Lawmakers locked in a nine-month fight with the White House over access to a classified 2018 directive on offensive cyber operations, known as National Security Presidential Memorandum 13, prevailed with the defense spending bill being signed by President Trump on Friday.
“Even if you support the general direction this policy is headed in, that doesn’t remove the need for congressional oversight,” a senior House Democratic aide said. “This will remove any claim that they can make on a statutory basis that they are not required to share this.”
The directive on offensive cyber operations describes the rules for the conduct of U.S. cyber activities. Lawmakers on both sides of the aisle complained that the Trump administration was not forthcoming in response to congressional efforts at oversight.
“If you hear, ‘This all worked out well’ and ‘as designed,’ and you don’t have an understanding of what ‘as designed’ is supposed to look like from a process standpoint, it’s very hard to conduct effective oversight,” a senior Democratic aide told the Washington Examiner.
Trump rescinded Presidential Policy Directive 20, an Obama-era interagency hacking protocol last year, a shift that some National Security Council members were said to have pressed for. Long at issue was the directive’s “burdensome procedural restrictions,” the backbone of a policy that one senior administration official called “ineffective” in an interview with the Washington Examiner.
The Obama White House’s deliberations were excessive at times, an industry expert said. When Iran attacked Wall Street in 2012, attempts to balance the White House’s competing foreign policy priorities led to frustration on the part of the banks.
Trump’s new guidance, National Security Presidential Memorandum 13, invokes higher retaliatory cost on attackers targeting U.S. networks, systems, or infrastructure. When an attack falls short of an operational takedown, say, in the case of cybertheft, NSPM-13 suggests attackers can expect a swift, robust response. Streamlining the process and removing procedural bulwarks allows for this, the senior administration official said.
Prior administrations were inclined to name and shame the attackers, retaliating with indictments and the like, an industry analyst said. Deterrence has been “the challenge,” she said.
“Action has been taken since the issuance” of NSPM-13, a senior administration official said, adding in a reprise of former Trump national security adviser John Bolton’s words, “Our nation’s hands are no longer tied.”
The Trump administration has axed the cybersecurity “coordinator” role, and with a number of high-profile departures, the team has winnowed. “In the Trump administration, we have seen a sort of weird, conflicting approach where they got rid of cyber expertise at the White House, got rid of the senior director role — they kept sort of changing the title — then decided to come up with a really aggressive cyber policy,” an industry expert said. “My concern would be that they have enough checks on this more aggressive approach to guard against exacerbating potential impacts.”
Losing the central node, or coordinator, risks agencies working at cross purposes, “which is obviously not helpful,” she said. “Cyber is one of the most cross-cutting issues,” and there is potential for error.
“If you are looking at the trend, it’s obviously going from discovery to trying to figure out how to marshal it in a controlled way to what happens when you take some of the controls off,” she said. “It’s just a little bit experimental here, very reliant on some very careful marshaling of cyberweapons, and puts more responsibility on the government not to misstep.”
Michael Daniel, the Obama White House cyber coordinator and now president and CEO of the Cyber Threat Alliance, suggested the streamlining and staff reductions were unnecessary. “While any organization can make process improvements, the NSC staff size was not out of alignment with its assigned missions in the Obama administration,” he said.
“In fact, the cyber directorate often ended up working on issues that weren’t purely cybersecurity, such as encryption, 5G, AI, and so on; they were technology issues with national security implications that otherwise had no home on the NSC. We got them because we were the closest thing to a ‘technology directorate,'” Daniel said.
