New Rules Will Allow Military Commanders to Counterattack Foreign Cyber Threats

Combatant commanders will be able to take defensive cyber action without White House approval

From Zachary Fryer-Biggs, Defense News:  After three years of grueling internal debate, the chairman of the Joint Chiefs is poised to approve new rules empowering commanders to counter direct cyberattacks with offensive efforts of their own — without White House approval.

Once signed, the new cyber rules contained in the US military’s new standing rules of engagement (SROE) — the classified legal document that outlines when, how and with what tools America will respond to an attack — will mark a far more aggressive tack than envisioned when the process started in 2010, or even much more recently. To date, any cyber action requires the approval of the National Security Council (NSC).

A defense spokesman said that much of the focus on cyber has revolved around defensive action, and that pre-emptive offensive action would still require presidential approval.

Sources said the new rules are vital to address a rapidly developing domain that should be integrated into normal military rules, but still remains largely closed to outside observers by heavy layers of classification. Because the SROE is classified, conversations about its composition and details of deliberations are all considered very sensitive, and sources who participated declined to be named.

The new rules were supposed to have been implemented in late 2010, but were delayed as top government lawyers debated how aggressively the US should respond to cyberattacks, and what tools commanders could use, according to current and former White House, defense and intelligence officials.

Now complete, the rules are undergoing a final “internal bureaucratic process,” a defense official said. . . .

Use of cyber weapons will still be the domain of US Cyber Command, with geographic combatant commanders requesting action through locally stationed cyber support elements. But the debate about the rules of engagement, what authorities they should permit and who should have them, stems from a larger issue about normalizing cyberwarfare that was complicated by the concentration of cyber authority within the NSC, a concentration that is the byproduct of an inter-agency dispute dating to the Iraq war.

What the US does as it begins to normalize cyber will have a big effect on how cyber is treated globally, said Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council.

“Without a doubt what we do gets copied,” he said. “The fact that we’re including this in rules of engagement and pushing this down to lower levels, [means that] then the military of another country will try to convince its leaders to do the same thing.”  (photo: Colin Kelly/Defense News)

Image: defense%20news%205%2028%2013%20Alexander.jpg