Congress Authorizes U.S. Offensive CyberAttacks

by Julian Ku

Ah, the 2012 National Defense Authorization Act… has any defense spending bill had so much defense-related legal policy embedded in it?  In addition to all the very important stuff about military detentions, it turns out the NDAA also authorizes the U.S. military to engage in offensive cyber-attacks (h/t Gary Schmitt).

Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, allies and interests.

The act further clarifies that such actions should be subject to the

(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and (2) the War Powers Resolution.

It is hard to figure out (as Schmitt notes) what the point of this is, since it seems to confirm that the US military has the authority to do what it already has the authority to do (kind of like detaining enemy combatants, actually). I suppose it actually might restrain a more aggressive use of offense cyber-attacks, since it constrains it by limiting it to the “law of armed conflict.”  I am also a bit baffled as to how the War Powers resolution would limit such attacks. 

The larger issue here about the 2012 NDAA is that its controversial provisions do nothing more than confirm (at least in most cases) pre-existing legal authority: e.g. to conduct the war on Al-Qaeda, to detain enemy combatants outside of the civilian system, to try them in military commissions, and to conduct offensive cyber-attacks.   I suppose it is annoying to critics of these policies to see them embedded into statute, but will it have any serious practical difference in the conduct of U.S. government policy? It is hard to see.

7 Responses

  1. Response…
    “offensive” operations to “defend”?  What nonsense from the perspective of international law!  What about Articles 2(4) and 51 (“if an armed attack occurs”)  of the United Nations Charter?
    Some cyber-attacks on the U.S. might be “armed,” but Article 51 expressly requires that the attack take place.

  2. Cyberspace is not a real space. Would this allow action against U.S. based servers? Hacking Americans’ accounts? Seems to all fall within the broad text.

  3. Response…
    Sorry Eugene — your computer has been hacked in order to “defend our … interests.”

  4. Response…
    Question re: “breaking news” — was the CIA use of a drone to surveil Iranian nuclear sites, etc., like a cyber “attack”?  Was it a use of a “weapon”?  Is the mere receipt of information not an “attack”?  Just an impermissible intervention into Iranian airspace (subject to public opinion, diplomatic, economic, juridic sanctions (the latter if the U.S. agrees))?

  5. One does get a sense that this particular NDAA is a preparation for an armed conflict next year or in the near future which might entail holding numbers of American citizens or residents (people protesting such an armed conflict?) along with other nationals.

  6. Response…
    With respect to detention without trial, there has been recognition that Hamdi was limited to a law of war propriety, covered by the AUMF’s “appropriate” term, and limited to the actual armed conflict in Afghanistan.  See also Scalia’s dissent in Hamdi. Thus, some claim that broader detention legislation is needed — e.g., to detain professors who speak out! 

Trackbacks and Pingbacks

  1. […] Congress Authorizes U.S. Offensive CyberAttacks – Opinio Juris […]