The National Defense Authorization Act’s Adaptations and Their Significance in the Realm of Cyber Security
“We defend. We deter. And when called upon, we take decisive action,” Defense Secretary Leon Panetta said, speaking of the Department of Defense. “In the past, we have done so through operations on land and at sea, in the skies and in space. In this new century, the United States military must help defend the nation in cyberspace as well.”1 The expansion of cyberspace as a theater of conflict has necessitated legislation that addresses intangible threats more specifically. The National Defense Authorization Act (NDAA) is one such bill that has adapted to encompass the cyber sphere — and arguably, those adaptations have helped progress the United States toward a state of greater readiness to combat emerging threats.
The NDAA bill itself comprises a number of different provisions, uses, and jurisdictions:
The technical description: a comprehensive law authorizing the budgetary authority of the Department of Defense and its national security programs.
What it does: allocates specific amounts of funding to specific programs and the departments or agencies that oversee them.
Implications: the framing of the bill’s language dictates the processes and limitations of how certain operations can be carried out.
This bill clearly bears far more consequence than the outline of how much each agency or department is allowed to spend on certain programs. As a United States federal law, the NDAA’s language dictates not only how funds are to be allocated, but how the processes being funded are to operate. Therefore, it is crucial that the language of this bill in particular not enable (or restrict) the DoD in any way that compromises national security and accountability.
Like most bills enumerating the government’s budgetary allocations, the NDAA has undergone many revisions over the years to account for expanding programs and new fiscal years. The provisions discussing cybersecurity and operations have been among the most closely monitored and discussed.
The 2012 version of the NDAA bill included the following provision:
Title 9, Subtitle F, Section 954: MILITARY ACTIVITIES IN CYBERSPACE: Congress affirms that the Department of Defense has the capability, and upon direction by the President, may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to—(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and (2) the War Powers Resolution (50 USC. 1541 et seq.).2 (emphasis added)
Some of the key phrases to take away from this passage are “direction from the President” “offensive operations,” and “to defend.” Upon examining the provision as a whole through the lens of those key phrases, its implications take on a new severity. Most importantly, unless direct authorization is provided from the President, the provision restricts the DoD from conducting any offensive operations for the defense of the Nation or our allies.
This might seem in general like an acceptable measure (after all, how much can an extra requirement of authorization hurt). However, cyberattacks from threatening nations can occur much more quickly and are much less predictable than conventional attacks. This means that the US’s response must also be faster and less conventional—and must include aggressive affirmative defense should the opportunity arise to exploit an enemy network. Even a defensive operation requires some offensive actions to counter the enemy. In this way, cyber warfare necessitates exceptions to the conventional rules of warfare.
Political officials and policy commentators alike expressed an acute concern for the disadvantage this limitation could impose on the nation in the event of a crisis. Defending the US cyber sphere (whether by proactive or reactive actions) depends on minute-by-minute monitoring of electronic signatures and immediate exploitation of loopholes in enemy attacks. The very nature of this defense precludes the ability to wait for the President to personally give permission for every single action (especially when attacks happen thousands of times each day). Furthermore, the NDAA’s discussion of military activities in cyberspace was framed within the context of declared war, which was even more severely limiting.3 Not every actor that launches cybernetic probes and viruses at our key networks will declare conventional war on our country—many are in fact our allies!
Senator Howard “Buck” McKeon proposed that this portion of the NDAA be revised due to the problems it presented. The new language would expand the DoD’s cyberwar powers by authorizing clandestine operations, removing the requirement for presidential approval, and expanding the authority beyond declared war by authorizing cyberwar actions in response to cyberattacks against the military.4
Revisions corroborating Senator McKeon’s proposed alterations appeared in the NDAA for fiscal year 2013. Under Subtitle E, Cyberspace Related Matters, explicit authorization was given to conduct clandestine operations in cyberspace, provided that they were for the purpose of defending against attacks or supporting military operations.5 No mention was made regarding a prerequisite of presidential authorization for such responsive action. This version of the bill, when examined in light of the criticisms levied against its predecessor, seems to show a significant step towards adequately equipping America’s defenses.
However, in 2014, the following year, the “cyber sections” of the NDAA were again rewritten, this time reflecting more than just changes to wording and authorization. The 2014 revision describes the re-ordering and expansion of cyber allocations, as well as calling for the naming of a Principal Cyber Advisor. This Advisor would be chosen by the Secretary of Defense, and be given oversight of both offensive operations in cyberspace and the defense of DoD networks.6 Further, several subsections are devoted to ensuring that agents operate at maximum efficiency and accountability by providing adequate training and organizational structure, and requiring consistent reports to superiors.
The sheer size of the “Cyberspace-Related Matters” subtitle in the 2014 revision exemplifies the law’s increased importance. As the cybersphere continues to grow more popular and more advanced as a tool and a weapon, it is necessary that our budgetary and organizational procedures rise to the challenge of keeping our nation’s networks secure. Dave Wajsgras, who heads Raytheon Co’s Intelligence, Information and Services business, commented to Reuters: “There is a tsunami of threats that exist in the cyber domain today. It’s something that we all collectively need to take much more seriously.”7
The most recently implemented revision of the NDAA actually bears Senator McKeon’s namesake, although the initial issues he wanted revised back in 2012 appear rudimentary, given that policy has progressed so far in just a few years. Some of the 2015 bill’s main goals consist of budgeting and accounting for cyber mission forces and the issuance of certain procedures in the event of cyber incidents.8
Although the NDAA is one of many pieces of legislation that addresses US cyber policies, it is one of the most helpful to reference when analyzing trends and allocations. The progress of the NDAA reflects a growing recognition of the complexity of cyber warfare, as well as consistent efforts to ensure our capabilities adapt to our needs. When it becomes difficult to crystalize the overall response of the government to a given issue, such as cybersecurity, it is useful to examine legislation that most closely discusses the limitations and priorities of the government in that area. While the US certainly has far to go before it can say that its cyber capabilities are “good enough,” its core policies are moving in the right direction. ■
- Garamone, Jim. “Panetta Spells Out Dod Roles in Cyberdefense.” Department of Defense. October 11, 2012 http://archive.defense.gov/news/newsarticle.aspx?id=118187.
- US Government Print Office. “National Defense Authorization Act for Fiscal Year 2012.” December 31, 2011. http://www.gpo.gov/fdsys/pkg/PLAW-112publ81/pdf/PLAW-112publ81.pdf.
- Shaw, Donny. “New NDAA Would Give the Military Clandestine Cyberwar Powers,” Open Congress, Accessed September 2015 https://www.opencongress.org/articles/view/2492-New-NDAA-Would-Give-the-Military-Clandestine-Cyberwar-.
- US Government Print Office. “National Defense Authorization Act for Fiscal Year 2013.” December 31, 2012. http://www.gpo.gov/fdsys/pkg/BILLS-112hr4310enr/pdf/BILLS-112hr4310enr.pdf.
- US Government Print Office. “National Defense Authorization Act for Fiscal Year 2014.” December, 2013. http://www.gpo.gov/fdsys/pkg/CPRT-113HPRT86280/pdf/CPRT-113HPRT86280.pdf.
- Shalal, Andrea. “The Us Defense Industry Is Reeling After the Latest Massive Cyber Attack.” Reuters, via Business Insider. June 18, 2015. Accessed. http://www.businessinsider.com/r-us-cyber-hack-unsettles-frustrates-us-defense-industry-2015-6#ixzz3lCwGaWFR.
- US Government Print Office. “National Defense Authorization Act for Fiscal Year 2015.” December 31, 2014. http://www.gpo.gov/fdsys/pkg/CPRT-113HPRT92738/pdf/CPRT-113HPRT92738.pdf.