It will likely be some time, if ever, before one of our enemies succeeds at doing more than launching limited, opportunistic drone strikes at the US. By contrast, every day brings new revelations of how our enemies and rivals are finding new vulnerabilities in American cyber-defense.
Which is why it is so curious to compare this account of the multi-year process that has led to an expansion of DOD’s authority to approve defensive cyber-attacks with this account of Obama’s close hold on DOD’s drone targeting.
In both cases, you had several agencies — at least DOD and CIA — in line to execute attacks, along with equities from other agencies like State.
An interagency process had been started because cyber concerns confront a variety of agencies, the intelligence community and DoD as well as State, Homeland Security and other departments, with each expressing views on how the domain would be treated.
For much of Obama’s term, it seems, both DOD drone attacks outside of the hot battlefield and cyberattacks had to be approved by the White House. With drones, Obama wanted to retain that control (over DOD, but not CIA) to prevent us from getting into new wars.
But from the outset of his presidency, Obama personally insisted that he make the final decision on the military’s kill or capture orders, so-called direct action operations. Obama wanted to assume the moral responsibility for what were in effect premeditated government executions. But sources familiar with Obama’s thinking say he also wanted to personally exercise supervision over lethal strikes away from conventional battlefields to avoid getting embroiled in new wars. As responsibility for targeted strikes in places like Yemen, Somalia, and, over time, Pakistan shifts to the military’s Joint Special Operations Command, Obama will be the final decider for the entire program.
With cyber, White House control was designed partly to limit blowback — almost the same purpose as his micromanagement of drone targeting — but also to mediate disputes between agencies.
In every instance where cyber was involved, the NSC had to be involved. That helped settle some of the disputes between agencies by limiting any independent application of cyber capabilities, but was useful neither for expediting any cyber action nor for integrating cyber into larger military capabilities. Several sources said that this has slowed the integration of cyber into broader military tactics, possibly giving rivals without the same hesitation, like China, a chance to become more adept at military cyber.
Because every decision had to be run through the West Wing, potential political blowback limited the use of cyber tools, the former senior intelligence official said. “If they can’t be used without a discussion in the West Wing, the president’s got no place to run if something goes wrong when he uses them,” he said. Those decisions included what to do if the US confronted a cyberattack.
But over the course of the Obama Administration, DOD lobbied to increase its autonomy in both areas, in drones via the year-long process of crafting a drone rulebook, and with cyber, via the three year process of drafting new standing rules of engagement.
It had far more success in its efforts to expand autonomy with cyber.