensive understanding of these activities. Such an accounting should be made available both to senior decision makers in the executive branch and to the appropriate congressional leaders and committees.

The proposed legislation is silent on the content of the notification, but the 2009 NRC report said that

For understanding policy and for exercising oversight, such an accounting would describe the purposes served by any given cyberattack, the intended target(s), the outcome, the difficulties encountered in conducting the attack, the rules of engagement relevant to that cyberattack, and both the anticipated and the actual value of the attack in serving U.S. national interests.

So, the proposed legislation is a very promising start on this recommendation (made 8 years ago!). But, of course, it does not address notification requirements for agencies other than the Department of Defense (how could it—the bill to which it will be attached is the defense authorization bill). And in particular, it does not cover the intelligence community.

One ambiguity in the proposed legislation is what counts as an offensive cyber operation—and in particular, whether or not offensive cyber operations include cyber exploitations. I suspect not, based on a reading of PPD-20, a document that is still classified but which was leaked as part of the Snowden trove. That document distinguishes between cyber effects and cyber collection—cyber effect refers to “The manipulation, disruption, denial, degradation, or destruction of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.” (This definition is unclassified in the original.) The definition of cyber collection in PPD-20 is classified Confidential, but refers to what one would expect “collection” to mean and is thus the same as cyber exploitation.

A second ambiguity in the proposed legislation is potentially troublesome. The legislation also calls for notification of congressional defense committees immediately “in the event of an unauthorized disclosure of a cyber capability covered by this section.”

The spirit and intent of this requirement is spot-on. In fact, I’d advocate a stronger version—any such disclosure worth notification of a congressional defense committee should also be reported to the vendor so that the underlying vulnerability or vulnerabilities can be fixed.

But what counts as an “unauthorized disclosure”? How does one know that an “unauthorized disclosure” has occurred? There are two dimensions of ambiguity: when and what?

• On the “when,” we have all had experiences in which we have thought we lost something but it turned out we had not. (I go through this with my watch in the morning in my living quarters at least twice a week.) That is, it takes some time to determine that something is truly missing or has been disclosed. The moment of “unauthorized disclosure” would necessarily include the time at which information about the capability appears on Wikileaks or Github. But by that time, it’s really too late. So the moment of “unauthorized disclosure” has to be sometime between suspicion and worry that something has been disclosed and the time it appears publicly. To implement this requirement, a clear threshold needs to be established, such as “the moment of first access to the capability in question by an unauthorized party.” Whether is this is the right threshold can be argued, but I offer it as a starting point for discussion.
• On the “what,” it is unclear what counts as a disclosure of a capability. For example, does disclosure have to refer to actual code? What about a highly detailed textual description of the capability? A general description of the capability? The code word associated with the capability? (I’d say yes, probably yes, maybe, and no.) Again, clarity is needed for implementation.

All in all, a worthy piece of legislation that will take some important steps forward in facilitating effective oversight of U.S. cyber capabilities, both offensive and defensive. Two next steps: expand the notification requirement to the intelligence community responsible for covert action and to the law enforcement community.