As the Pentagon's cyberattacks increase, experts warn of weak congressional oversight

Sean D. Naylor
·National Security Correspondent
Updated

WASHINGTON — When U.S. Cyber Command launched a stealth assault in June on an Iranian intelligence organization linked to attacks on commercial ships in the Gulf of Oman, nobody told Congress ahead of time.

It was the same last year, when the command began to clandestinely target Russia’s electrical grid, according to the New York Times.

To many, these cyberattacks looked like covert actions — operations that the targets might have realized were occurring, but in which the role of the United States remained hidden. The president must sign off on covert actions, which must also be briefed to key members of Congress responsible for intelligence.

But according to a provision in the 2019 National Defense Authorization Act, such missions are not covert actions but “traditional military activities” and therefore do not require presidential authorization, nor do they have to be briefed ahead of time to Congress. By declaring them to be traditional military activities, the provision also placed clandestine cyber operations under the purview of the House and Senate armed services committees, rather than the intelligence committees.

Yahoo News photo illustration; photos: AP, Getty Images
Yahoo News photo illustration; photos: AP, Getty Images

That move is fraught with significant risks, according to critics, including that foreign powers will retaliate against Cyber Command’s military missions by launching cyberattacks against private American firms. “That’s not a consideration that our normal military operators are used to calculating,” said Suzanne Spaulding, a former undersecretary of the Department of Homeland Security who previously worked as a lawyer for the CIA and the Senate Select Committee on Intelligence.

A defense official said Spaulding’s concerns were misplaced, however. “To suggest that military personnel aren’t used to weighing repercussions on the civilian population is simply not accurate,” the defense official wrote in an email. “Cyber Command routinely coordinates with governmental partners to understand the potential risks and impacts to the private sector.”

Escalating tensions in the Persian Gulf in the wake of the Sept. 14 attacks on Saudi oil facilities have raised fears among Democratic lawmakers that President Trump could take military action against Iran without congressional authorization. Yet the ability of Cyber Command to conduct cyber missions before even notifying the president or Congress appears to have raised few hackles on Capitol Hill.

George H. W. Bush with Tower Commission members
Then-Vice President George H.W. Bush talking with Tower Commission members investigating the Iran-Contra affair. (Photo: Dirck Halstead/The Life Images Collection via Getty Images)

The issue of classifying certain types of operations as “traditional military activities” rather than as covert action dates back to the presidency of George H.W. Bush, when in the wake of the Iran-Contra scandal the government engaged in an internal debate over how to oversee covert action, according to John Rizzo, former acting general counsel of the Central Intelligence Agency. It was these discussions that produced the requirements for covert actions to be personally approved by the president and briefed to the so-called Gang of Eight — the Senate majority and minority leaders, the speaker and minority leader of the House, as well as the chairs and ranking members of the Senate and House intelligence committees.

Although the military already had secret units conducting operations that might otherwise have been considered covert action, the Defense Department argued successfully that what it termed “traditional military activities” should be exempt from these requirements and remain under the purview of the armed services committees. “It was a big point of contention,” said Rizzo, who took part in the negotiations. “They were terrified of getting into the covert action reporting and oversight regime.”

In addition to cyberattacks, the Pentagon’s carve-out has also affected areas such as low-visibility special operations missions and information operations.

“This all got written into the law,” but without a clear definition of “traditional military activities,” said Bobby Chesney, an expert on national security law at the University of Texas School of Law.

 
 

The Pentagon has since taken full advantage, according to Spaulding. “What has happened over time is that the exception from the definition [of covert action] for traditional military activities has grown and grown and grown, and basically now it covers virtually anything that the Defense Department does,” she told Yahoo News. “It has become a loophole that they have driven multiple Mack Trucks through.”

One of those trucks, according to Rizzo, contains offensive cyber operations. “I was there,” he said of the post-Iran-Contra negotiations. “I will promise you, no one was talking about cyber in 1989.” Referring to what he had read of Cyber Command’s intrusions into the Russian electrical grid, Rizzo said that “if CIA was in the lead, that would be covert action.”

Mike Rogers, a former Republican congressman who chaired the House Permanent Select Committee on Intelligence from 2011 to 2015, appeared to agree about the Cyber Command operation. “That would rise to the level of a covert action, in my mind,” he said when asked what activities currently overseen by the armed services committees should be moved under the purview of the intelligence committees.

John Rizzo
John Rizzo, former acting general counsel of the CIA. (Photo: Molly Riley/MCT via Getty Images)

But a defense official pushed back on the idea that the armed services committees had conducted some sort of surreptitious power grab. The 2019 law mandating that clandestine cyber operations be treated as traditional military activities “was voted upon by the whole of Congress to include members of both the House and Senate intelligence committees,” the defense official said.

During the negotiations after the Iran-Contra scandal, “the armed services committees backed [the Pentagon] because they didn’t want to give up their jurisdiction,” Rizzo said. This suited the military just fine, according to several sources. The Pentagon believed that it received “more compliant and complacent” oversight from those committees than it would get from the intelligence committees, Rizzo told an audience in Washington, D.C., during a June 24 panel discussion on intelligence issues. In this regard, “I was envious of the Pentagon,” he later told Yahoo News.

“There’s just a bigger love affair” between the armed services committees and the military than there is between the intelligence committees and the nation’s intelligence agencies, agreed Rogers.

Observers cited several reasons why the Pentagon might feel that its more covert activities will receive less harsh scrutiny from the armed services committees.

According to Rogers, the vast responsibilities for overseeing the entire U.S. military and the defense budget means the armed services committees can devote only a sliver of their time and resources to overseeing niche activities like clandestine cyber and special operations missions.

 
 

Spaulding questioned whether those committees were hiring staff with “the right skill sets” to oversee cyber operations. “My guess is that’s lagging, that the skill sets on the committees aren’t yet where they need to be,” she said.

A former intelligence committee staffer questioned the ability of the armed services committees to exercise the type of oversight required. Unlike intelligence committees, which often hold closed hearings away from the cameras, the former committee staffer said, the members of the armed services panels feel they need to publicly express support for the military. “It’s much harder for any member of Congress to be negative or critical — especially publicly so — about [the Pentagon] … because you’re supposed to trust and support our troops,” said the former intelligence committee staffer.

There are also the “iron triangle relationships between the committees, the defense industrial base and the Pentagon,” said Chesney, adding that those relationships give the committees control over “big chunks” of money. “There’s nothing quite like that for the intelligence committee relationship” with the CIA, he said.

But speaking to reporters July 24, Rep. Mac Thornberry, R-Texas, the senior Republican on the House Armed Services Committee, strongly rejected the notions that the armed services committees are too cozy with the military or that their staffs lack the requisite expertise to oversee cyber operations. “Anyone who would say that has not been in our closed, classified wire-scrubbing sessions where questions or concerns are voiced,” said Thornberry, who previously served on the House Intelligence Committee. “Especially in the areas where you can’t do it in public, we take those responsibilities very seriously.”

Nonetheless, some fear that by exempting Cyber Command’s missions from the normal covert action oversight regime, the Pentagon is running a dangerous risk. Offensive cyber operations are still a relatively new, extremely sensitive and risky phenomenon, with the potential for significant foreign policy and international law implications if something goes wrong, according to Spaulding. “That is characteristic of covert actions and why we put this oversight mechanism in place,” she said.

Suzanne Spaulding
Suzanne Spaulding, former CIA assistant general counsel. (Photo: Mark Wilson/Getty Images)

Some observers see an oversight role for congressional committees beyond the armed services and intelligence panels when it comes to Cyber Command’s recent activities. “If we shut down the power grid in Moscow, nobody would question that has foreign policy implications,” a congressional staffer said. “There’s a suite of activities that ... are falling through these oversight cracks,” said another congressional staffer.

Thornberry defended the House Armed Services Committee’s oversight of sensitive cyber operations, saying it was modeled on how the committee oversees special operations kill-or-capture missions outside the designated war theaters of Iraq and Afghanistan. “With something that literally takes place at the speed of light, you can’t come and have extensive consultations every click of the computer,” he said.

The House Armed Services Committee’s version of the 2020 National Defense Authorization Act includes a stipulation that the military brief the armed services committees within 15 days of conducting a secret cyber operation, rather than every quarter, as is the case now. The new language “may indicate that Congress is not satisfied with the degree to which the administration is keeping it informed about offensive cyber operations,” Spaulding said during the June 24 panel discussion. (But Rizzo said that CIA covert action programs have to be reported to Congress within 48 hours, which he noted was “a big difference” from 15 days.)

“I’ll confess, there’s been a little back and forth about getting certain information, especially some of the rules of engagement, ahead of time,” Thornberry said. The committee was working through these issues with the Trump administration, he added.

 
 

Despite the calls from some for the intelligence committees to gain greater authority over offensive cyber operations and, in some cases, low-visibility special operations missions, those committees have had their critics too.

Rogers voiced concern that the hyperpartisan behavior that has characterized Congress recently is affecting the committees’ ability to do their job. “Politics is overcoming the strategic oversight responsibilities of these committees,” he said. Rogers expressed particular worry over the House Intelligence Committee, saying that he wasn’t sure whether the members had “earned” the right to exercise oversight over the intelligence community.

Since Rep. Devin Nunes, R-Calif., became chairman in 2015, the House Intelligence Committee has increasingly become a forum for partisan mud-slinging, and little has changed since Nunes changed places with California Democrat Adam Schiff in January. This toxic dynamic is putting the public’s faith in the intelligence community at risk, according to Spaulding.

Devin Nunes
Devin Nunes, former chairman of the House Permanent Select Committee on Intelligence. (Photo: Chip Somodevilla/Getty Images)

“The intelligence oversight committees play such a crucial role in reconciling the inevitable tension between the openness and transparency that a democracy is premised upon and the secrecy that intelligence activities require,” she said. “When you see a committee behaving in a way that seems very political, it weakens the public’s confidence, I think, in the credibility of what they’re being told.”

The partisan rancor reduces the chances that Congress will tackle a subject as delicate as shifting the oversight responsibilities, according to Spaulding. “Really doing an overhaul of national security oversight would require the leadership to have the will to take jurisdiction from [some] committees and enlarge it in others,” she said. “And we haven’t seen a lot of evidence of that.”

That is cause for concern, according to Rizzo. “The oversight regime, especially in offensive cyber missions, needs to be updated,” the former CIA lawyer said. “I just doubt whether there’s any congressional appetite to do that.”

_____

Download the Yahoo News app to customize your experience.

Read more from Yahoo News: