WASHINGTON — Tucked in the Senate Armed Services Committee’s annual defense policy bill is a provision to partner the US government with civilian hackers who experts and former military officials say could help the US tip the scales against China’s far deeper bench of cyber operators.
The committee seeks to authorize a pilot program that would assess the feasibility of conducting cyber operations limited to gaining access to systems using civilian contractors with their own infrastructure, but still under the operational direction and authority of US Cyber Command. It’s not clear the provision will become law, as the Senate and House must reconcile their versions of the National Defense Authorization Act before passing each chamber and receiving the president’s signature.
But the fact that this is being introduced is significant, according to nine experts who spoke with Breaking Defense. Some experts raised concerns that deputizing civilian hackers could trigger reprisals against civilian infrastructure and flout international norms; others see the provision as a chance to expand the US government’s cyber ranks and lean on America’s private sector advantage over China.
“I am hopeful this is indicative that inside the Department of War, but also up on Capitol Hill, people understand that we need to move towards a much closer relationship with the private sector,” Charlie Moore, distinguished visiting professor at Vanderbilt University and former deputy commander of CYBERCOM, told Breaking Defense in an interview. “We have to move beyond what we typically call partnerships and into becoming true teammates. The only way we’re going to scale to meet the qualitative and quantitative capabilities that we need against the likes of China is through close teamwork with the private sector.”
Some experts have raised alarm bells that China holds a 10:1 cyber personnel advantage relative to the US, where military cyber operators are in short supply. The Senate Armed Services Committee’s proposal could help even the playing field.
Russian, and to a lesser extent, Chinese actors implicitly deploy their private sector actors to conduct illicit cyber activity on behalf of the state as a means to achieve strategic objectives with some level of deniability.
Cyber operations are incredibly time consuming. In order to hit a target in the cyber domain, unlike dropping a bomb in the physical realm, operators need to gain access — which can take months to years — maintain that access, map the network and plan a tool for the effect. That foothold in a targeted system must then be covertly maintained until the order is given to attack, which could come years later or not at all.
“The solution to that problem is let’s just penetrate everything that the president might want to attack, and that’s a big deal because that’s a lot of targets,” Herbert Lin, senior research scholar at the Center for International Security and Cooperation at Stanford University, told Breaking Defense. “Cyber Command clearly can’t do all of that. So the question is, how do you do it? And this seems to be a way.”
The Senate provision follows discussions over the years to have industry take a more direct role in cyber operations. Those include “hack-back” proposals to allow companies to go after hackers who steal their materials, and repurposing a clause of the US Constitution once used to issue “Letters of Marque and Reprisal” to privateers attacking enemy vessels to instead deputize companies to conduct cyber operations on behalf of the government.
The benefit of the latest Senate provision is it allows the US government to retain direct control of operations, according to Moore.
“These are cyber operations conducted under direct oversight and control of Title 10 operators,” he said.
A Provocative Move?
The provision stops short of greenlighting contractors to conduct “effects,” which are not currently permitted under US law and would require department policy changes and congressional action.
While gaining access is technically considered an operation, a few experts who spoke to Breaking Defense noted that cyber effects — denying, degrading, disrupting, destroying, or manipulating targeted systems — are typically considered offensive, an act of war, and must be conducted by a government entity.
However, just the act of gaining access could be perceived by some foreign countries as an offensive action.
“It’s analogous to [saying], ‘let’s have the North Koreans dig a tunnel under the DMZ into South Korea,’ but they don’t send any troops in, they just dig a hole. Now, nobody believes they’re going to send people with flowers, but they haven’t done anything,” Lin said. “Does that count as an attack? It certainly counts as unfriendly, but is it an attack? As I say, that’s for lawyers to decide.”
Kurt Sanger, formerly CYBERCOM’s deputy general counsel, doesn’t see this paradigm as particularly controversial. Surreptitiously accessing foreign networks, he said, is akin to unlocking a door one is not authorized to open. That could be considered a minor trespass rather than a burglary.
“It’s not the same as intel gathering because you’ve taken a step towards having a cyber effect,” Sanger added. “But given the nature of the effects most US cyber operations cause, contractors won’t be connected to anything traditionally considered a provocative activity, and certainly [this] isn’t the type of kinetic activity that has led to escalation.”
Some experts equated these operations to the contractor-owned and -operated surveillance flights the US military already outsources to contractors who gather intelligence but don’t conduct effects.
The activities could still open industry up to some level of liability. While defense contractors have long been subject to cyber intrusions — such as the Chinese purporting to have stolen the specs for the F-35 from Lockheed Martin’s network — conducting cyber operations on their own infrastructure as opposed to government systems could make them legitimate military targets, according to Gary Brown, a professor at National Defense University and formerly the first senior legal counsel for CYBERCOM.
A former military cyber commander who also spoke on condition of anonymity questioned what the oversight for this Senate provision would look like, noting it will require significant human — not AI — attention, and it must strike a balance between proper oversight and not stifling the pilot effort with micromanagement. The commander also raised possible counterintelligence concerns regarding the risk of private sector employees conducting government-sanctioned cyber operations on their own infrastructure and the possibility of exposing tradecraft.
There is also the issue of international norms. Brown pointed to how the US has sought to maintain certain normative behaviors in cyberspace over the years, including by carving out protections for civilian infrastructure. He worried the Senate provision could “muddy” those waters and “nibble away” at that system, possibly opening the door to more regular attacks on civilian infrastructure.
Private Sector Advantage
Several experts who spoke to Breaking Defense said the Senate provision could help scale US cyber capabilities against the likes of China, noting it’s the only way the government can keep up with the level of manpower China employs in this space. Leveraging private industry would immediately increase the number of targets that can be held at risk by US agents, another former military cyber official said.
As a manmade domain, cyber is unique in that it requires persistent attention and maintenance of a target to ensure access remains even as patches and fixes are rolled out. With contractors doing that day-to-day work, military personnel are free to focus on effects and the “mastery” of cyber war, according to two former military cyber commanders.
Moreover, allowing the contracting community a more direct role in cyber operations fosters greater innovation and faster development of capabilities, experts said.
“Being on their own infrastructure, contractor-own[ed] and contractor-operated, immediately unlocks innovation at the speed of relevance. Because if I have a really cool tool or suite of tools that can help me perform a mission, I can utilize it right away. I don’t have to go through a lengthy requirements and acquisitions process,” Moore said. “That is how we fully capitalize on one of the most important advantages we have over the likes of China. We unlock and fully utilize the innovative solutions created by great American companies.”
Moore noted he hopes this evolves to eventually allow the contracting community to conduct effects operations as well, though still under the direct oversight and control of CYBERCOM, a much more complicated endeavor from a legal and policy perspective.
Several sources indicated that industry is, in fact, looking to do effects, standing ready for when the time might come.
