A soldier from the Army’s offensive cyber brigade during an exercise at Fort Lewis, Washington.

AFA: The Trump administration has ended Obama-era micromanagement of military cyber operations, but the result won’t be a free-for-all, a one-star general said today. The White House has replaced the Obama-era process, not simply revoked it, and the Joint Staff is now working out the details of delegating select, prescribed authorities to Cyber Command, said Brig. Gen. Alexus Grynkewich, deputy director for global operations on the Joint Staff.

“It’s subject to certain policy constraints. It’s not a blanket, ‘hey, go out and do whatever you want,’” Brig. Gen. Grynkewich told me after his remarks to the Air Force Association conference here. “I can’t get into the specifics of what the authorities are, but broadly speaking, some things are always going to stay at the presidential level and some things are going to be delegated. And it really comes down to a policy decision and a risk discussion among the highest levels of our government about what is appropriate for DoD (the Department of Defense) to be doing in a particular mission area.”

Does the new order apply only to offensive cyber operations (aka hacking), I asked, or does it apply to cyber across the board? “It applies across the entire spectrum,” the general told me. That said, he continued, “defensive authorities are fairly robust (already). Defending our own networks, we do that well now…. Other things get more difficult.”

By process of elimination, of course, if defensive authorities were basically okay, the changes must focus on the offensive side – which has raised concerns among a range of commentators. It’s this unnerved audience that Grynkewich’s comments today were meant to reassure.

“It Makes All The Difference”

“For years now, much of the authority has been held at the presidential level,” under Obama’s Presidential Decision Directive PDD-20, Grynkewich had explained to the conference audience. “There was recently a rewrite of that policy, (and) NSPM-13 is the new coin of the realm.” (That’s short for National Security Presidential Memorandum – each administration feels compelled to change what these orders are called.)

“Basically,” Grynkewich said, “it provides a way, within certain policy constraints, for the president to delegate to the secretary of defense certain cyberspace authorities to do cyber effects operations for a particular mission.”

The old PDD-20 required an “interagency process that went through the National Security Council and all the way up from a policy coordination committee to a deputies’ committee to a principals’ committee,” Grynkewich said. “In effect, anyone could stop the process at any point.”

Under NSPM-13, Grynkewich continued, “you still have to do interagency coordination, but it’s not through a National Security Council process. Instead it’s through a Department of Defense process. It seems like a minor distinction, but it makes all the difference in the world in terms of the speed we need to move.”

Speed is particularly vital to the kind of multi-domain operations envisioned by today’s panel at AFA, in which the military overwhelms a given target with (for example) a rapid-fire combination of computer hacking, airstrikes, and ground assault. I’ve heard an Army officer describe how the US was recently able to do this against the Islamic State – but on a relatively small scale, after weeks of laborious coordination. The new process could speed that up.

But fast doesn’t mean out of control. Both with the AFA audience and one-on-one with me afterwards, Grynkewich took pains to emphasize that civilian oversight remains intact and the Pentagon’s role will be rigorously defined.

“It’s based on a policy decision that DoD will have a certain role in cyberspace in a particular mission area,” he told me (emphasis mine). “Then some level of authorities will be delegated with that — and that level can also change depending on what the mission is.”

So, I asked, we’re not going to see sergeants pressing the button to hack someone 100 yards away?

“It’ll be a while before authorities start getting delegated that far down,” Grynkewich said dryly. “I think we’ll start (by ensuring) that the secretary of defense can exercise the authorities appropriately and delegate them to the combatant commanders. Then, just like anything else, it’s the combatant commanders having a discussion with the secretary.”