On October 3-4, 2016, I was privileged to be invited to attend and speak at the annual conference organized by the Staff Judge Advocate for USCYBERCOM, Colonel Gary Corn. I attended the two unclassified days of the conference (two days of classified discussion followed). Fellow Lawfare bloggers Bobby Chesney and Carrie Cordero were also in attendance. The conference was under Chatham House rules but with the organizer’s kind permission, I wanted to blog a few of the most salient insights (from my own idiosyncratic perspective) derived from the two days of discussion I observed:
- The degree to which cyber warfare is being rapidly operationalized is underappreciated outside of the military (and perhaps even inside it). Though I was fully aware that USCYBERCOM had been filling its billets and reached a full complement of more than 6000 troops I did not understand the full scope and nature of their activities. To summarize a wide-ranging survey in a short pithy way, American cyber combatants are increasingly capable of engaging in cyber conflict activities (not all of which rise to the level of armed conflict) across the globe. The troops are organized in 40-70 person teams that have both offensive and defensive capabilities and are, when authorized, readily deployed (in both the virtual and physical sense) under the command of Admiral Rogers, the USCYBERCOM Commander.
- Speaking of the Commander of USCYBERCOM—there was a refreshingly candid (albeit under Chatham House rules) split of opinion voiced on the gnawing question of whether USCYBERCOM should be completely removed from the NSA. The best argument I heard against the move was of the “it’s a question of when, not if, and we aren’t quite ready” variety. The best argument in favor was that continued connection was retarding the development of a clear “military cyber culture of conduct” that was independent of the influence of an intelligence community perspective.
- It was surprising how little prospect most participants saw for any realistic deterrence model in cyberspace. This conclusion will come as no surprise to those who’ve read Jack’s analysis of the DNC Hack but it is nonetheless a bit depressing. Still the perception is that given the scope of global entanglement; the persistency of contact in the domain; and the flattening of attack capabilities, we are entering an era where a new paradigm of conflict management is necessary – and we don’t have one yet. Indeed, given how persuasive the case for the “difference” of the cyber domain is, I came away with the personal view that forcing cyber conflict questions into the cabin of existing Law of Armed Conflict requirements is, in the mid-to-long term, going to be unsustainable.
- For me, the most engaging discussion was of the prospects for international law in the space of cyber conflict that does not rise to the level of an “armed attack” or a “use of force” under the UN Charter. Later this year, the authors of the Tallinn manual will release a second volume (appropriately titled Tallinn 2.0) that address a host of “sub-war” issues such as neutrality, counter-measures, and retortion.
- One of the most interesting of these (or perhaps vexing is a better word) is the disputed question of whether “sovereignty” exists as an independent ground for judging the lawfulness of cyber activity. The majority view among commentators seems to be developing that sovereignty is a stand-alone aspect of a nation and that international law protects against its violation. The minority view seems to be that sovereignty is not an independent value and that international law violations arise from the means by which sovereignty is intruded upon, not from the intrusion vel non.
- To see why this is important, consider the question of espionage which has a lengthy history and would seem (at least to me) to be an activity unregulated by international law as evidenced by extensive state practice. If we see sovereignty as an independently protected aspect of a nation’s nature then we are going down the road toward declaring traditional espionage unlawful. And we are also starting down a road to declare many aspects of cyber intrusion unlawful. I wonder about that conclusion. Under the majority view, for example, the simple accessing without authorization of a computer or network located inside the territory of another State, without more, might be an international law violation – as opposed to a matter better left to the realm of diplomacy.
That’s just a taste of the first two days and it only begins to scratch the surface of issues and concerns that are at the intersection of law and cyberwar today. I haven’t mentioned the many other issues (the role of the ICRC; the concept of direct participation in hostilities, to name two) that were discussed. What struck me most saliently was the seeming routinization of law and cyber war. Six years ago when this conference was first held, I am told that fewer than 20 lawyers were in attendance—and that encompassed nearly everyone in the military who knew anything about the topic. This year attendance was an order of magnitude larger, which is, perhaps, is the most significant takeaway.