But the action inside the Russian electric grid appears to have been conducted under little-noticed new legal authorities, slipped into the military authorization bill passed by Congress last summer. The measure approved the routine conduct of clandestine military activity in cyberspace, to deter, safeguard or defend against attacks or malicious cyberactivities against the United States.
Under the law, those actions can now be authorized by the defense secretary without special presidential approval.
I could not find that exact text in H.R.5515 115th Congress (2017-2018). But if that really is the effect of that new law, it sounds like "Plan R" from Dr. Stangelove:
General "Buck" Turgidson: "Plan R is an emergency war plan in which a lower echelon commander may order nuclear retaliation after a sneak attack if the normal chain of command is disrupted. You approved it, sir. You must remember. Surely you must recall, sir, when Senator Buford made that big hassle about our deterrent lacking credibility. The idea was for plan R to be a sort of retaliatory safeguard."
President Muffley: "A safeguard?"
Turgidson: "I admit the human element seems to have failed us here. But the idea was to discourage the Russkies from any hope that they could knock out Washington, and yourself, sir, as part of a general sneak attack, and escape retaliation because of lack of proper command and control."
No I don't, and don't call me Shirley.
Fast forward to today and cyber is recognized as its own warfighting domain ("there is no cyber warfare, there is warfare in the cyber domain") and each branch is more or less doing its own thing, DoD kind of ties it all together, but the resources are all over the place. USCYBERCOM was a sub-unified command under US Strategic Command until last year when Trump and Mattis finalized its elevation to a Unified Combatant Command. As part of operationalizing USCYBERCOM, some authorities were released from POTUS down to the SECDEF and USCYBERCOM Commander levels. It allows for far more flexibility in cyber actions and responses.