[Infowarrior] - Congress to DOD: You Must Start Briefing Us on (Some) Cyberwar Now
Richard Forno
rforno at infowarrior.org
Wed May 11 06:38:30 CDT 2011
(c/o JH)
Congress to DOD: You Must Start Briefing Us on (Some) Cyberwar Now
By: emptywheel Tuesday May 10, 2011 5:21 am
http://emptywheel.firedoglake.com/2011/05/10/congress-to-dod-you-must-start-briefing-us-on-cyberwar-now/
Robert Chesney notes that the HASC Mark on the Defense Authorization
bill includes a section on cyberwar. Here’s the entire section:
This section would affirm that the Secretary of Defense has the
authority to conduct military activities in cyberspace. The committee
recognizes that because of the evolving nature of cyber warfare, there
is a lack of historical precedent for what constitutes traditional
military activities in cyberspace.
In particular, this section would clarify that the Secretary of
Defense has the authority to conduct clandestine cyberspace activities
in support of military operations pursuant to the Authorization for
the Use of Military Force (Public Law 107-40; 50 U.S.C. 1541 note)
outside of the United States or to defend against a cyber attack on an
asset of the Department of Defense.
The committee notes that al Qaeda, the Taliban, and associated forces
are increasingly using the internet to exercise command and control as
well as to spread technical information enabling attacks on U.S. and
coalition forces in areas of ongoing hostilities.
While these terrorist actions often lead to increased danger for U.S.
and coalition forces in areas of ongoing hostilities, terrorists often
rely on the global reach of the internet to communicate and plan from
distributed sanctuaries throughout the world. As a result, military
activities may not be confined to a physical battlefield, and the use
of military cyber activities has become a critical part of the effort
to protect U.S. and coalition forces and combat terrorism globally.
In certain instances, the most effective way to neutralize threats and
protect U.S. and coalition forces is to undertake military cyber
activities in a clandestine manner. While this section is not meant to
identify all or in any way limit other possible military activities in
cyberspace, the Secretary of Defense’s authority includes the
authority to conduct clandestine military activities in cyberspace in
support of military operations pursuant to an armed conflict for which
Congress has authorized the use of all necessary and appropriate force
or to defend against a cyber attack on a Department of Defense asset.
Because of the sensitivities associated with such military activities
and the need for more rigorous oversight, this section would require
quarterly briefings to the congressional defense committees on covered
military activities in cyberspace.
While Chesney focuses on the use of “clandestine” in this passage
(which I’ll return to), I think one of the key phrases is simply the
requirement that DOD brief the Armed Services Committees quarterly on
what it’s doing in cyberspace. As the AP reported in January, the SASC
complained during the confirmation hearings of Michael Vickers that
they weren’t getting briefed on clandestine cyberwar activities.
Vickers claimed in response that the law only required that DOD brief
Congress on human clandestine activities.
The Senate Armed Services Committee voiced concerns that cyber
activities were not included in the quarterly report on clandestine
activities. But Vickers, in his answer, suggested that such emerging
high-tech operations are not specifically listed in the law — a
further indication that cyber oversight is still a murky work in
progress for the Obama administration.
Vickers told the committee that the requirement specifically calls for
clandestine human intelligence activity. But if confirmed, he said, he
would review the reporting requirements and support expanding the
information included in the report.
So this section appears to close Vickers’ loophole, now requiring that
DOD brief Congress on its activities in its quarterly clandestine
activities reports.
In addition to legally demanding briefings, the section appears to
affirmatively approve–as clandestine activities–cyberattacks against
an AUMF-authorized target (so, al Qaeda and people like Anwar
al-Awlaki we claim to be included in AUMF), and cyberdefense against
an attack on an asset of DOD.
By the way, anyone want to speculate whether a Specialist allegedly
downloading several databases onto a Lady Gaga CD constitutes a
cyberattack on a DOD asset? Because if this permission includes
WikiLeaks, then this section might retroactively authorize
attacks–say, DNS attacks on US-based servers–on WikiLeaks (note that
DOD can attack outside the US, but such geographical limits are not
placed on defensive actions).
In any case, as Chesney emphasizes, this section specifically
authorizes attacks on AUMF-authorized targets and defense against
attacks on DOD targets. Chesney notes that by calling these activities
“clandestine,” it makes them a Traditional Military Activity.
That is to say, the language in § 962 refers to DOD authority to
engage in cyber operations which are meant to go undiscovered but not
meant to be denied. That alone would presumably keep them from being
categorized as a “covert action” subject to presidential finding and
SSCI/HPSCI notification requirements. Yet one can imagine that this
does not quite suffice to solve the boundary dispute, insofar as it
might not be clear on the front end that one would be willing to
acknowledge sponsorship of an operation publicly if it becomes
known…and indeed it might well be that the activity is very much meant
to be both concealed and denied, making it hard at first blush to show
that the activity is not a Title 50 covert action after all. But in
at least some instances there is a separate reason it should not be
deemed a covert action: i.e., when the action is best understood as a
high-tech equivalent to a traditional military activity (the “TMA”
category being an explicit exception to the T50 covert action
definition). And that appears to be the case with the two categories
explicitly described above, or at least arguably so.
The explanatory statement accompanying § 962 supports this reading.
It opens by stating that
[t]he committee recognizes that because of the evolving nature of
cyber warfare, there is a lack of historical precedent for what
constitutes traditional military activities in cyberspace.
So, to summarize, this section appears to affirmatively authorize two
types of activities, defining them as clandestine operations, and
mandating that Congress get quarterly briefings on them.
But note this clause: “this section is not meant to identify all or in
any way limit other possible military activities in cyberspace.”
So, it appears, there may be these two types of explicitly authorized
clandestine operations, and then the stuff John Rizzo warned about.
I did want to mention–cause I find this interesting–cyberwarfare, on
the issue of cyberwarfare. Again, increasing discussion there clearly
is an active arena, will continue to be active. For us lawyers,
certainly for the lawyers in the intelligence community, I’ve always
found fascinating and personally I think it’s a key to understanding
many of the legal and political complexities of so-called cyberlaw and
cyberwarfare is the division between Title 10, Title 10 operations and
Title 50 operations. Title 10 operations of course being undertaken by
the Pentagon pursuant to its war-making authority, Title 50 operations
being covert action operations conducted by CIA.
Why is that important and fascinating? Because, as many of you know
being practitioners, how these cyber-operations are described will
dictate how they are reviewed and approved in the executive branch,
and how they will be reported to Congress, and how Congress will
oversee these activities. When I say, “these activities,” I’m talking
about offensive operations–computer network attacks.
This issue, this discussion, has been going on inside the executive
branch for many years, actually. I mean I remember serious discussions
during the Clinton Administration. So, again, this is not a post-9/11
phenomenon. Now, I’m speaking here from a CIA perspective, but I’ve
always been envious of my colleagues at the Department of Defense
because under the rubric of Title 10, this rubric of “preparing the
battlefield.” They have always been able to operate with a–to my mind
[?] a much greater degree of discretion and autonomy than we lawyers
at CIA have been, have had to operate under, because of the various
restrictions and requirements of Title 50 operations. Covert actions
require Presidential Findings, fairly explicit reports to the
Intelligence Oversight Committees. We have a very, our Intelligence
Committees are … rigorous, rigorous and thorough in their review. I’ve
never gotten the impression that the Pentagon, the military, DOD is
subject to the same degree of scrutiny for their information warfare
operations as CIA. I’m actually very envious of the flexibility
they’ve had, but it’s critical–I mean I guess I could say interesting
but critical how–I mean if there were operations that CIA was doing,
they would be called covert actions, there’s no getting around that.
To the extent I’ve ever understood what DOD does in this arena, they
certainly sound like covert actions to me but given that I’ve had more
than my hands full over the years trying to keep track of what CIA’s
doing at any given time, I’ve never ventured deeply into that area.
But I think it’s fascinating. [my emphasis]
Now, maybe this section just politely puts the kibosh on all of this
Title 50 masquerading as Title 10 stuff, stuff done under the auspices
of DOD to avoid the oversight requirements that Title 10 intelligence
operations would require. Maybe this section limits DOD’s activities
to its two authorized clandestine activities.
But I doubt it. With the language about not limiting DOD to these two
functions, you can pretty much assume there’s some Special Access
Programs (like the kind the Air Force refuses to talk to Congress
about) not safe to be mentioned in public documents like laws.
Look on the bright side, though: Congress is at least requiring that
DOD brief Congress on some of the secret stuff they’re doing in
cyberspace.
Update: Specialist corrected per Ralph.