Last week, the U.S. Senate held confirmation hearings for Vice-Admiral Michael S. Rogers to replace General Keith Alexander as head of U.S. Cyber Command. It’s interesting to see how both men received almost identical written questions in their respective 2014 and 2010 hearings. More interesting perhaps are the similarities and variations in their responses with respect to how international law operates in cyberspace.
For example, in both 2010 and 2014, the Senate asked the nominee the same question: “Does the Defense Department have a definition for what constitutes use of force in cyberspace, and will that definition be the same for [U.S.] activities in cyberspace and those of other nations?”
Here was Alexander’s written response:
Article 2(4) of the U.N. Charter provides that states shall refrain from the threat or use of force against the territorial integrity or political independence of any State. DOD operations are conducted consistent with international law principles in regard to what is a threat or use of force in terms of hostile intent and hostile act, as reflected in the Standing Rules of Engagement/Standing Rules for the Use of Force (SROE/SRUF). There is no international consensus on a precise definition of a use of force, in or out of cyberspace. Consequently, individual nations may assert different definitions, and may apply different thresholds for what constitutes a use of force. Thus, whether in the cyber or any other domain, there is always potential disagreement among nations concerning what may amount to a threat or use of force.
Remainder of answer provided in the classified supplement.
And this is what Vice Admiral Rogers provided to the Committee last week:
DoD has a set of criteria that it uses to assess cyberspace events. As individual events may vary greatly from each other, each event will be assessed on a case-by-case basis. While the criteria we use to assess events are classified for operational security purposes, generally speaking, DoD analyzes whether the proximate consequences of a cyberspace event are similar to those produced by kinetic weapons.
As a matter of law, DoD believes that what constitutes a use of force in cyberspace is the same for all nations, and that our activities in cyberspace would be governed by Article 2(4) of the U.N. Charter the same way that other nations would be. With that said, there is no international consensus on the precise definition of a use of force, in or out of cyberspace. Thus, it is likely that other nations will assert and apply different definitions and thresholds for what constitutes a use a force in cyberspace, and will continue to do so for the foreseeable future.
Similarly, both hearings had the Senate asking “Could U.S. Cyber Command lawfully employ offensive cyber weapons against computers located abroad that have been determined to be sources of an attack on the United States or U.S. deployed forces if we do not know who is responsible for the attack (i.e., a foreign government or non-state actors)?“
General Alexander’s response:
The establishment of U.S. Cyber Command, in and of itself, does not change the lawful employment of military force for self-defense. In this case, if the “attack” met the criteria approved by the President in our Standing Rules of Engagement, the military would exercise its obligation of self-defense. Operationally, it is difficult to develop an effective response when we do not know who is responsible for an “attack”; however, the circumstances may be such that at least some level of mitigating action can be taken even when we are not certain who is responsible. Regardless whether we know who is responsible, international law requires that our use of force in self-defense be proportional and discriminate. Neither proportionality nor discrimination requires that we know who is responsible before we take defensive action.
Vice-Admiral Rogers got the same question plus an additional add-on sentence, asking ”Without confident “attribution,” under international law, would the Defense Department have the authority to “fire back” without first asking the host government to deal with the attack?” His written response?
International law does not require that a nation know who is responsible for conducting an armed attack before using capabilities to defend themselves from that attack. With that said, from both an operational and policy perspective, it is difficult to develop an effective response without a degree of confidence in attribution. Likely, we would take mitigating actions, which we felt were necessary and proportionate, to defend the nation from such an attack. I’d note that in such an event, U.S. Cyber Command would be employing cyber capabilities defensively, in the context of self-defense.
For me, I was struck by (a) the new emphasis on the ‘effects test’ that’s been bantered about for years in terms of identifying what constitutes a use of force subject to Article 2(4); (b) the lessened attention to ‘classified responses’, which peppered Alexander’s original written responses and that are now (thanks to Edward Snowden I assume) largely absent from Rogers’ answers; and (c) the softening of the language regarding the U.S. willingness to respond in self-defense where attribution is a problem.
What do readers think? Is this all one, harmonious, consistent U.S. policy? Or, are there shifts in these responses that bear watching? Anyone interested in comparing the remainder of the two testimonies can do so by seeing what Alexander wrote here versus Rogers’ more recent written responses here.