Pentagon Grants Cyber Command Faster Authority for Defensive Strikes, Sources Say

New Delegation Takes Effect Feb. 1

The Pentagon has granted U.S. Cyber Command new authority to launch certain defensive cyber operations against foreign networks without obtaining case-by-case approval from the White House, according to two operators at the command and a congressional staffer on the House Armed Services Committee. The classified memorandum, signed by the secretary of defense on Jan. 20, 2026, delegates decision-making for operations below a specified impact threshold to the Cyber Command commander and the secretary himself, the sources said. The new authority takes effect Feb. 1.

Under the previous process, operators said, each defensive operation required review through the National Security Council and a formal approval memo signed by the secretary of defense or a presidential finding. The new framework establishes a tiered approval structure: operations expected to cause less than $10 million in damages, affect fewer than 1,000 foreign computer systems, or produce no foreseeable physical effects can be authorized by the Cyber Command commander after notification to the secretary, the operators said. More significant operations would still require NSC review.

A former NSA targeting officer who worked on similar authorities said the change reflects frustration within the workforce over delays that sometimes allowed adversary infrastructure to remain active for weeks while approvals moved through interagency channels. The former officer, who left government service in 2024, said the new threshold was calibrated to match recent operations against Iranian and Russian proxy networks that had been held up by procedural reviews.

The classified memo was circulated to senior leaders at Fort Meade, Maryland, on Jan. 21 following a deputies committee meeting at the White House on Jan. 19, the congressional staffer said. Legal counsel at Cyber Command spent the following two days drafting implementation guidance that will be distributed to operational units by Jan. 30, the staffer added.

Operation Types and Limits

The delegated authority covers what the military calls "defensive cyber operations," which include disrupting command-and-control servers used by ransomware groups, disabling infrastructure used to stage espionage campaigns against U.S. agencies, and interdicting foreign proxies before they can launch attacks on critical infrastructure, the operators said. It does not extend to offensive cyber strikes aimed at destroying targets or causing physical damage, which remain subject to presidential authorization under Title 10 and covert-action authorities.

The Jan. 20 memo specifies that operations must be linked to an active or imminent threat to U.S. networks, military systems, or designated critical infrastructure, the congressional staffer said. It also requires Cyber Command to notify the House and Senate Armed Services committees within 48 hours of any operation conducted under the delegated authority, according to the staffer, who was briefed on the memo Jan. 21. The notification must include an estimate of collateral effects and a description of the foreign network targeted.

The operators said the new authority was developed in response to a series of classified after-action reviews following operations in late 2025, including a December campaign against a Chinese state-sponsored group that had compromised dozens of water utilities. Those reviews found that the average time from target identification to operation execution was 47 days, by which point adversaries had often shifted infrastructure or altered their tactics.

The $10 million damage threshold is defined as the estimated replacement cost of foreign hardware, software, and data, excluding costs associated with lost business or reputational harm, the former NSA officer said. Operations that could affect U.S. persons or domestic networks remain excluded from the delegation and require separate Attorney General approval under Executive Order 12333.

Workforce Reaction and Oversight Questions

Reaction inside Fort Meade, where Cyber Command and the National Security Agency share facilities, has been mixed, the operators said. Junior and mid-level planners welcomed the change, saying it would let them respond to threats at the speed of malicious activity rather than at the pace of bureaucratic review. Senior attorneys and policy advisers expressed concern that even tightly bounded delegation could create ambiguity during fast-moving operations, one operator said.

The congressional staffer said the Armed Services Committee expects to hold a closed hearing on the new authority within 30 days. Committee members want to examine whether the $10 million impact threshold is clearly defined and whether the 48-hour notification requirement provides adequate oversight, the staffer said. A second staffer on the Senate Select Committee on Intelligence said that panel had not been briefed as of Jan. 22 and planned to request a formal readout early next week.

The change arrives as the administration prepares to release a classified cyber strategy update in March. Two defense contractors present at a Jan. 15 industry briefing said the strategy would emphasize "continuous engagement" and closer coordination between Cyber Command, the FBI, and the Cybersecurity and Infrastructure Security Agency. The new delegation appears designed to give military operators a faster lane within that broader framework, the contractors said.

What to Watch

Watch for an unclassified fact sheet from the Defense Department in the coming days summarizing the delegation. Operators said the first operations under the new authority could come within two weeks, likely targeting ransomware infrastructure associated with Russian-speaking criminal groups that have recently probed hospital networks. The congressional staffer said the Armed Services Committee has asked Cyber Command to provide a monthly tally of operations conducted under the delegated authority beginning March 1.

Legal scholars and former officials will scrutinize whether the delegation tests the boundaries of the president's authority under Article II and the War Powers Resolution. The former NSA targeting officer said the memo includes a 90-day review clause allowing the secretary to suspend the authority if congressional leaders raise objections. That clause suggests the Pentagon expects intense scrutiny, the officer said.

Major news outlets are likely to confirm the policy change by Monday or Tuesday as officials begin briefing lawmakers. A Pentagon spokesperson did not respond to requests for comment on Jan. 22.