WASHINGTON — After three years
of grueling internal debate, the
chairman of the Joint Chiefs is
poised to approve new rules empowering
commanders to counter
direct cyberattacks with offensive
efforts of their own — without
White House approval.
Once signed, the new cyber
rules contained in the US
military’s new standing rules of engagement
(SROE)—the classified
legal document that outlines when,
how and with what tools America
will respond to an attack — will
mark a far more aggressive tack
than envisioned when the process
started in 2010, or even much
more recently. To date, any cyber
action requires the approval of the
National Security Council (NSC).
A defense spokesman said that
much of the focus on cyber has
revolved around defensive action,
and that pre-emptive offensive actionwouldstill
require presidential
approval.
Sources said the new rules are vital to address a rapidly developing
domain that should be integrated
into normal military rules, but
still remains largely closed to outside
observers by heavy layers of
classification. Because the SROE
is classified, conversations about
its composition and details of
deliberations are all considered
very sensitive, and sources who
participated declined to be named.
The new rules were supposed to
have been implemented in late
2010, but were delayed as topgovernmentlawyersdebatedhow
aggressively the US should respond
to cyberattacks, and what
tools commanders could use, according
to current and former
White House, defense and intelligence
officials.
Now complete, the rules are
undergoing a final “internal bureaucratic
process,” a defense official
said.
Lawyers from the Joint Staff
and US Cyber Command
(CYBERCOM) gathered in Washington
to try to update the
Defense Department’s standing
rules of engagement in late 2010,
with two major policy areas remaining
as subjects of debate:
rules regarding deployed ships
and rules about cyberwarfare.
The cyber discussion resulted
in a draft cyber policy that was
gerrymandered, larded with legalese,
and had become almost
unintelligible because of the
many hands from multiple agencies
involved in its writing. An interagency
process had been started because cyber concerns confront a
variety of agencies, the intelligence community
and DoD as well as State, Homeland
Security and other departments, with each
expressing views on how the domain would
be treated.
That effort aimed to update rules crafted
in 2005 that did not address broader questions
regarding cyber, but were in need of updates
as cyber threats escalated. Recent
reportsfromthe securitycompanyMandiant
and from DoD indicate the Chinese cyberattacks
began to increase in 2006.
With the SROE process having stalled,
three lawyers attending the conference decided
to start over, redrafting the language
on cyber over a lunch break during the
conference.Huddledaroundatable they created
what they thought was a simple, clean
approach that could gain broad support.
They presented it to the other attendees,
and thenewversion was passed up the chain
of command for review by senior officers.
Not long afterward, that draft was
rejectedbyadeputyofGen.KeithAlexander,
head of CYBERCOM and director of the National
Security Agency, because it fell short
of where “the SecDef wanted it to go,” said
a former defense official.
The problem was that the document didn’t
allow for a sufficiently assertive response,
the official added. In its efforts to achieve
balance, the draft didn’t accommodate the
strong stance the administration, and
specifically CYBERCOM, wanted to take.
So the rules were drafted again, designed
to be “forward leaning,” permitting a stronger
response. Once again they were rejected.
Nearly three years later the rules still
haven’t been signed. Defense officials said
they expect the newest version to be
formalized shortly, but there is always the
possibility that further policy concerns will
stall the process.
While several sources pointed to the
desire by some, especially Alexander, to take
a more assertive stance, not everyone
agrees that the delay was caused by internal
dissent. A senior defense official said the
process was slowed by the administration’s
need to develop larger cyber policies to
make sure the military rules fit the larger
whole.
“As we were developing our standing rules
of engagement and going through that
interagency process we were recognizing
that there’s a natural progression, a natural
sequencing of making sure that the
presidential policy was finalized and signed
out, then making sure that the doctrine and
other procedures are in place, and finally the
next logical step is the standing rules of engagement,”
the senior defense official said.
According to the former defense official
with knowledge of earlier drafts, the
version on the verge of completion is “way
far” from previous versions, authorizing far
more assertive action than had been previously
considered.
Use of cyber weapons will still be the domain
ofUSCyber Command, with geographic
combatant commanders requesting
action through locally stationed cyber support
elements. But the debate about the rules
of engagement, what authorities they should
permit and who should have them, stems
from a larger issue about normalizing cyberwarfare
thatwascomplicated by the concentration
of cyber authority within the NSC, a
concentration that is the byproduct of an
inter-agency dispute dating to the Iraq war.
What the US does as it begins to normalize
cyber will have a big effect on how cyber is
treated globally, said Jason Healey, director
of the Cyber Statecraft Initiative of the
Atlantic Council.
“Without a doubt what we do gets copied,”
he said. “The fact that we’re including this in
rules of engagement and pushing this down
to lower levels, [means that] then the
military of another country will try to convince
its leaders to do the same thing.”
Concentration of Power
In 2003, with the launch of the war in Iraq,
cyber capabilities weren’t very advanced
compared to some of the elegant tools at
the military’s disposal today. But that doesn’t
mean that various intelligence and defense
agencies weren’t interested in using them.
When the squabbling over who would be
in charge of cyber began, President George
W. Bush signed a classified presidential directive
in 2004 requiring that all cyber decisions
be funneled through the NSC.
That prevented any single agency from layingclaim.
Butitdidn’tendthedisagreements.
“It became an issue with cabinet and
deputycabinetlevelofficialsintherehacking
it out,” said a former senior intelligence official,
describing debates in the White House
Situation Room.
In every instance where cyber was involved,
the NSC had to be involved. That
helped settle some of the disputes between
agencies by limiting any independent application
of cyber capabilities, but was useful
neither for expediting any cyber action nor
for integrating cyber into larger military
capabilities. Several sources said that this
has slowed the integration of cyber into
broader military tactics, possibly giving rivals
without the same hesitation, like China,
a chance to become more adept at military
cyber.
Some decisions by the NSC on the use of
cyber were easier than others. In an individual
theater of combat, such as Afghanistan,
their use was more easily authorized if the
effects were limited to the region. If
anything resembling a cyberattack or intrusioncamefrom
the area, a responsewasalso
likely authorized.
But when it came to more complicated
issues, like international intrusions, the
standards got hazy.
Because every decision had to be run
through the West Wing, potential political
blowback limited the use of cyber tools, the
former senior intelligence official said. “If
they can’t be used without a discussion in
theWest Wing, the president’s got no place to
run if something goes wrong when he uses
them,” he said. Those decisions included
what to do if the US confronted a cyberattack.
The rules of engagement review
proceeded in 2005 with limited cyber concerns
integrated into the final version. Not
until2010didthelargerdebatepickupsteam.
The rejection of the drafts developed at
the end of 2010 by CYBERCOM officials was
part of a larger push to increase the authority
vested in Alexander, the former senior
intelligence official said. “When we had
these dialogues with the Fort Meade population,
it was often the rest of the intelligence
community cautioning the Fort Meade guys
not to be so aggressive,” he said. NSA and
CYBERCOM are at Fort Meade in Maryland.
Several sources cited these interests as
slowing the process, and causing several
compromises to be rejected.
Not everyone agrees that the process has
been slowed by dissent or efforts to increase
authority by any one group. The senior defense
official who described the delays as
being the result of larger policy development
pointed to the difficulty in crafting a new
policy in a new area of warfare.
“It was much less about a turf war than it
was about us wanting to make sure that
the department’s role was right in defending
it, and that the level to which the authority
was delegated was appropriate and something
with which the secretary and the
chairman and the White House was
comfortable,” he said. “If this is the first time
ever that we’re talking about SROEs that
are outside of DoD networks, it should be
expected that it’s a very complicated thing.
There’s no precedent, there’s no clear understanding
on some of the issues.”
A defense spokesman who was asked
about Alexander’s role in eliminating earlier
versions of the cyber language noted that
there were multiple officials involved in the
development process.
“The standing rules of engagement are a
product of many minds, of which Gen. Alexander
is one,” a statement from the spokesman
read. “He has worked tirelessly with
senior department leadership to develop
appropriateSROEsthat for the first time will
define the legal framework for how the
United States would respond if attacked by,
through or with the cyber domain.”
To be sure, even when an SROE document
is signed, it will not grant the authority to
wage cyberwar to low level military personnel.
Even the cyber capabilities that might
be employed to respond to an attack will require
orders from senior officials.
But the document is a move that begins to
standardize cyber, folding some areas into
more typical military rules and hashing out
concerns about how cyber should be
treated.
The use of cyber is more a question of
political influence in the West Wing, a process
that favors those like Alexander who
have access to decision-makers. If cyber capabilities
become more readily accepted,
their implementation could become more
democratic, basedmoreonneedthanonpolitics.
More importantly, by authorizing immediate
action against cyberattacks, the SROE
will greatly cutdownonthe reaction time.By
eliminating the often laborious process of
NSC deliberations, an attack will likely be
countered sooner and potentially result in
less damage.
“If you have time to run it through the NSC
you don’t really need a standing requirement,”
a former defense official said.
www.defense.com
of grueling internal debate, the
chairman of the Joint Chiefs is
poised to approve new rules empowering
commanders to counter
direct cyberattacks with offensive
efforts of their own — without
White House approval.
Once signed, the new cyber
rules contained in the US
military’s new standing rules of engagement
(SROE)—the classified
legal document that outlines when,
how and with what tools America
will respond to an attack — will
mark a far more aggressive tack
than envisioned when the process
started in 2010, or even much
more recently. To date, any cyber
action requires the approval of the
National Security Council (NSC).
A defense spokesman said that
much of the focus on cyber has
revolved around defensive action,
and that pre-emptive offensive actionwouldstill
require presidential
approval.
Sources said the new rules are vital to address a rapidly developing
domain that should be integrated
into normal military rules, but
still remains largely closed to outside
observers by heavy layers of
classification. Because the SROE
is classified, conversations about
its composition and details of
deliberations are all considered
very sensitive, and sources who
participated declined to be named.
The new rules were supposed to
have been implemented in late
2010, but were delayed as topgovernmentlawyersdebatedhow
aggressively the US should respond
to cyberattacks, and what
tools commanders could use, according
to current and former
White House, defense and intelligence
officials.
Now complete, the rules are
undergoing a final “internal bureaucratic
process,” a defense official
said.
Lawyers from the Joint Staff
and US Cyber Command
(CYBERCOM) gathered in Washington
to try to update the
Defense Department’s standing
rules of engagement in late 2010,
with two major policy areas remaining
as subjects of debate:
rules regarding deployed ships
and rules about cyberwarfare.
The cyber discussion resulted
in a draft cyber policy that was
gerrymandered, larded with legalese,
and had become almost
unintelligible because of the
many hands from multiple agencies
involved in its writing. An interagency
process had been started because cyber concerns confront a
variety of agencies, the intelligence community
and DoD as well as State, Homeland
Security and other departments, with each
expressing views on how the domain would
be treated.
That effort aimed to update rules crafted
in 2005 that did not address broader questions
regarding cyber, but were in need of updates
as cyber threats escalated. Recent
reportsfromthe securitycompanyMandiant
and from DoD indicate the Chinese cyberattacks
began to increase in 2006.
With the SROE process having stalled,
three lawyers attending the conference decided
to start over, redrafting the language
on cyber over a lunch break during the
conference.Huddledaroundatable they created
what they thought was a simple, clean
approach that could gain broad support.
They presented it to the other attendees,
and thenewversion was passed up the chain
of command for review by senior officers.
Not long afterward, that draft was
rejectedbyadeputyofGen.KeithAlexander,
head of CYBERCOM and director of the National
Security Agency, because it fell short
of where “the SecDef wanted it to go,” said
a former defense official.
The problem was that the document didn’t
allow for a sufficiently assertive response,
the official added. In its efforts to achieve
balance, the draft didn’t accommodate the
strong stance the administration, and
specifically CYBERCOM, wanted to take.
So the rules were drafted again, designed
to be “forward leaning,” permitting a stronger
response. Once again they were rejected.
Nearly three years later the rules still
haven’t been signed. Defense officials said
they expect the newest version to be
formalized shortly, but there is always the
possibility that further policy concerns will
stall the process.
While several sources pointed to the
desire by some, especially Alexander, to take
a more assertive stance, not everyone
agrees that the delay was caused by internal
dissent. A senior defense official said the
process was slowed by the administration’s
need to develop larger cyber policies to
make sure the military rules fit the larger
whole.
“As we were developing our standing rules
of engagement and going through that
interagency process we were recognizing
that there’s a natural progression, a natural
sequencing of making sure that the
presidential policy was finalized and signed
out, then making sure that the doctrine and
other procedures are in place, and finally the
next logical step is the standing rules of engagement,”
the senior defense official said.
According to the former defense official
with knowledge of earlier drafts, the
version on the verge of completion is “way
far” from previous versions, authorizing far
more assertive action than had been previously
considered.
Use of cyber weapons will still be the domain
ofUSCyber Command, with geographic
combatant commanders requesting
action through locally stationed cyber support
elements. But the debate about the rules
of engagement, what authorities they should
permit and who should have them, stems
from a larger issue about normalizing cyberwarfare
thatwascomplicated by the concentration
of cyber authority within the NSC, a
concentration that is the byproduct of an
inter-agency dispute dating to the Iraq war.
What the US does as it begins to normalize
cyber will have a big effect on how cyber is
treated globally, said Jason Healey, director
of the Cyber Statecraft Initiative of the
Atlantic Council.
“Without a doubt what we do gets copied,”
he said. “The fact that we’re including this in
rules of engagement and pushing this down
to lower levels, [means that] then the
military of another country will try to convince
its leaders to do the same thing.”
Concentration of Power
In 2003, with the launch of the war in Iraq,
cyber capabilities weren’t very advanced
compared to some of the elegant tools at
the military’s disposal today. But that doesn’t
mean that various intelligence and defense
agencies weren’t interested in using them.
When the squabbling over who would be
in charge of cyber began, President George
W. Bush signed a classified presidential directive
in 2004 requiring that all cyber decisions
be funneled through the NSC.
That prevented any single agency from layingclaim.
Butitdidn’tendthedisagreements.
“It became an issue with cabinet and
deputycabinetlevelofficialsintherehacking
it out,” said a former senior intelligence official,
describing debates in the White House
Situation Room.
In every instance where cyber was involved,
the NSC had to be involved. That
helped settle some of the disputes between
agencies by limiting any independent application
of cyber capabilities, but was useful
neither for expediting any cyber action nor
for integrating cyber into larger military
capabilities. Several sources said that this
has slowed the integration of cyber into
broader military tactics, possibly giving rivals
without the same hesitation, like China,
a chance to become more adept at military
cyber.
Some decisions by the NSC on the use of
cyber were easier than others. In an individual
theater of combat, such as Afghanistan,
their use was more easily authorized if the
effects were limited to the region. If
anything resembling a cyberattack or intrusioncamefrom
the area, a responsewasalso
likely authorized.
But when it came to more complicated
issues, like international intrusions, the
standards got hazy.
Because every decision had to be run
through the West Wing, potential political
blowback limited the use of cyber tools, the
former senior intelligence official said. “If
they can’t be used without a discussion in
theWest Wing, the president’s got no place to
run if something goes wrong when he uses
them,” he said. Those decisions included
what to do if the US confronted a cyberattack.
The rules of engagement review
proceeded in 2005 with limited cyber concerns
integrated into the final version. Not
until2010didthelargerdebatepickupsteam.
The rejection of the drafts developed at
the end of 2010 by CYBERCOM officials was
part of a larger push to increase the authority
vested in Alexander, the former senior
intelligence official said. “When we had
these dialogues with the Fort Meade population,
it was often the rest of the intelligence
community cautioning the Fort Meade guys
not to be so aggressive,” he said. NSA and
CYBERCOM are at Fort Meade in Maryland.
Several sources cited these interests as
slowing the process, and causing several
compromises to be rejected.
Not everyone agrees that the process has
been slowed by dissent or efforts to increase
authority by any one group. The senior defense
official who described the delays as
being the result of larger policy development
pointed to the difficulty in crafting a new
policy in a new area of warfare.
“It was much less about a turf war than it
was about us wanting to make sure that
the department’s role was right in defending
it, and that the level to which the authority
was delegated was appropriate and something
with which the secretary and the
chairman and the White House was
comfortable,” he said. “If this is the first time
ever that we’re talking about SROEs that
are outside of DoD networks, it should be
expected that it’s a very complicated thing.
There’s no precedent, there’s no clear understanding
on some of the issues.”
A defense spokesman who was asked
about Alexander’s role in eliminating earlier
versions of the cyber language noted that
there were multiple officials involved in the
development process.
“The standing rules of engagement are a
product of many minds, of which Gen. Alexander
is one,” a statement from the spokesman
read. “He has worked tirelessly with
senior department leadership to develop
appropriateSROEsthat for the first time will
define the legal framework for how the
United States would respond if attacked by,
through or with the cyber domain.”
To be sure, even when an SROE document
is signed, it will not grant the authority to
wage cyberwar to low level military personnel.
Even the cyber capabilities that might
be employed to respond to an attack will require
orders from senior officials.
But the document is a move that begins to
standardize cyber, folding some areas into
more typical military rules and hashing out
concerns about how cyber should be
treated.
The use of cyber is more a question of
political influence in the West Wing, a process
that favors those like Alexander who
have access to decision-makers. If cyber capabilities
become more readily accepted,
their implementation could become more
democratic, basedmoreonneedthanonpolitics.
More importantly, by authorizing immediate
action against cyberattacks, the SROE
will greatly cutdownonthe reaction time.By
eliminating the often laborious process of
NSC deliberations, an attack will likely be
countered sooner and potentially result in
less damage.
“If you have time to run it through the NSC
you don’t really need a standing requirement,”
a former defense official said.
www.defense.com