Federal law already obliges the president to notify Congress within 48 hours of any commitment of U.S. forces to military action, but lawmakers evidently feel that they’ve been somewhat left in the dark when it comes to military action in cyberspace. New legislation introduced on Thursday is meant to correct that.
The bill, cosponsored by the chairman and ranking Democrat on the House Armed Services Committee, plus the top two leaders of that panel’s emerging threats and capabilities subcommittee, would impose a host of new notification requirements when the Defense Department uses cyber capabilities in military operations, or even when it reaches legal conclusions that the use of those weapons is permissible under international law.
Rep. Mac Thornberry (R-Texas), chairman of the House Armed Services Committee, acknowledged the reporting requirements the bill would involve military capabilities and operations DoD regards as highly-sensitive, but said that at least the committees that are directly involved in Defense oversight need more visibility into the Pentagon’s cyber operations.
“Congress still has a responsibility to conduct appropriate oversight in order to protect our security and our essential freedoms at the same time,” he said. “This proposal to enhance congressional oversight of sensitive military cyber operations and cyber weapons will help achieve that balance by promoting greater transparency and accountability for some of the most classified elements of our national defense.”
The measure, which the lawmakers hope to pass as part of the 2018 National Defense Authorization Act, would require DoD to notify the four congressional defense committees any time the military conducts a “sensitive” cyber operation, whenever one of the military’s classified cyber capabilities has been disclosed without authorization, when military lawyers conclude that a newly-developed cyber tool can be used against an enemy without violating the law of armed conflict or U.S. treaty obligations, and any time it uses a cyber capability as an offensive weapon, including when it’s using defensive measures to beat back an attack by a foreign threat.
In each case, the Pentagon would have to make the notification in writing, and within 48 hours.
Congress, in turn, would have to develop measures to make sure that any classified information DoD provides to the defense committees is adequately protected to keep it from leaking to the broader public and potential adversaries, but the bill does not specify exactly what safeguards would be put in place.
Rep. Adam Smith (D-Wash.), the committee’s ranking Democrat, said the legislation was informed by previous steps Congress has taken to require notification on more “traditional” sensitive military activities, an apparent reference to a measure passed in 2014 which demands briefings on counterterrorism operations, including capture or kill operations conducted by special forces.
“Over the past few years, military cyber operations have evolved, and as the evolution and maturation of both defensive and offensive operations continues, it is crucial that we establish clear standards, processes, and procedures for notification to Congress,” he said. “Drawing on lessons we’ve learned from the oversight of more traditional DoD sensitive activities outside of areas of active hostilities, this bill will enable Congress to provide additional support and oversight for these activities as they continue to develop as an essential component of U.S. military power.”
The legislation includes a broad exception for “covert activities,” those that are intentionally designed to conceal the fact that the U.S. is behind them or leave the government with plausible deniability, so it remained unclear how many of the military’s cyber activities would be implicated by the new reporting requirements. And covert operations are already supposed to be reported to the congressional intelligence committees.
But Rep. James Langevin (D-R.I.) echoed the sentiment that the bill was mainly focused on DoD cyber operations outside of areas where Congress has already authorized or assented to ongoing military operations, such as Afghanistan.
“I am pleased this bill will ensure that as cyber operations are conducted by our armed forces outside areas of active hostility, Congress is subsequently notified to ensure the appropriate level of oversight is conducted,” he said. “This bill brings cyber in line with the other notifications Congress already receives and will help broaden our collaboration and conversation with the Department of Defense when it comes to cyber operations.”