WASHINGTON: Why does the internet still work in Raqqa? That simple question about the Syrian capital of Daesh, the self-proclaimed Islamic State, posed today by retired fighter pilot Rep. Martha McSally, goes to the heart of how the military will use — or refrain from using — cyber weapons. It goes to deep suspicions that President Obama’s swollen National Security Council staff is micromanaging the military. No less a figure than House Armed Services Committee chairman Mac Thornberry voiced deep concern that we are bureaucratizing the cyber force at birth.
All too often in the air war, “by the time you get permission to do it (i.e. strike), the target is gone… I have personally talked to pilots who have had that happen,” Thornberry said at this morning’s full-committee hearing on cyber operations, for which the war on Daesh has been an official coming-out. “I’m concerned, I guess, that we are developing the same multi-layered bureaucracy, decision-making process, when it comes to cyber.”
“When things are moving at the speed of light, if we go through this multi-layered decision process to push the button on a cyber response, then we are going to be hopelessly behind,” said Thornberry. (To help de-layer that process, Thornberry wants CYBERCOM to become an independent combatant command, moving it out from under Strategic Command — more on that below).
Thornberry’s remark was prompted by an administration witness’s answer to Rep. McSally. The exchange (edited for length) is illuminating:
“We have known cells in Raqqa that are directing training, that are directing operations very specifically targeting against Americans,” McSally said. “Why is the internet not shut down in Raqqa?”
The assistant secretary of defense for homeland defense and global security, Thomas Atkin, deferred a detailed answer to the closed-door hearing this afternoon. In general terms, “certainly going after specific nodes to hamper and stop the use of the internet by ISIS is important, but we also have to respect the rights of citizens to have access to the internet,” he said. “So it’s a careful balance, even in Raqqa.”
Thornberry followed up. “I understand the concept of proportionality,” he said, “but are you arguing that the citizens of Raqqa have some sort of inherent right to access the internet that you all have to try to weigh?”
“Taking out the internet” isn’t a straightforward operation, Atkin replied. The Islamic State and other guerrilla/terrorist forces often rely on civilian infrastructure, so shutting down their internet service provider also cuts off legitimate civilian users in a wide area. “How that effect occurs has greater impact than just against the adversary and we have to weigh that in to all our operations,” he said, “whether that’s a kinetic or a cyber operation.”
After some additional back and forth — ending with an awkward silence from the administration witnesses — Thornberry reserved further questions for the classified hearing. “Okay, well, we’ll talk more about it,” he said, “but, again, I am not yet reassured.”
The administration’s position is that cyber operations must follow the same laws of war as physical combat, and that cyber attacks require the same kind of review as kinetic strikes. That includes such considerations as collateral damage — e.g. in shutting down the terrorists’ internet access, do you take it out for innocent civilians as well? — and proportionality — is the damage to civilians excessive for the military gain?
“Our operations in cyberspace are subject to the same rules as every operation, so we’re constrained by the laws of armed conflict and other limitations,” said Lt. Gen. Kevin McLaughlin, deputy commander of CYBERCOM. “We feel like we have the authorities and flexibility we need.”
But many in Congress, not just Republicans, are concerned that the White House, specifically the National Security Council, is binding the military’s hands on how many troops to deploy, what targets to strike, and what means to use.
“What if any role does the NSC play in your cyber operations?” asked the committee’s senior Democrat, Rep. Adam Smith. “This is a subject that’s come up in our hearings(:) the increasing role of the NSC over the top of, in some cases, the Department of Defense.”
“We keep them advised of the operations we have ongoing through the interagency process,” said Atkin. “When necessary we coordinate and get the president’s permission to conduct operations when his permission is inquired.”
“We may want to pursue that a little further,” broke in Thornberry.
One way to streamline the bureaucratic process would be to make Cyber Command a stand-alone combatant command (COCOM), rather than a subordinate unit of Strategic Command as it is today. Thornberry and Smith both advocate this reorganization and included it in their draft of the National Defense Authorization Act for 2017, although the Senate doesn’t include similar language.
“Isn’t it time for CYBERCOM to stand on its own as a combatant command?” Thornberry asked.
“I think the short answer to that is yes,” said Atkin. “We are continuing to look at that within the Department.”
What’s the hold up? asked Rep. Smith.
“Our biggest challenges are going to be resources,” said Atkin. In other words, as always, the bottom line is funding.