Gen. Keith Alexander, Cyber Command (Colin Kelly/Staff)
WASHINGTON — After three years of grueling internal debate, the chairman of the Joint Chiefs is poised to approve new rules empowering commanders to counter direct cyberattacks with offensive efforts of their own — without White House approval.
Once signed, the new cyber rules contained in the US military’s new standing rules of engagement (SROE) — the classified legal document that outlines when, how and with what tools America will respond to an attack — will mark a far more aggressive tack than envisioned when the process started in 2010, or even much more recently. To date, any cyber action requires the approval of the National Security Council (NSC).
A defense spokesman said that much of the focus on cyber has revolved around defensive action, and that pre-emptive offensive action would still require presidential approval.
Sources said the new rules are vital to address a rapidly developing domain that should be integrated into normal military rules, but still remains largely closed to outside observers by heavy layers of classification. Because the SROE is classified, conversations about its composition and details of deliberations are all considered very sensitive, and sources who participated declined to be named.
The new rules were supposed to have been implemented in late 2010, but were delayed as top government lawyers debated how aggressively the US should respond to cyberattacks, and what tools commanders could use, according to current and former White House, defense and intelligence officials.
Now complete, the rules are undergoing a final “internal bureaucratic process,” a defense official said.
Lawyers from the Joint Staff and US Cyber Command (CYBERCOM) gathered in Washington to try to update the Defense Department’s standing rules of engagement in late 2010, with two major policy areas remaining as subjects of debate: rules regarding deployed ships and rules about cyberwarfare.
The cyber discussion resulted in a draft cyber policy that was gerrymandered, larded with legalese, and had become almost unintelligible because of the many hands from multiple agencies involved in its writing. An interagency process had been started because cyber concerns confront a variety of agencies, the intelligence community and DoD as well as State, Homeland Security and other departments, with each expressing views on how the domain would be treated.
That effort aimed to update rules crafted in 2005 that did not address broader questions regarding cyber, but were in need of updates as cyber threats escalated. Recent reports from the security company Mandiant and from DoD indicate the Chinese cyberattacks began to increase in 2006.
With the SROE process having stalled, three lawyers attending the conference decided to start over, redrafting the language on cyber over a lunch break during the conference. Huddled around a table they created what they thought was a simple, clean approach that could gain broad support. They presented it to the other attendees, and the new version was passed up the chain of command for review by senior officers.
Not long afterward, that draft was rejected by a deputy of Gen. Keith Alexander, head of CYBERCOM and director of the National Security Agency, because it fell short of where “the SecDef wanted it to go,” said a former defense official.
The problem was that the document didn’t allow for a sufficiently assertive response, the official added. In its efforts to achieve balance, the draft didn’t accommodate the strong stance the administration, and specifically CYBERCOM, wanted to take.
So the rules were drafted again, designed to be “forward leaning,” permitting a stronger response. Once again they were rejected.
Nearly three years later the rules still haven’t been signed. Defense officials said they expect the newest version to be formalized shortly, but there is always the possibility that further policy concerns will stall the process.
While several sources pointed to the desire by some, especially Alexander, to take a more assertive stance, not everyone agrees that the delay was caused by internal dissent. A senior defense official said the process was slowed by the administration’s need to develop larger cyber policies to make sure the military rules fit the larger whole.
“As we were developing our standing rules of engagement and going through that interagency process we were recognizing that there’s a natural progression, a natural sequencing of making sure that the presidential policy was finalized and signed out, then making sure that the doctrine and other procedures are in place, and finally the next logical step is the standing rules of engagement,” the senior defense official said.
According to the former defense official with knowledge of earlier drafts, the version on the verge of completion is “way far” from previous versions, authorizing far more assertive action than had been previously considered.
Use of cyber weapons will still be the domain of US Cyber Command, with geographic combatant commanders requesting action through locally stationed cyber support elements. But the debate about the rules of engagement, what authorities they should permit and who should have them, stems from a larger issue about normalizing cyberwarfare that was complicated by the concentration of cyber authority within the NSC, a concentration that is the byproduct of an inter-agency dispute dating to the Iraq war.
What the US does as it begins to normalize cyber will have a big effect on how cyber is treated globally, said Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council.
“Without a doubt what we do gets copied,” he said. “The fact that we’re including this in rules of engagement and pushing this down to lower levels, [means that] then the military of another country will try to convince its leaders to do the same thing.”
Concentration of Power
In 2003, with the launch of the war in Iraq, cyber capabilities weren’t very advanced compared to some of the elegant tools at the military’s disposal today. But that doesn’t mean that various intelligence and defense agencies weren’t interested in using them.
When the squabbling over who would be in charge of cyber began, President George W. Bush signed a classified presidential directive in 2004 requiring that all cyber decisions be funneled through the NSC.
That prevented any single agency from laying claim. But it didn’t end the disagreements.
“It became an issue with cabinet and deputy cabinet level officials in there hacking it out,” said a former senior intelligence official, describing debates in the White House Situation Room.
In every instance where cyber was involved, the NSC had to be involved. That helped settle some of the disputes between agencies by limiting any independent application of cyber capabilities, but was useful neither for expediting any cyber action nor for integrating cyber into larger military capabilities. Several sources said that this has slowed the integration of cyber into broader military tactics, possibly giving rivals without the same hesitation, like China, a chance to become more adept at military cyber.
Some decisions by the NSC on the use of cyber were easier than others. In an individual theater of combat, such as Afghanistan, their use was more easily authorized if the effects were limited to the region. If anything resembling a cyberattack or intrusion came from the area, a response was also likely authorized.
But when it came to more complicated issues, like international intrusions, the standards got hazy.
Because every decision had to be run through the West Wing, potential political blowback limited the use of cyber tools, the former senior intelligence official said. “If they can’t be used without a discussion in the West Wing, the president’s got no place to run if something goes wrong when he uses them,” he said. Those decisions included what to do if the US confronted a cyberattack.
The rules of engagement review proceeded in 2005 with limited cyber concerns integrated into the final version. Not until 2010 did the larger debate pick up steam.
The rejection of the drafts developed at the end of 2010 by CYBERCOM officials was part of a larger push to increase the authority vested in Alexander, the former senior intelligence official said. “When we had these dialogues with the Fort Meade population, it was often the rest of the intelligence community cautioning the Fort Meade guys not to be so aggressive,” he said. NSA and CYBERCOM are at Fort Meade in Maryland.
Several sources cited these interests as slowing the process, and causing several compromises to be rejected.
Not everyone agrees that the process has been slowed by dissent or efforts to increase authority by any one group. The senior defense official who described the delays as being the result of larger policy development pointed to the difficulty in crafting a new policy in a new area of warfare.
“It was much less about a turf war than it was about us wanting to make sure that the department’s role was right in defending it, and that the level to which the authority was delegated was appropriate and something with which the secretary and the chairman and the White House was comfortable,” he said. “If this is the first time ever that we’re talking about SROEs that are outside of DoD networks, it should be expected that it’s a very complicated thing. There’s no precedent, there’s no clear understanding on some of the issues.”
A defense spokesman who was asked about Alexander’s role in eliminating earlier versions of the cyber language noted that there were multiple officials involved in the development process.
“The standing rules of engagement are a product of many minds, of which Gen. Alexander is one,” a statement from the spokesman read. “He has worked tirelessly with senior department leadership to develop appropriate SROEs that for the first time will define the legal framework for how the United States would respond if attacked by, through or with the cyber domain.”
To be sure, even when an SROE document is signed, it will not grant the authority to wage cyberwar to low level military personnel. Even the cyber capabilities that might be employed to respond to an attack will require orders from senior officials.
But the document is a move that begins to standardize cyber, folding some areas into more typical military rules and hashing out concerns about how cyber should be treated.
The use of cyber is more a question of political influence in the West Wing, a process that favors those like Alexander who have access to decision-makers. If cyber capabilities become more readily accepted, their implementation could become more democratic, based more on need than on politics.
More importantly, by authorizing immediate action against cyberattacks, the SROE will greatly cut down on the reaction time. By eliminating the often laborious process of NSC deliberations, an attack will likely be countered sooner and potentially result in less damage.
“If you have time to run it through the NSC you don’t really need a standing requirement,” a former defense official said.