Congress Authorizes U.S. Offensive CyberAttacks
Ah, the 2012 National Defense Authorization Act… has any defense spending bill had so much defense-related legal policy embedded in it? In addition to all the very important stuff about military detentions, it turns out the NDAA also authorizes the U.S. military to engage in offensive cyber-attacks (h/t Gary Schmitt).
Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, allies and interests.
The act further clarifies that such actions should be subject to the
(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and (2) the War Powers Resolution.
It is hard to figure out (as Schmitt notes) what the point of this is, since it seems to confirm that the US military has the authority to do what it already has the authority to do (kind of like detaining enemy combatants, actually). I suppose it actually might restrain a more aggressive use of offense cyber-attacks, since it constrains it by limiting it to the “law of armed conflict.” I am also a bit baffled as to how the War Powers resolution would limit such attacks.
The larger issue here about the 2012 NDAA is that its controversial provisions do nothing more than confirm (at least in most cases) pre-existing legal authority: e.g. to conduct the war on Al-Qaeda, to detain enemy combatants outside of the civilian system, to try them in military commissions, and to conduct offensive cyber-attacks. I suppose it is annoying to critics of these policies to see them embedded into statute, but will it have any serious practical difference in the conduct of U.S. government policy? It is hard to see.