Oversight and control will hamper America’s cybersecurity

As polls opened for the 2018 U.S. midterm elections, Russia’s Internet Research Agency — a Kremlin propaganda machine aimed at sowing discord and eroding faith in American institutions — lost all internet access. Fast forward to the 2020 election season: TrickBot, an infamous Russian-controlled network of computers used for spreading ransomware, experienced a major disruption. In both instances, U.S. Cyber Command took the fight to the adversary to secure the American democratic process. Russian President Vladimir Putin’s agents undoubtedly will be back at it this year, but they may have more room to succeed, thanks to the Biden administration.

In the name of centralizing civilian authority over cyber operations at the White House — a hallmark of the Obama years — the administration is looking to handcuff U.S. Cyber Command with a cumbersome review process. This would reverse a Trump-era directive that gave the military and intelligence agencies a freer hand to disrupt cyber threats at the source. More specifically, the current policy accelerates decision-making by giving the Pentagon greater authority over targeting and timing. This allows U.S. cyber forces to better counter adversaries such as Russia, China, Iran and North Korea that operate in cyberspace with few restraints. By trying to fix what isn’t broken, the Biden administration would weaken U.S. Cyber Command’s ability to persistently engage and defend against threats in cyberspace.

Scrapping the current approach also overlooks the fact that Cyber Command’s freedom to operate reflects its growth into a more capable and effective force. In the span of a decade, it has become a unified command with greater acquisition authorities and a seasoned Cyber Mission Force, the command’s action arm. While Cyber Command has directly benefited from its autonomy, it also has used its latitude for cross-agency collaboration without having to seek White House approval. Task forces such as the joint USCYBERCOM-National Security Agency Russia Small Group have partnered with the FBI, the CIA and the Department of Homeland Security to combat Russian election meddling.

Worse yet, returning to a laborious interagency review of cyber operations ignores the history of counterproductive military and intelligence turf wars that play out in a centralized setting. The military traditionally has sought greater initiative in cyberspace; intelligence agencies have been reluctant to share the cyber mission. Indeed, U.S. Central Command and U.S. Strategic Command’s Joint Functional Component Command-Network Warfare (JFCC-NW), a predecessor to U.S. Cyber Command, led the 2008 shutdown of a CIA website used for surveilling extremists in Saudi Arabia and Iraq. Despite the intelligence value, the military leveraged the interagency setting by arguing the site threatened American troops in the region by facilitating extremist cooperation. Although the CIA eventually reestablished the site, the agency launched a legal complaint over the disregard for deconfliction practices. 

More recently, the CIA used the National Security Council to delay U.S. Cyber Command’s 2016 offensive against ISIS. CIA objections centered on the need for greater military reporting and update requirements. But this also was a bureaucratic power move to exert influence, since the two had agreed on communication measures.

More broadly, the Biden administration would be handing agencies such as the State Department greater veto power over military cyber operations. Diplomatic and legal concerns routinely produced excessive deliberation and delayed the approval of operations under the Obama administration. There is every reason to expect this dynamic to be worse now given that the State Department and its new digital bureau are staking a greater claim to cyber issues. While greater deliberation can produce a stronger legal justification for action, it risks an overly constrained Cyber Command that cannot keep up with threat actors.

Legislators have been right to push back on the effort to curtail USCYBERCOM’s authority. Cyber Command doesn’t need micromanagement. But if the Biden administration can’t resist the temptation to intervene, then it should do so with the goal of enhancing the force’s effectiveness. The administration could certainly provide better guidance on the range of acceptable actions in and outside of war. Biden and his National Security Council also should work to develop concrete metrics for evaluating outcomes in cyberspace. These avenues would vastly improve how we assess and enhance USCYBERCOM’s effectiveness.

Civilian oversight of military and intelligence cyber operations is important for a healthy democracy, but a lengthy bureaucratic review process hamstrings the proven operational effectiveness that protects our democracy. The Biden administration is focusing too much on oversight and control at the expense of effectiveness. Let’s hope the White House can course-correct before the midterms.

Jason Blessing, Ph.D., is a Jeane Kirkpatrick Visiting Research Fellow with the foreign and defense policy department at the American Enterprise Institute. His research focuses on cybersecurity and transatlantic relations. Follow him on Twitter @JasonABlessing.