Perspective: Cyber operationsMilitary Cyber Operations: The New NDAA Tailors the 48-Hour Notification Requirement
Congress will soon enact the National Defense Authorization Act for Fiscal Year 2020 (NDAA fiscal 2020), which includes a provision that will fine-tune the range of military cyberoperations subject to the 48-hour notification requirement associated with “sensitive military cyber operations.”
Congress will soon enact the National Defense Authorization Act for Fiscal Year 2020 (NDAA fiscal 2020), which includes a provision that will fine-tune the range of military cyberoperations subject to the 48-hour notification requirement associated with “sensitive military cyber operations.”
Robert Chesney writes in Lawfarethat
Congress for many years has been building a domestic legal framework to govern military cyber operations. Specifically, it has used the NDAA process to clarify the U.S. military’s affirmative authority to conduct operations in the cyber domain, to establish that these operations do not constitute “covert action” for purposes of U.S. domestic law even when conducted on a deniable basis, and to subject some such operations to a custom-designed notification-to-Congress rule that is akin to the more familiar one used for covert action. See here for a post, last summer, in which I summed up much of this work.
Chesney notes that the relevant rule regarding notification to Congress, enacted in 2017, is codified as 10 U.S.C.§ 395. It defines a category called “Sensitive Military Cyber Operations” (SMCOs), requiring the secretary of defense to give written notification of any such activity to the Senate and House Armed Services Committees within 48 hours. “This is modeled on the covert-action oversight rule, of course, but without the element of likely interagency involvement that comes from the covert-action requirement of presidential authorization, and with the oversight running to the armed services committees rather than intelligence committees,” he writes.
He describes and analyzes the different clauses of NDAA fiscal 2020, concluding:
The bottom line? Congress continues to do little-heralded but important work fine-tuning the domestic legal architecture within which U.S. Cyber Command performs its increasingly important mission. As in similar contexts such as the covert-action framework, this involves constant balancing and rebalancing that one hopes will achieve and preserve an optimal compromise between efficiency and responsible oversight. The new NDAA appears to be a thoughtful contribution to that project.
