How Lawyers are Ruining US CyberWar Defenses

by Julian Ku

Stewart Baker, former assistant secretary of Homeland Security during the Bush Administration, has this very powerful and clear explanation of how legal rules are weakening U.S. defenses against a cyber attack. Note the slam on using international law rules to regulate cyber war. (h/t Vincent Vitowsky).

Across the federal government, lawyers are tying themselves in knots of legalese. Military lawyers are trying to articulate when a cyberattack can be classed as an armed attack that permits the use of force in response. State Department and National Security Council lawyers are implementing an international cyberwar strategy that relies on international law “norms” to restrict cyberwar. CIA lawyers are invoking the strict laws that govern covert action to prevent the Pentagon from launching cyberattacks.

Justice Department lawyers are apparently questioning whether the military violates the law of war if it does what every cybercriminal has learned to do — cover its tracks by routing attacks through computers located in other countries. And the Air Force recently surrendered to its own lawyers, allowing them to order that all cyberweapons be reviewed for “legality under [the law of armed conflict], domestic law and international law” before cyberwar capabilities are even acquired.

The result is predictable, and depressing. Top Defense Department officials recently adopted a cyberwar strategy that simply omitted any plan for conducting offensive operations, even as Marine Gen. James Cartwright, then vice chairman of the Joint Chiefs of Staff, complained publicly that a strategy dominated by defense would fail: “If it’s OK to attack me and I’m not going to do anything other than improve my defenses every time you attack me, it’s very difficult to come up with a deterrent strategy.”

3 Responses

  1. I am not on the inside of this debate, but I don’t buy the constant meme from former Bush administration officials that debating the proper legal boundaries of our actions overseas is necessarily against our long (rather than short) term interests.  We must remember that whatever rules we adopt will be used against us.  We then must ask ourselves what those rules should be.  

    What is a bit puzzling to me is that a country using drones to eliminate threats in un- or weakly governed foreign lands can have any difficulty adopting a strategy for proactively eliminating threats in relatively ungoverned cyberspace. While I recognize that cyberspace is an even more uncertain environment in which to accurately identify threats, proportionate uses of offensive capabilities should not prove too difficult.

    This is perhaps the clearest example of the costs and benefits of adopting a war paradigm.  While the laws of war give freedom of offensive action, they place limits on those actions.  If there is some general law of self-defense that permits the elimination of threats without requiring compliance with the laws of war, or requiring only compliance with the principles of necessity, distinction and proportionality (as some have argued), then this seems an apt place for it.  I question whether such law exists at the international level.

  2. Although I understand the need for some legal boundaries it seems like we just get in our own way at times. The department of defense needs to have some rope in regards to this type of attack until we can better define what those legal limits should be. Without letting some rope out we will hang the defense department and make them powerless to do their jobs to protect this country.

  3. If the quote from Gen. Cartwright is a fair representation of the strategy for cyberwar, then (a) he is probably right that it is not a good strategy, but (b) it is in no way mandated by international law.
    Even classical, reactive self-defense (that is to say, the kind of self-defense that is neither anticipatory nor preventive) allows for a reaction to an armed attack that removes the risk of further attacks. It is not necessary for an attacked state simply to lick its wounds and improve its defenses on a ‘better luck next time’ basis. Rather, it is perfectly legitimate to move against an adversary’s aggressive capabilities. In other words: counterstrikes do not necessarily constitute prohibited armed countermeasures, but they are rather part and parcel of the law of self-defense.
    More generally, it is irritating to see neo-cons and the like talk up the constraints of international law, only to then be able to give the ‘international law rules to regulate cyber war’ a good ‘slam’. If a proposition of international law really is absurd, the likelihood is that it is also wrong.
    Some time ago, someone (I fail to remember who) said about a proposition relating to human rights law ‘this is absurd’ and ‘you couldn’t make it up’ – to which, predictably, the better-informed answer was ‘you could, and you did’.

Trackbacks and Pingbacks

  1. There are no trackbacks or pingbacks associated with this post at this time.