New Laws for a New Cybercommand?

by Duncan Hollis

Today’s New York Times leads with the story of Pentagon plans to form a new cybercommand:

The Pentagon plans to create a new military command for cyberspace, administration officials said Thursday, stepping up preparations by the armed forces to conduct both offensive and defensive computer warfare. The military command would complement a civilian effort to be announced by President Obama on Friday that would overhaul the way the United States safeguards its computer networks.

White House officials say Mr. Obama has not yet been formally presented with the Pentagon plan. They said he would not discuss it Friday when he announced the creation of a White House office responsible for coordinating private-sector and government defenses against the thousands of cyberattacks mounted against the United States — largely by hackers but sometimes by foreign governments — every day.

But he is expected to sign a classified order in coming weeks that will create the military cybercommand, officials said. It is a recognition that the United States already has a growing number of computer weapons in its arsenal and must prepare strategies for their use — as a deterrent or alongside conventional weapons — in a wide variety of possible future conflicts.

The article (and other news stories) focus mostly on the defensive problems facing the United States as U.S. public and private information infrastructures increasingly find themselves subject to cyberattacks.  At the same time, these stories emphasize the bureaucratic battles over who should be in charge of U.S. cyberpolicy.  Given the creation of a “cyberczar” separate and apart from any new Pentagon cybercommand, the White House appears to have settled on trying to differentiate oversight of defensive efforts to protect civilian information infrastructures, which would broadly encompass the concept of cybercrime, from U.S. military capacity to engage in offensive or defensive cyberwar (although additional infighting between the Pentagon and NSA is reportedly ongoing over controlling U.S. cyberwarfare capacities).  

Broadly speaking, the increased attention to conflicts in cyberspace is a welcome development.  We’ve come a long way from the 1990s when “netwar” was an interesting hypothetical that many equated to science fiction.  Today, the threat AND potential of cyberspace as a vehicle for conducting conflicts among states, non-state actors, and even individuals are all too real.  So, it’s good to see the White House trying to adjust to this new reality on all fronts.  In particular, I was interested to see the NYT piece address the question of U.S. forces using cyberspace to conduct offensive operations, something earlier Administrations have reportedly approached with reluctance (e.g., in Kosovo, U.S. forces reportedly refrained from planned computer attacks against Serbian computer networks for purposes of disrupting military operations and basic civilian services out of concern that they’d be war crimes):  

The decision to create a cybercommand is a major step beyond the actions taken by the Bush administration, which authorized several computer-based attacks but never resolved the question of how the government would prepare for a new era of warfare fought over digital networks.

It is still unclear whether the military’s new command or the N.S.A. — or both — will actually conduct this new kind of offensive cyberoperations.

The White House has never said whether Mr. Obama embraces the idea that the United States should use cyberweapons, and the public announcement on Friday is expected to focus solely on defensive steps and the government’s acknowledgment that it needs to be better organized to face the threat from foes attacking military, government and commercial online systems. . . . “We are not comfortable discussing the question of offensive cyberoperations, but we consider cyberspace a war-fighting domain,” said Bryan Whitman, a Pentagon spokesman. “We need to be able to operate within that domain just like on any battlefield, which includes protecting our freedom of movement and preserving our capability to perform in that environment.”

As welcome as these developments are, however, real questions remain. First, as a practical matter, how sustainable is the dividing line between the civilian cyberczar and the planned cybercommand? The anonymity associated with cyberattacks will make it extraordinarily difficult to know whether an attack should trigger civilian or military defenses. Will the White House give the cyberczar authority over defending civilian targets, even though it’s easy to imagine that an attack on the New York Stock Exchange could come from terrorist or foreign militaries rather than the proverbial teenage hacker or individuals with criminal intentions? And should the Pentagon treat all attacks on military information infrastructure as triggering cyberwarfare questions, including those that come from U.S. citizens like our proverbial teenage hacker? Similarly, if we look to offensive cyberoperations, how much of a cyberattack can the Pentagon pursue without affecting civilian information networks (think, the Internet) and how often can it do so without risk of affecting U.S. resources or civilians in ways that might tread on the cyberczar’s turf?

Second, I’m still unclear on what rules the new cybercommand will follow.  Of course, I understand the classified nature of these issues.  That said, in creating a new cybercommand, is the Pentagon prepared to recognize a need for accompanying new rules to govern its behavior?  Just as we devised new rules on cybercrime, will Congress and/or the President enact new U.S. laws or regulations on the conduct of cyberwar?  And, how will the new cybercommand view the international law(s) that constrain and facilitate its operations? 

In 1999, the Defense Department authored a comprehensive and detailed assessment of the international legal issues associated with cyberconflicts. DOD’s report concluded that, at the time, it was “premature” to devise new rules for cyberspace, instead relying on analogies to existing international law as the source of norms for cyberconflicts. A decade later, I’m wondering whether DOD still thinks new rules would be premature? I certainly think the time has come to revisit the law-by-analogy approach and devise new rules, a point I’ve made in various formats, including an op-ed, a military article, and a longer, law review article. Is it possible that in recognizing the need to reorient U.S. forces to engage in cyberspace that the Pentagon now also appreciates the need to reorient the rules under which those forces will operate? It’s not clear from today’s news, although most of the feedback I’ve gotten to my earlier work has suggested DOD is not there yet. But if the Pentagon isn’t willing to engage in crafting new rules, will they at least explain why not? It may make sense to keep U.S. cyber-capacities, both offensive and defensive, secret, but what corresponding benefit can there be in keeping the governing rules secret as well? In the absence of clear rules, I worry about the dangers of unintended consequences over differing understandings of the rules (i.e., a cyber-op that U.S. forces don’t view as an armed attack is treated as such by foreign military forces and produces an armed, non-virtual response). I also think that we’re missing an opportunity to require cyberoperations to supplant guns and missiles when they can achieve the same military objective.

At a minimum, therefore, I’d hope today’s announcement serves to revive the conversation over what rules govern conflicts in cyberspace.  With or without a new cybercommand, we’re certainly going to need them.

UPDATE — The President’s speech is now available as is the Cyberspace Policy Review.  Interestingly, it hints at some movement on the need for clarifying or devising new laws for cyberspace. Under near-term action items, the Review recommends the Executive Branch take two actions on this front:

5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.
7. Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.

http://opiniojuris.org/2009/05/29/new-laws-for-a-new-cybercommand/

5 Responses

  1. In addition to your quotes, the review notes:

    At page 4:

    Answering the question of “who is in charge” must address the distribution of statutory authorities and missions across departments and agencies. This is particularly the case as telecommunications and Internet-type networks converge and other infrastructure sectors adopt the Internet as a primary means of interconnectivity. Unifying mission responsibilities that evolved over more than a century will require the Federal government to clarify policies for cybersecurity and the cybersecurity-related roles and responsibilities of various departments and agencies. The review team analyzed responses from more than 20 federal departments and agencies and identified cybersecurity-related policy gaps, overlaps in mission areas, and opportunities to improve collaboration.

    At page 10:

    The President’s cybersecurity policy official should work with departments and agencies to recommend coherent unified policy guidance where necessary in order to clarify authorities, roles, and responsibilities for cybersecurity-related activities across the Federal government. Law applicable to information and communications networks is a complex patchwork of Constitutional, domestic, foreign, and international laws that shapes viable policy options. In the United States, this patchwork exists because, throughout the evolution of the information and communications infrastructure, the Federal government enacted laws and policies to govern aspects of what were very diverse industries and technologies.
    As traditional telecommunications and Internet-type networks continue to converge and other infrastructure sectors adopt the Internet as a primary means of interconnectivity, law and policy should continue to seek an integrated approach that combines the benefits of flexibility and diversity of applications and services with the protection of civil liberties, privacy rights, public safety, and national and economic security interests. A paucity of judicial opinions in several areas poses both opportunities and risks that policy makers should appreciate—courts can intervene to shape the application of law, particularly in areas involving Constitutional rights. Policy decisions will necessarily be shaped and bounded by the legal framework in which they are made, and policy consideration may help identify gaps and challenges in current laws and inform necessary developments in the law. That process may prompt proposals for a new legislative framework to rationalize the patchwork of overlapping laws that apply to information, telecommunications, networks, and technologies, or the application of new interpretations of existing laws in ways to meet technological evolution and policy goals, consistent with U.S. Constitutional principles. However, pursuing either course risks outcomes that may make certain activities conducted by the Federal government to protect information and communications infrastructure more difficult.
    The Administration should partner appropriately with Congress to ensure adequate law, policies, and resources are available to support the U.S. cybersecurity-related missions. Congress has demonstrated interest and bipartisan leadership regarding the cybersecurity-related needs of the Nation, and the Administration would benefit from Congressional knowledge and experience. The cybersecurity policy official, working with departments and agencies, should consult with industry to understand the impact of laws and policies on business operations.

    At page 23:

    Responsibility for a federal cyber incident response is dispersed across many federal departments and agencies because of the existing legal, but artificial, distinctions between national security and other federal networks. Depending on the character of an incident—for example, a major vulnerability, a criminal attack, or a military incident—different departments or agencies may have or share the lead role for response, while others may never learn of the event. Moreover, the lead for the overall incident may not be clear. Although each player has defined areas of expertise and legal authorities, they are difficult to pull together into a single coordinated structure. Any consolidation of authorities in a unified structure may require legislation.

  2. Note, at page 20 of the cyber review:

    “International norms are critical to establishing a secure and thriving digital infrastructure. The United States needs to develop a strategy designed to shape the international environment and bring like-minded nations together on a host of issues, including acceptable norms regarding territorial jurisdiction, sovereign responsibility, and use of force. In addition, differing national and regional laws and practices—such as those laws concerning the investigation and prosecution of cybercrime; data preservation, protection and privacy; and approaches for network defense and response to cyber attacks—present serious challenges to achieving a safe, secure, and resilient digital environment. Addressing these issues requires the United States to work with all countries—including those in the developing world who face these issues as they build their digital economies and infrastructures—plus international bodies, military allies, and intelligence partners.
    In the past decade, federal communications, infrastructure, and cybersecurity-related policies developed along multiple paths. A more integrated approach to policy formulation would ensure mutually reinforcing objectives and allow the United States to leverage its international opportunities with consistent, more effective positions. The United States should adopt an integrated approach to national interests across a range of substantive areas—including cybersecurity and the protection of free speech and other civil liberties—to develop consistent policies.”
