Cyberattacks and the Constitution

By Matthew Waxman
Thursday, November 12, 2020, 8:01 AM

The United States has one of the world’s strongest and most sophisticated capabilities to launch cyberattacks against adversaries. How does the US Constitution allocate power to use that capability? And what does that allocation tell us about appropriate executive-legislative branch arrangements for setting and implementing cyber strategy?

The term “cyberattack” is often used loosely. In this essay, I define a cyberattack as action that involves the use of computer code to disrupt, degrade, destroy, or manipulate computer systems or networks or the information on them. I am not including cyber operations that are purely for information gathering or to map foreign networks in preparation for future cyberattacks.

This definition of cyberattack still includes a wide array of operations. On one end are attacks on computer systems that have effects—including kinetic, sometimes violent ones—outside those systems. Examples include the Stuxnet attack that brought down some of Iran’s nuclear centrifuges and the 2017 NotPetya attack, widely attributed to Russia, that targeted major Ukrainian companies and government agencies but spread widely and disabled computers—as well as commerce dependent on them—around the globe. At the other end are the types of low-level and often discrete attacks that appear to be contemplated by the United States “Defend Forward” concept. Examples include infiltrating adversary networks and deleting or corrupting data, or US Cyber Command’s operations that disrupted the networks of Russia’s infamous “Internet Research Agency” troll farm in the run-up to the 2018 US midterm elections. There are of course many possibilities in between.

This essay offers a way to think about the constitutional distribution of powers between the president and Congress governing the use of US cyberattack capabilities. Some commentators and analysts view this problem almost reflexively as a “war powers” issue—a term I use throughout this essay to refer to the political branches’ respective constitutional authority over the hostile use of military force. That is especially true as one moves up the scale of expected damage. A corollary to that constitutional issue is a statutory question: Namely, how should the 1973 War Powers Resolution, which was intended to restrict extensive military hostilities without congressional approval, be interpreted or amended to account for cyberattacks? The imprecise rhetoric of “cyberwar,” “cyber conflict,” and “cyberattacks” probably contributes to this legal framing.

But many—and probably almost all—cyberattacks undertaken by the United States cannot plausibly be viewed as exercises of war powers. Indeed, the entire Defend Forward concept appears to involve low-level operations well below the “use of force” threshold under international law and far short of the types of operations that have typically triggered war powers analysis under domestic constitutional law.

This essay argues that as a conceptual and doctrinal matter, cyberattacks alone are rarely exercises of war powers—and they might never be. They are often instead best understood as exercises of other, nonwar military powers, foreign affairs powers, intelligence powers, and foreign commerce powers, among other constitutional powers not yet articulated. Although this more fine-grained and fact-specific constitutional conception of cyberattacks leaves room for broad executive leeway in some operational contexts, this discretion is often the result of congressional delegation or acquiescence as opposed to any inherent constitutional authority on the part of the president. At the same time, these alternative understandings of cyberattacks also contain a strong constitutional basis for Congress to pursue legislative regulation of the procedural and substantive parameters governing cyber operations.

Beyond those descriptive claims, this essay argues that a rush to treat cyberattacks as implicating war powers misguides criticisms about the role Congress is or is not playing in regulating cyberattacks. This is because participants in war powers debates often bring intense and polar normative stances about the appropriate institutional arrangements governing the exercise of those powers. On one end are those who prize executive speed, agility, and secrecy—and therefore presidential freedom from congressional interference. On the other end are those who see formal congressional approval for military campaigns as being of paramount constitutional importance. The latter, who want to roll back presidential unilateralism, often see cyberattacks as yet another problematic means by which presidents can evade proper congressional checks on war. But in their focus on congressional approval for military intervention, and by extension for at least some high-intensity cyberattacks, those critics may overlook other institutional arrangements that are better tailored to US cyber strategy, especially to the sort of lower-intensity activities that make up Defend Forward. They also may overlook the many important ways in which Congress is already actively involved in shaping and facilitating that strategy.