Remember the NDAA? Yeah, for a variety of reasons that bill got a lot of attention last year - mostly focused on the question of detainment of terrorists. But there are some other nuggets in the bill, including one tidbit about “military activities in cyberspace.” The existing version of the NDAA does grant the Defense Department the ability to conduct such military activities, but only “upon direction by the President” and if the purpose is to “defend our Nation, Allies and interests,” subject to existing laws.
The House Armed Services Committee is getting ready to do a markup on the NDAA that includes a change to that section (section 954), which expands the powers of the Defense Department, and basically gives it broad powers to conduct any military actions online - with it specifically calling out clandestine operations online. Here’s the text they want to substitute:
SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.
‘‘(a) AFFIRMATION.—Congress affirms that the Secretary of Defense is authorized to conduct military activities in cyberspace.
‘‘(b) AUTHORITY DESCRIBED.—The authority referred to in subsection (a) includes the authority to carry out a clandestine operation in cyberspace—
‘‘(1) in support of a military operation pursuant to the Authorization for Use of Military Force (50 U.S.C. 1541 note; Public Law 107-40) against a target located outside of the United States; or
‘‘(c) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to limit the authority of the Secretary of Defense to conduct military activities in cyberspace.’”
‘‘(2) to defend against a cyber attack against an asset of the Department of Defense.
Note a bunch of slightly sneaky things going on here. First, it gives blanket powers to the DoD, rather than saying it can only take actions on the President’s direction. While we may not have much faith that the President wouldn’t let the DoD do such things, giving such blanket approval upfront, rather than requiring specific direction is a pretty big change.
Second, and perhaps more important, the new language specifically grants the DOD (and the NSA, which is a part of DOD) the power to conduct “clandestine operations.” This is (on purpose) left basically undefined. Combine this with the fact that the “Authorization of Use of Military Force” is so broadly defined in the current government, this then grants the DOD/NSA extremely broad powers to conduct “clandestine” operations with little oversight. Related to this is that it removes the restriction that the DOD must take actions that are “subject to the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflicts.” Instead it lets them use such powers, without these restrictions, against anyone declared an enemy under the AUMF (lots and lots of people) or in any effort to stop a cyberattack against the DOD - which again you can bet would be defined broadly. This is a pretty big expansion of online “war” powers for the Defense Department, with what appears to be less oversight. And all done while people are looking the other way.