Wording in cyberwar bill begs question: Who's in charge?

House committee approves bill that appears to give the Defense Department power to conduct military activities in cyberspace, including clandestine operations, without running it by the president.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

The House Armed Services Committee yesterday approved an amended version of the National Defense Authorization Act that removes language requiring presidential authorization for military offensive operations in cyberspace to defend the country.

Congressional sources working with House Armed Services Committee Chairman Howard "Buck" McKeon said the move did not grant the secretary of defense any additional powers and dismissed fears as unwarranted.

"We don't interpret this to mean that Congress is giving the Department of Defense new authorities," said a committee source. "It would all be within the context of the Authorization to Use Military Force (50 U.S.C. 1541) which typically requires the request of the President."

Still, the loose wording has raised concerns that the law might be misinterpreted as the United States Cyber Command prepares for the day when it has to wage virtual combat across the world's computer networks.

It is unclear why the language pertaining to presidential permission was not included in the new version approved by the House committee this year or last year, though the wording was in the final version signed into law last year. Sources said it is possible that the wording could end up being modified in this year's version as it winds its way through the Senate.

Some of the concern doubtless stems from the fact that this subject remains uncharted territory -- both for the military and its civilian bosses. Another question for some is how the chain of command will work out in practice.

As the latest committee draft now stands, however, Gordon Adams, a professor at American University, said he is concerned about what might happen in the meantime and what it might suggest about presidential oversight of the military.

"What this legislation appears to do is extend the arm of the secretary of defense so that the White House need not necessarily be involved and offensive cyber operations can be conducted in various places and may be stretchable at the margins," said Adams, a foreign policy expert who also worked in the Clinton White House.

Let's look at the language in question in the bill, which overall authorizes $554 billion for national defense.

The law, which comes up for approval every year, was written this way last year (PDF):

SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE. Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to-- (1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and (2) the War Powers Resolution (50 U.S.C. 1541 et seq.).

The language as approved by a 56-5 vote in the House Armed Services Committee reads (PDF):

SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE. (a) AFFIRMATION.--Congress affirms that the Secretary of Defense is authorized to conduct military activities in cyberspace. (b) AUTHORITY DESCRIBED.--The authority referred to in subsection (a) includes the authority to carry out a clandestine operation in cyberspace-- (1) in support of a military operation pursuant to the Authorization for Use of Military Force (50 U.S.C. 1541 note; Public Law 107-40) against a target located outside of the United States; or (2) to defend against a cyber attack against an asset of the Department of Defense. (c) RULE OF CONSTRUCTION.--Nothing in this section shall be construed to limit the authority of the Secretary of Defense to conduct military activities in cyberspace.

Mike Masnick at TechDirt blogged about the language change before the vote earlier this week and questioned the intent of the committee. "While we may not have much faith that the President wouldn't let the DoD do such things, giving such blanket approval upfront, rather than requiring specific direction is a pretty big change," he wrote.

Pentagon and covert actions
Robert Chesney, an international relations expert and law professor at the University of Texas, said he believes that the language was designed to ensure that when the military does stealth operations in cyberspace that they are categorized as covert actions subject to the various burdens required by the government.

"I do not think it is correct to think of this legislation as granting some form of free-standing, novel authority to conduct any operations. The aim, rather, appears to be to clarify that one of the things the military has the right to do when engaged either in a congressionally authorized conflict or in self-defense is to conduct clandestine computer network operations," he said in an e-mail. "The underlying concern was that such computer network operations might have been argued to be 'covert action' more properly conducted by the CIA. There has been a lot of fighting internally in recent years about these boundary lines, according to certain media accounts, and the NDAA provision is probably best understood as an attempt to bolster the Pentagon's position on that vis-a-vis the CIA position."

Notes from the chairman's statement on the full markup of the measure provide a bit more insight.

This section would affirm that the Secretary of Defense has the authority to conduct military activities in cyberspace. The committee recognizes that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in cyberspace.

In particular, this section would clarify that the Secretary of Defense has the authority to conduct clandestine cyberspace activities in support of military operations pursuant to a congressionally authorized use of force outside of the United States, or to defend against a cyber attack on an asset of the Department of Defense.

The committee notes that Al Qaeda, the Taliban, and associated forces are increasingly using the internet to exercise command and control as well as to spread technical information enabling attacks on U.S. and coalition forces in areas of ongoing hostilities. Terrorists often rely on the global reach of the internet to communicate and plan from distributed sanctuaries throughout the world. As a result, military activities may not be confined to a physical battlefield, and the use of military cyber activities has become a critical part of the effort to protect U.S. and coalition forces and combat terrorism globally. In certain instances, the most effective way to neutralize threats is to undertake military cyber activities in a clandestine manner. While this section is not meant to identify all or in any way limit other possible military activities in cyberspace, the Secretary of Defense's authority includes the authority to conduct clandestine military activities in cyberspace in support of military operations pursuant to an armed conflict for which Congress has authorized the use of all necessary and appropriate force or to defend against a cyber attack on a Department of Defense asset.

Because of the sensitivities associated with such military activities and the need for more rigorous oversight, this section would require quarterly briefings to the congressional defense committees on covered military activities in cyberspace.

"We envision Congress exercising stringent oversight over these activities," the unidentified committee staffer said.

To strike or not to strike?
Still, Adams said the amended bill doesn't really spell out the circumstances that would merit a military cyberstrike. For instance, what exactly is a Department of Defense "asset," and could a strike be carried out anywhere any U.S. military personnel are located? "It strikes me as a broad effort to expand the autonomous authorities of the Defense Department both to attribute attacks or respond and attack in kind, or use a cyber offensive capability anywhere American forces are deployed going forward," he said.

The U.S. Cyber Command was created to organize the nation's response to foreign computer threats. CBS News
The measure doesn't make any substantive changes to a controversial section that critics say violates constitutional rights of citizens by allowing for unlimited military detention of people believed to have ties with terrorist organizations. "There is a rather broad rush here to step to the edge of what we've accepted as legal behavior in the past," Adams said. "We're on a slippery slope and this is another step down the slippery slope."

Jeff Moss, founder of the popular DefCon hacker conference and a member of the Homeland Security Advisory Council, said he suspected that anything related to war or cyberwar would require the president to sign off. But he wondered why Congress was affirming the rights of the Defense Department to do cyberactions at this time.

"I'm wondering if these are issues coming up with Cyber Command," which was recently established to operate the Defense Department's computer networks, Moss said. "Cyber Command may be coming up against roadblocks or trying to figure out what they can do."

The language in the amended version of the National Defense Authorization Act also would seem to bolster the position of the Department of Defense, and by association the National Security Agency, to oversee cybersecurity for the nation as opposed to the Department of Homeland Security, Adams said. "This gives DOD a leg up in its authority in what has become a rather nasty turf war," he said.

The Cyber Command was created in 2009 to organize the U.S. military's response to cyberattacks, espionage from other countries, and threats to critical infrastructure. Located in Fort Meade, Md., it is led by Gen. Keith Alexander.

We reached out to the Defense Department for comment and will update the post when they get back to us.