To most onlookers, the U.S. appears to be in the midst of a successful cyber defense campaign against Russia. As Gen.

Paul Nakasone,

commander of U.S. Cyber Command, recently testified before Congress, the U.S. military is deploying military members to the region to sit “side by side with our partners.” Cyber Command has also “crafted options for national decision makers” and is “conducting operations as directed.” Yet at a pivotal time in Ukrainian cyber defense, the Biden administration is reportedly considering a proposal to take away Defense Department authorities to conduct offensive cyber operations and reinstate a centralized approval process from the White House. This would be a mistake.

All departments and agencies within the federal government operate under different authorities, delegated from the president through executive policies and from Congress through law. These define what an organization can and can’t do and when it needs to ask for permission. In a conflict or military campaign, the president (and sometimes Congress) delegates authorities to the Defense Department to conduct operations.

Offensive cyber operations didn’t quite fit under existing military authorities, so the Obama administration created Presidential Policy Directive 20 in 2012. This directive created a centralized interagency review process to approve offensive cyber operations and gave other government organizations a veto over military cyber operations. The review process was slow, deliberative and prone to internecine fights: The intelligence community didn’t want to cede control over cyber operations; the diplomatic community worried over implications for international partnerships; the Pentagon was eager to come off the cyber sidelines. Not surprisingly, few if any offensive cyber operations made it through the review process, despite significant cyber incidents such as North Korea’s hack of


in 2014 and Russia’s cyber-enabled election interference in 2016. When Sen.

Mike Rounds

(R., S.D.) asked Gen. Nakasone in April about military offensive cyber operations under PPD-20, he replied, “I know of no effects operations ever conducted prior to 2018.”

For the Obama administration, military cyber restraint was an acceptable hedge against the risk of escalation. Faced with uncertainty about responses to cyberattacks, the administration chose to err on the side of inaction.

That perception of cyber risk changed during the Trump administration—and so did the military’s cyber authorities. While National Security Presidential Memorandum 13 remains classified, U.S. officials’ public statements suggest the policy delegates authorities to the Defense Department to conduct “time-sensitive” offensive cyber operations without a cumbersome interagency approval process. Concurrently, Congress delegated authorities to the Pentagon in the 2019 National Defense Authorization Act to conduct “military activity and operations in cyberspace,” including “active defense” against China, Russia, North Korea and Iran. The act went on to define this as traditional military activity not subject to a presidential finding, which is required for covert action.

In the decade since the Obama administration began defining U.S. offensive cyber policy, cyberspace has become less uncertain. Academic research and the emerging lessons from Russia’s invasion of Ukraine suggest that cyber operations don’t escalate to violence. Case studies, data analyses, experiments and war games all show the Obama administration’s fears about cyber escalation were misplaced.

Cyberspace isn’t the “Wild West.” Norms are being developed—both tacitly as actors operate and explicitly as states agree on formal cyber rules. The lack of violent responses to cyber operations, for example, suggests that states view cyberspace differently than conventional uses of force. And a United Nations Group of General Experts on cyberspace (which includes the U.S., China and Russia) agreed in 2021 that cyberattacks against critical infrastructure before violent conflict is inappropriate.

We know more about when and how cyber operations are most effective. They are best for espionage, perception shaping, or creating fog, friction and uncertainty, all of which are most effective at the early stages of conflict. Gaining access to networks and exploiting their weaknesses requires large investments, which is why highly centralized operations with tight control struggle to keep pace as network configurations change, patches are implemented, or other new controls are adopted. Ukraine has proved that bottom-up adaptation and experimentation are key to success, especially in cyberspace.

Critics argue that current cyber authorities gave the Pentagon free rein to conduct whatever offensive cyber operations it deems useful. But given how little evidence we’ve seen of U.S. offensive cyber operations in the general public, this is likely an exaggeration. Instead of taking away these authorities, the White House should clearly communicate what the Defense Department can do in cyberspace before a declared war or conflict and, as important, what it will not do. Finally, we should be wary of turning cyber authorities into a partisan debate.

Ms. Schneider is a fellow at the Hoover Institution.

Journal Editorial Report: The week’s best and worst from Kim Strassel, Jason Riley and Dan Henninger. Images: AFP/Getty Images/ABC/MSNBC/Zuma Press/Shutterstock Composite: Mark Kelly

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8