With the release of the Cyberspace Solarium Commission report, there has been much discussion about the future of cyber policy. A key component of the Trump administration’s current cyber policy, however, has been obscured from Congress for months, until recently.
National Security Presidential Memorandum 13, United States Cyber Operations Policy, or NSPM-13, is the document governing how the Department of Defense’s (DoD) offensive cyber operations are approved. NSPM-13 went into effect in 2018, and for over a year, Congress had not seen the memorandum.
“Having reviewed the relevant National Security Presidential Memorandum, I am now more confident that the necessary checks are in place to ensure that our actions in cyberspace contribute to stability of the domain rather than undermining it,” Rep. Jim Langevin, D-R.I., a House Armed Services Committee member and one of the Solarium commissioners, said in a statement.
The General Counsel for DoD, in remarks given earlier this month, said NSPM-13 “allows for the delegation of well-defined authorities to the Secretary of Defense to conduct time-sensitive military operations in cyberspace.”
It took over 17 months, Langevin said, for the administration to provide documents needed for Congress to conduct oversight of the operations. A spokeswoman for the Senate Armed Services Committee said members were also able to review the NSPM-13.
The House Armed Services Committee sent a bipartisan letter to the president last year requesting the information. The February letter, a copy of which was obtained by The Wall Street Journal, was signed by Chairman Adam Smith, D-Wash., top Republican Rep. Mac Thornberry of Texas, and the leaders of intelligence and emerging threats subcommittee, Langevin and Rep. Elise Stefanik, R-N.Y.
After months of not receiving the information, lawmakers included a provisions in the National Defense Authorization Act to require the document and a report from the Secretary of Defense.
After the president signed the defense bill into law in December, the Secretary of Defense was required by March 1 to provide to the congressional defense committees a written report “summarizing all named military cyberspace operations conducted in the previous calendar year.”
DoD did not respond to inquiries about the briefing.
“I will continue to press the Administration for meaningful metrics for success that go beyond simply the number of operations conducted,” said Langevin, “so that Congress can be sure we continue to strike an appropriate balance with our more forward-leaning posture.”