Conventional wisdom holds that Congress has abandoned its duty regarding the government’s war powers. It is not hard to understand why. Between the agelessness and flexibility of the 2001 and 2002 Authorizations for Use of Military Force (AUMFs) and periodic unilateral uses of military force in Libya, Syria, and Iraq, the executive branch appears to act largely at its own discretion when it comes to conventional military operations. But matters are different in the cyber domain. With little fanfare and less public notice, Congress and the executive branch have cooperated effectively over the past decade to build a legal architecture for military cyber operations.
The development of this legal regime has coincided with innovations in the Pentagon’s cyber strategy, in particular its commitment to the “defend forward” operational model. Premised on the idea of “persistent engagement” with adversaries, defend forward calls for proactive and continuous U.S. military cyber operations, including on foreign networks and in the gray zone. U.S. Cyber Command’s efforts to disrupt Russian hackers and cyber trolls during the 2018 midterm elections provide a recent example of the defend forward posture in action. This operation and others like it raise pressing questions about the legal authority for and constraints on military cyber activity. For example, does the executive branch have specific statutory authorization to conduct the operations defend forward calls for, or must it lean on the existing AUMFs and Article II? How does the War Powers Resolution constrain the President in the cyber domain? Who within the government must authorize out-of-network military cyber operations? And what information must the executive branch provide to Congress and the public regarding military cyber activity?
Lawmakers have answered these questions by creating a framework comprised of four elements: (1) Authorization rules allocating decision-making authority between Congress and the executive branch; (2) Process rules governing the decision-making process within the executive branch; (3) Transparency rules that compel the executive branch to share information with Congress; and (4) Substantive rules that prohibit certain actions outright. This paper walks through each element, emphasizing how lawmakers have interpreted existing law and developed new law to address the particular challenges to which cyber conflict gives rise and create a functional yet accountable legal regime. The resulting structure is far less familiar to most observers than are its cousins—those architectures associated with conventional military operations and intelligence activities—but is no less important.