Restrictions Removed from Cyber Command – Is the U.S. Ready to Hack Back?

In August 2018, the U.S. President rescinded the former administration’s Presidential Policy Directive 20 (PPD-20) – the authority that dictated how the United States engaged in cyber operations, and which was leaked by National Security Agency leaker Edward Snowden.

As revealed by one online news outlet, the directive not only dictated how the U.S. government would engage in various levels of offensive cyber operations, but revealed that agency stakeholders had input in the approval and deconfliction of such operations.  The repeal of PPD-20 subsequently eliminated the inter-agency process that allowed agency stakeholders input into offensive cyber activity.

The lifting of such restrictions frees up the military to engage in cyber operations without requiring other agency buy-in.  In this way, the Administration is empowering the military’s cyber equivalent to be able to execute decision-making authority to conduct operations as the combatant commander (in this case, the head of Cyber Command) sees fit without prior White House approval.  This is a notable and important improvement allowing the commander to execute retaliatory attacks against hostile actors in a timely fashion and against the infrastructure being used by the hostile actor.  Waiting until later risks losing the chance to strike immediately against the hostile actors before they switch command and control architecture or any other digital asset that is used by the attackers.

Some are not convinced that such a move is a positive development.

According to one blog, the former way of vetting and approving cyber operations was not fully successful or efficient.  On one hand, getting the input from various diplomatic, economic, and military stakeholders provides a holistic picture of the potential benefits and pitfalls of a cyber operation.  Just because an operation can achieve military objectives doesn’t mean it would achieve diplomatic ones.  However, the decision-by-committee approach is notoriously slow and often logjammed by contrasting inputs and desired outcomes.  In a domain in which attacks occur within seconds, slow-rolling decisions to engage in cyber attacks risks losing the ability to hit the adversary promptly.

To a certain extent, other combatant commanders echo these feelings of uncertainty, but for different reasons.  According to one military news source, these commanders do not yet fully trust the military’s cyber and space assets.  Per a general cited in the article, “Those commanders need to have the confidence that it will work, and it will be available at their fingertips.”  Considerable personnel, material, and fiscal investment has been made into a U.S. Cyber Command that reached full operational capability with its 133 teams in May 2018, and it appears that these leaders need to see an example of how this asset can be used to support their needs in their theaters.  Cyber Command will have to pull the digital trigger at some point to justify the budget and prove their capabilities.

This is why allowing the cyber commander to be able to execute offensive cyber strikes on his own judgment is crucial, particularly as a proof-of-concept, and deserves closer consideration due to the fact that these largely remain untested waters.  Previously, the president had to give final approval, which would be subject to a host of other considerations that could positively or negatively influence his decision to approve an attack.  The political chess game would begin trying to ascertain the president’s decision-making calculus and allow other foreign leaders to rely on their behavioral and cognitive profiles to judge likely reaction to cyber attacks.  With the authority squarely in the hands of the military that in early 2018 had complained about not yet having been given the executive approval for conducting operations to be “able to change the behavior” of an adversary, hostile actors are now forced to rethink if their actions are going to elicit a swift and prompt response.

Unlike in 2016 when the United States opted not to respond to Russian election meddling, the cyber commander is now empowered to execute his authorities on his own judgment.  This is very important when taking into account that per news reporting, many intelligence officials believe that Russia is already trying to undermine the 2018 mid-term elections.  What remains to be seen is what will be that enigmatic “straw that broke the camel’s back” that determines the warranting of a retaliatory cyber strike.

Once crossed, that red line will invariably change the course of how state-led or -conducted offensive operations occur.  And if anything is sure in cyber space, it won’t be as anyone had anticipated.  What happens after retaliation is anyone’s guess.  Like a boxer that delivers a counter punch, there is hope that adversary behavior will change because the blow was powerful enough to make him take notice.  But it might not. And like any fight, there is always a counter to the counter, and the blow back might just be as potent, and if you’re not careful, might slip in unseen.

About the author

Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals and blogs.