The Defense Department has largely won out in a long-running bureaucratic battle with the State Department over retaining its broad powers to launch cyber operations, according to two sources familiar with the matter.
While the exact details of which authorities the Pentagon retains to carry out cyber operations are classified, sources familiar with the matter said it succeeded in holding onto key parts of broad authorities the Trump administration granted DOD in 2018.
The State Department won some concessions as part of the revised policy document, according to a senior administration official speaking on condition of anonymity to describe the framework. The official added that the final version of the policy memorandum will include provisions requiring the White House to receive details of cyber operation plans from DOD well in advance of operations. The new policy also will allow agencies to flag operations they find concerning through what the official called a “documented dispute resolution process.”
President Biden is now set to review these authorities in a newly revised version of National Security Policy Memorandum-13, the official said.
First instituted in 2018, NSPM-13 allowed the delegation of “well-defined authorities to the secretary of defense to conduct time-sensitive military operations in cyberspace,” according to a 2020 speech given by Paul Ney, then the general counsel for the DOD. Designed by President Trump’s National Security Council and promoted by then National Security Adviser John Bolton, NSPM-13 was intended to streamline the approval process for cyber operations that Bolton describes in his memoir as “frozen solid” when he arrived in office.
These authorities were used perhaps most famously in 2018 to disrupt internet access at a Russian troll farm infamous for its role in spreading disinformation around the 2016 election and have more recently played a role in countering Russian cyber operations in Ukraine.
The State Department and other executive branch agencies have long bristled at what they see as the outsize power and authority NSPM-13 grants DOD. NSPM-13, in their view, elevates military prerogatives in cyberspace over those of civilian agencies and fails to adequately consider the impact of military cyber operations on human rights, diplomacy and private-sector infrastructure.
Running offensive cyber operations often requires the use of such private-sector infrastructure in foreign countries, and the original NSPM-13 largely prevented the State Department from informing these foreign countries, which slowed down operations.
Debate over the revision has raged behind closed doors since May, when CyberScoop reported an initial deal had been forged giving the State Department additional but limited power to weigh in on cyber operations, according to a source briefed on the discussions. In recent months, the department has continued to push for more authority, but the White House has ultimately largely sided with the Pentagon and is not giving the State Department nearly as much sway as it would like, the source said.
“The debate was: ‘How much authority does State have to lay across the railroad tracks?’” the source said. “That’s been the debate in the past few months, and it’s moved in DOD’s direction.”
The Pentagon, State Department and U.S. Cyber Command did not respond to requests for comment. “The administration hasn’t changed our approach to or ability to use offensive cyber operations as a tool of national power when needed,” a second senior administration official told CyberScoop.
As the Pentagon and State Department have sparred over authorities, Cyber Command’s operations in response to Russia’s invasion of Ukraine have boosted DOD’s position in the interagency fight. By moving quickly to counter Russian operations, Cyber Command has helped to blunt Russia’s abilities in cyberspace, and these efforts have been used to make the case that the Pentagon should retain its authorities, according to a source briefed on the discussions.
“CyberCom has been able to notch a bunch of good wins, justifying the argument that having more flexibility, being able to move faster really does help operations,” the source said.
Throughout the Obama era, the State Department hobbled cyber operations, said James Lewis, who directs the Strategic Technologies Program at the Center for Strategic and International Studies. “In the past, the U.S. has had trouble in joint operations because State has taken a long time to to give their assent, and that’s a handicap.”
The State Department has worked to bolster its staff working on cyber diplomacy issues, but experts say the department has historically lacked expertise on this issue relative to other agencies.
In 2017, the Trump administration shuttered the State Department office dedicated to cybersecurity and transferred its staff and responsibilities to another bureau. It is only recently that the State Department has stood up a cyber-focused unit. The department’s Bureau of Cyberspace and Digital Policy began operating in April, and Nate Fick, the ambassador at large for cyberspace and digital policy, was only confirmed in September.
Updated Nov. 17, 2022: This article has been updated with additional details from a senior administration official.
Corrected Nov. 18, 2022: This article has been corrected to reflect that the newly revised memorandum has been sent to the president to review before signing.