The United States has sent Ukraine a variety of military equipment, including killer drones, Stinger surface-to-air missiles, Javelin anti-tank missiles, small arms, and ammunition. We should do more.
If ordered, U.S. Cyber Command could develop the ability to temporarily disable key Russian military, intelligence, or logistics networks. This would be a tremendous boon to Ukrainian forces. Moreover, such cyber operations would not be clearly traceable back to the U.S.—reducing the possibility of escalating tensions with Russia.
Unfortunately, it appears that National Security Council staff will force the Pentagon to navigate a time-consuming bureaucratic maze before it can include offensive cyber operations in the package of military assistance to Ukraine. The NSC staff stance echoes that of the Obama administration.
Washington has long invested billions of dollars annually to build immense capabilities for offensive cyber operations. Yet, for years, those capabilities went unused. Policy directives from President Obama created a multi-level bureaucratic review process that was too slow and cumbersome to enable timely or meaningful cyber operations.
The result was inaction in the face of growing cyber and conventional threats from Russia, China, North Korea, and Iran. The commander of U.S. Cyber Command recently testified that he was unaware of any cyber operations that took place under the Obama Administration’s policy process.
That changed in 2018, when President Trump, supported by the Fiscal Year 2019 National Defense Authorization Act, created a new process that delegated the authority to conduct time-sensitive offensive cyber operations to certain operating agencies, including the Department of Defense.
This new process struck a careful balance to enable timely offensive cyber operations within carefully defined parameters. For example, approval of actions above a certain threshold—including any cyber operation that would have a kinetic effect similar to that of a conventional operation—were reserved to the President, while the military could carry out smaller-scale operations following a streamlined interagency coordination process.
U.S. Cyber Command successfully deployed these newly delegated authorities to defend the 2018 and 2020 elections against Russian influence operations. In the key period ahead of the 2018 midterm elections, it temporarily shut down the Internet Research Agency, a Kremlin-associated troll farm involved in 2016 election influence. During the 2020 cycle, Cyber Command conducted more than two dozen operations to combat foreign threats to the election.
Combined with “hunt forward” operations, which position U.S. cyber operators alongside foreign partners to engage and defend against malicious cyber threats, offensive cyber operations are effective tools for the United States and our allies to counter an accelerating and dangerous cyber landscape.
The commander of Cyber Command disclosed “nine different hunt forward operations” that have helped our allies engage with persistent adversary threats, including most recently, assistance to Ukraine against Russia.
Other federal agencies can complement the military’s efforts with their own offensive cyber operations. Just this week, for instance, the Department of Justice and FBI announced that an offensive cyber operation had successfully removed Russian malware that was designed to create “botnets” from around the globe.
In spite of these successes, Biden’s NSC staff has reportedly launched an “interagency review” that aims to undo the Trump administration’s work streamlining reforms. Proponents of the review argue that the White House must control all decisions related to cyber operations, no matter how trivial the operation, to manage the diplomatic and strategic consequences of military action.
These short-sighted views capture the essence of the Obama and Biden administration’s inaction through bureaucratic malaise. As Sen. Angus King (I-Maine) recently noted, rescinding the Trump framework would be “a grave mistake [that] would undermine deterrence at the worst possible moment.”
If the review is to recommend positive policy changes, it should aim to improve interagency communication and speed the coordination and approval process for offensive cyber operations, not recreate a failed multi-tiered review process. President Biden should continue to delegate authority to operating agencies, and Congress should continue to provide the authorities and resources necessary to establish deterrence below the threshold of armed conflict.
Even as Russian forces retreat from the suburbs of Kyiv, the risk of cyberattacks against U.S. and allied critical infrastructure remains high. Vladimir Putin continues to wield powerful cyber tools, and he may use them to lash out at the United States and its allies. In the face of that threat, now is not the time to build bureaucratic obstacles to operations that could help stop Russian attacks before they begin.
This piece originally appeared in RealClear Defense