Reading Tea Leaves in Confirmation Hearings for U.S. Cyber Commander

by Duncan Hollis

Last week, the U.S. Senate held confirmation hearings for Vice-Admiral Michael S. Rogers to replace General Keith Alexander as head of U.S. Cyber Command.  It’s interesting to see how both men received almost identical written questions in their respective 2014 and 2010 hearings.  More interesting perhaps are the similarities and variations in their responses with respect to how international law operates in cyberspace.

For example, in both 2010 and 2014, the Senate asked the nominee the same question: “Does the Defense Department have a definition for what constitutes use of force in cyberspace, and will that definition be the same for [U.S.] activities in cyberspace and those of other nations?”

Here was Alexander’s written response:

Article 2(4) of the U.N. Charter provides that states shall refrain from the threat or use of force against the territorial integrity or political independence of any State. DOD operations are conducted consistent with international law principles in regard to what is a threat or use of force in terms of hostile intent and hostile act, as reflected in the Standing Rules of Engagement/Standing Rules for the Use of Force (SROE/SRUF). There is no international consensus on a precise definition of a use of force, in or out of cyberspace. Consequently, individual nations may assert different definitions, and may apply different thresholds for what constitutes a use of force. Thus, whether in the cyber or any other domain, there is always potential disagreement among nations concerning what may amount to a threat or use of force.

Remainder of answer provided in the classified supplement.

And this is what Vice Admiral Rogers provided to the Committee last week:

DoD has a set of criteria that it uses to assess cyberspace events. As individual events may vary greatly from each other, each event will be assessed on a case-by-case basis. While the criteria we use to assess events are classified for operational security purposes, generally speaking, DoD analyzes whether the proximate consequences of a cyberspace event are similar to those produced by kinetic weapons.

As a matter of law, DoD believes that what constitutes a use of force in cyberspace is the same for all nations, and that our activities in cyberspace would be governed by Article 2(4) of the U.N. Charter the same way that other nations would be. With that said, there is no international consensus on the precise definition of a use of force, in or out of cyberspace. Thus, it is likely that other nations will assert and apply different definitions and thresholds for what constitutes a use of force in cyberspace, and will continue to do so for the foreseeable future.

Similarly, both hearings had the Senate asking “Could U.S. Cyber Command lawfully employ offensive cyber weapons against computers located abroad that have been determined to be sources of an attack on the United States or U.S. deployed forces if we do not know who is responsible for the attack (i.e., a foreign government or non-state actors)?”

General Alexander’s response:

The establishment of U.S. Cyber Command, in and of itself, does not change the lawful employment of military force for self-defense. In this case, if the “attack” met the criteria approved by the President in our Standing Rules of Engagement, the military would exercise its obligation of self-defense. Operationally, it is difficult to develop an effective response when we do not know who is responsible for an “attack”; however, the circumstances may be such that at least some level of mitigating action can be taken even when we are not certain who is responsible. Regardless whether we know who is responsible, international law requires that our use of force in self-defense be proportional and discriminate. Neither proportionality nor discrimination requires that we know who is responsible before we take defensive action.

Vice-Admiral Rogers got the same question plus an add-on sentence, asking “Without confident ‘attribution,’ under international law, would the Defense Department have the authority to ‘fire back’ without first asking the host government to deal with the attack?” His written response?

International law does not require that a nation know who is responsible for conducting an armed attack before using capabilities to defend themselves from that attack. With that said, from both an operational and policy perspective, it is difficult to develop an effective response without a degree of confidence in attribution. Likely, we would take mitigating actions, which we felt were necessary and proportionate, to defend the nation from such an attack. I’d note that in such an event, U.S. Cyber Command would be employing cyber capabilities defensively, in the context of self-defense.

For me, I was struck by (a) the new emphasis on the ‘effects test’ that’s been bandied about for years in terms of identifying what constitutes a use of force subject to Article 2(4); (b) the lessened attention to ‘classified responses’, which peppered Alexander’s original written responses and that are now (thanks to Edward Snowden I assume) largely absent from Rogers’ answers; and (c) the softening of the language regarding the U.S. willingness to respond in self-defense where attribution is a problem.

What do readers think?  Is this all one, harmonious, consistent U.S. policy?  Or, are there shifts in these responses that bear watching?  Anyone interested in comparing the remainder of the two testimonies can do so by seeing what Alexander wrote here versus Rogers’ more recent written responses here.

4 Responses

  1. Interesting, for a couple of reasons. The definition of use of force provided by Vice Admiral Rogers is reminiscent of Rule 11 of the Tallinn Manual. Except that Tallinn recognizes that a non-cyber use of force may involve either kinetic or non-kinetic acts (see Nicaragua) and therefore suggests that a cyber use of force must have effects analogous to the effects produced by either kinetic or non-kinetic actions. Vice Admiral Rogers limits the notion of a cyber use of force to cyber actions producing effects ‘similar to those produced by kinetic weapons’. Sponsoring a friendly hacktivist in a foreign country and supplying him with cyber weapons is therefore not a use of force on the DoD view, it would seem.
    The other interesting point is the Vice Admiral’s claim that the legal definition of what constitutes a use of force in cyberspace is the same for all States, but that States disagree about that definition. So, if the law is made by States, what Vice Admiral Rogers is saying is that the legal definition of what constitutes a use of force is indeterminate. A reflection of the US view about the absence of a gap between the use of force and armed attack?

  2. Ultimately, there is much ambiguity and textwriters can make varied claims regarding what the U.S. prefers as well as what international law requires.  I am reminded about the point that Article 2(4) only prohibits three types of force.
    The last boxed quotation is particularly ambiguous — international law does not require that a state know who is responsible? with respect to what — a kinetic self-defense response or merely domestic attempts to stop and block? “mitigating” actions?
    And “a degree of confidence in attribution”? That raises an interesting question regarding what sort of proof should be required for attribution to a state, e.g., under the ICJ’s “significant involvement” test (Nic. v. U.S.).

  3. Aurel: but supplying hackers with “cyber weapons” may be sufficient for attribution re: hacker attacks under the “substantial involvement” test.

  4. Jordan, that’s exactly my point: supplying hackers with cyber weapons would amount to a use of force by analogy with supplying non-State actors with weapons. However, neither would amount to an actual use of kinetic weapons and therefore would not be considered as a use of force on the view taken by the Vice Admiral.
