Written by Suzanne Smalley
The Defense Department has largely won out in a long-running bureaucratic battle with the State Department over retaining its expansive powers to launch cyber operations without significant input from other government agencies, according to two sources familiar with the matter.
While the exact details of which authorities to carry out operations in cyberspace the Pentagon will retain are classified, sources familiar with the matter say that the DOD has succeeded in holding on to key parts of the expansive authorities granted to it by the Trump administration in 2018 to carry out online operations with less oversight.
President Biden is set to sign off on these authorities in a newly revised version of National Security Policy Memorandum-13, according to a government official with direct knowledge of the discussions.
First instituted in 2018, NSPM-13 allowed the delegation of “well-defined authorities to the secretary of defense to conduct time-sensitive military operations in cyberspace,” according to a 2020 speech given by Paul Ney, then the general counsel for the DOD. Designed by President Trump’s National Security Council and promoted by then National Security Adviser John Bolton, NSPM-13 was intended to streamline the approval process for cyber operations that Bolton describes in his memoir as “frozen solid” when he arrived in office.
These authorities were used perhaps most famously in 2018 to disrupt internet access at a Russian troll farm infamous for its role in spreading disinformation around the 2016 election and have more recently played a role in countering Russian cyber operations in Ukraine.
The State Department and other executive branch agencies have long bristled at what they see as the outsize power and authority NSPM-13 grants DOD. NSPM-13, in their view, elevates military prerogatives in cyberspace over those of civilian agencies and fails to adequately consider the impact of military cyber operations on human rights, diplomacyand private-sector infrastructure.
Running offensive cyber operations often requires the use of such private-sector infrastructure in foreign countries, and NSPM-13 largely prevents the State Department from informing these foreign countries — and slowing down operations.
“In the past, the U.S. has had trouble in joint operations because State has taken a long time to to give their assent and that’s a handicap.”james lewis, center for strategic and international studies
Debate over the revision has raged behind closed doors since May, when CyberScoop reported an initial deal had been forged giving the State Department additional but limited power to weigh in on cyber operations, according to a source briefed on the discussions. In recent months, the department has continued to push for more authority, but the White House has ultimately largely sided with the Pentagon and is not giving the State Departmentnearly as much sway as it would like, the source said.
“The debate was: ‘How much authority does State have to lay across the railroad tracks?’” the source said. “That’s been the debate in the past few months, and it’s moved in DOD’s direction.”
The Pentagon, State Department and U.S. Cyber Command did not respond to requests for comment. “The administration hasn’t changed our approach to or ability to use offensive cyber operations as a tool of national power when needed,” a senior administration official told CyberScoop.
As the Pentagon and State Department have sparred over authorities, Cyber Command’s operations in response to Russia’s invasion of Ukraine have boosted DOD’s position in the interagency fight. By moving quickly to counter Russian operations, Cyber Command has helped to blunt Russia’s abilities in cyberspace, and these efforts have been used to make the case that the Pentagon should retain its authorities, according to a source briefed on the discussions.
“CyberCom has been able to notch a bunch of good wins, justifying the argument that having more flexibility, being able to move faster really does help operations,” the source said.
Throughout the Obama era, the State Department hobbled cyber operations, said James Lewis, who directs the Strategic Technologies Program at the Center for Strategic and International Studies. “In the past, the U.S. has had trouble in joint operations because State has taken a long time to to give their assent, and that’s a handicap.”
The State Department has worked to bolster its staff working on cyber diplomacy issues, but experts say the department has historically lacked expertise on this issue relative to other agencies.
In 2017, the Trump administration shuttered the State Department office dedicated to cybersecurity and transferred its responsibilities to another bureau. It is only recently that the State Department has stood up a cyber-focused unit. The department’s Bureau of Cyberspace and Digital Policy began operating in April, and Nate Fick, the ambassador at large for cyberspace and digital policy, was only confirmed in September.