A small but significant quarrel is emerging between a bipartisan team of lawmakers in the House and the Trump administration over how the Pentagon is going about using its newly minted authority to strike back against adversaries in cyberspace.
Democratic and Republican leaders of the House Armed Services Committee and its emerging threats subcommittee — in a rare instance of bipartisan pushback against the White House — have repeatedly asked administration officials for a still-secret memo issued by President Donald Trump that lifted earlier restrictions on U.S. Cyber Command’s operations against adversaries.
The White House has thus far refused to provide the memo, and the House last week voted to include an amendment in its version of the 2020 Pentagon policy bill that would force the administration to turn over “all National Security Presidential Memorandums relating to Department of Defense operations in cyberspace.”
While it’s unclear why the White House refuses to share the document with lawmakers, Congress wants it to make sure that the memo outlines and codifies a process on how various agencies coordinate among themselves before launching an offensive operation in cyberspace, according to congressional aides.
Understanding how the consultation process among agencies works is important because the NSPM 13, as the document is known, replaced an Obama administration directive that is classified but is said to have advocated caution in how the United States deploys offensive cyber measures against adversaries. The Obama-era order called for a White House-led coordination before offensive cyber efforts could be used against adversaries.
“I can’t recall a time when a document of this significance has been withheld from Congress,” said Rep. Jim Langevin, a Rhode Island Democrat who has served in the House for nearly two decades and who sponsored the amendment that would force the White House to hand over the document.
Langevin chairs the Armed Services Subcommittee on Intelligence, Emerging Threats and Capabilities, which oversees cyber defense programs.
A bipartisan group of lawmakers — including Washington Democrat Adam Smith and Texas Republican Mac Thornberry, the chairman and ranking member of the full committee, respectively, along with Langevin and New York Republican Elise Stefanik, the leaders of the emerging threats panel — have asked for the memo since February without receiving it.
The White House did not directly reply to a query about whether it is withholding the documents.
“The administration keeps Congress appropriately informed of cyber operations, including by providing briefings and documents,” a senior administration official said in an email.
Langevin has been supportive of the freedom given to Cyber Command to push back against Russia, China, Iran, North Korea and other cyber foes, but Congress has a responsibility to ensure that the authority is being used carefully, he said.
“We need to make sure that we are doing this strategically and not in a Wild West fashion,” Langevin told CQ Roll Call in a recent interview.
In the weeks before the 2018 midterm elections, a team of experts from Cyber Command were deployed to Macedonia, Ukraine and Montenegro as part of an operation code-named Operation Synthetic Theology. The cyber team identified Russian agents who were trying to interfere in the 2018 elections and warned them they were being monitored. The team also temporarily shut down the Internet Research Agency, a Kremlin-backed troll farm in St. Petersburg that mounted a large-scale influence operation during the 2016 elections.
Langevin has also said that, like other military operations including secretive special operations, Cyber Command should conduct exercises beforehand on how it would respond to a variety of threats in cyberspace.
“Unless exercised, we won’t be prepared to confront the bad things, and we don’t want to do this on the fly,” Langevin said.
It is for those reasons lawmakers want to see how the presidential memorandum is structured and what it instructs Cyber Command to do.
But senators who oversee the Pentagon are not as concerned about getting a copy of the classified document, and it remains unclear if the final defense authorization bill that emerges from Congress will still require the White House to share the document with lawmakers.
Republican Mike Rounds of South Dakota, chairman of the Senate Armed Services Subcommittee on Cybersecurity, said in a brief interview that he did not feel the need to see the documents themselves, because “I was very comfortable with the briefings I received on it — several of them.”
Sen. Joe Manchin III of West Virginia, the top Democrat on the panel, did not directly answer when asked twice if he had asked for or seen the documents.
“I’ve had some briefings,” Manchin said both times.
The move to loosen restrictions on Cyber Command was announced last fall by White House national security adviser John Bolton.
“It’s important that our adversaries know it and the public knows it that we have authorized offensive cyber operations that will be undertaken through the coordination process” under a presidential order, Bolton said in September. “We have determined and the president has determined that it’s in our national interest to do that.”
The Obama administration had feared that offensive cyber actions targeting an adversary’s networks could inadvertently affect computer networks in neighboring friendly countries, as has happened with a U.S.-Israel effort, called Stuxnet, designed to cripple Iran’s nuclear program computers.
Stuxnet later affected other industrial systems around the world.
“Our presidential policy directive effectively reverses those restraints,” Bolton said, referring to the Obama administration order. As a result, Bolton added, the Trump administration is “enabling offensive cyber operations through the relevant departments.”
“Any nation that’s taking cyber activity against the United States, they should expect, and it is part of creating structures of deterrence so it’ll be known publicly as well, we’ll respond offensively as well as defensively,” Bolton said.
Last month, The New York Times reported that U.S. cyber operators had implanted computers in Russia’s energy sector with crippling malware that could be activated at a later date.
The Pentagon has said the report is inaccurate but has offered no elaboration. Bolton said last month that the administration’s goal has been “to say to Russia, or anybody else that’s engaged in cyber operations against us, ‘You will pay a price.’”