Cybersecurity and Deterrence
The Pentagon’s General Counsel on the Law of Military Operations in Cyberspace
How does the Defense Department understand the legal frameworks that govern operations in the cyber domain? Last week, the department’s general counsel gave a speech setting forth the department’s current position (which might or might not reflect the views of the U.S. government as a whole) in relation to both domestic and international law. Here’s what you need to know.
1. Is this the first time a U.S. government official has weighed in on this topic?
No. In 2012, State Department Legal Adviser Harold Koh gave a speech concerning the U.S. government’s views on the applicability of international law to operations in the cyber domain (see p. 593 of the 2012 Digest of United States Practice in International Law), and in 2016 his successor Brian Egan did the same (see p. 815 of the 2016 Digest of United States Practice in International Law). And it’s worth noting, too, that the Defense Department’s Law of War Manual (issued in 2015) has a chapter on the subject (see ch. 16 of the manual, starting on p. 994). The best way to think about last week’s speech by Defense Department General Counsel Paul C. Ney, Jr., therefore, is as an update to these prior efforts from the department’s perspective, and as a similar contribution to understanding how the department understands the domestic legal framework.
2. I want to read the full text of the speech. Where is it?
Read the whole speech here.
3. Regarding domestic law, what are the most interesting elements of the speech?
a. Insight into the NSPM-13 framework
Let’s start with a small but intriguing element, one that concerns the executive branch’s internal rules determining when military commanders have authority to use cyber capabilities without seeking the president’s approval.
Through National Security Presidential Memorandum 13 (NSPM-13), the Trump administration gave the Defense Department greater discretion to make the decision to conduct certain cyber operations without requesting a specific presidential authorization. The precise details of the resulting framework remain classified, however, so any indications revealing just how the current system is calibrated can be tantalizing.
In Ney’s speech, we get a brief glimpse of something that perhaps has not been stated publicly before. We already knew that NSPM-13 focused on delegating authority for “actions that fall below the ‘use of force’ [threshold] or a level that would cause death, destruction[,] or significant economic impacts ….” To this, we might now add a timing element: According to last week’s speech, NSPM-13’s delegation of authority concerns “time-sensitive” operations.
This is interesting, because it raises the possibility that the Defense Department enjoys discretion to conduct cyber operations without presidential involvement in a slightly narrower range of circumstances than some of us thought might be the case. Then again, it’s also possible that the brief reference to “time-sensitive” operations reflects only a part of the NSPM-13 framework, and in any event we do not know how strictly “time-sensitive” has been defined.
b. How the Defense Department thinks about separation of powers issues
The speech’s depiction of the domestic law framework opens with a discussion of the “separation of powers” question: When does the executive branch have domestic law authority to conduct military cyber operations? The discussion that follows is exactly what I had expected and tracks with the Defense Department’s stated views addressing domestic authority to conduct kinetic, as opposed to cyber, operations. The speech contends that the president has Article II authority to conduct operations to advance national interests—at least when the context remains below the threshold of “war” in the constitutional sense—and that this authority also extends to “defense of the nation and federal persons, property, and instrumentalities” even if above that threshold. The speech also notes the potential relevance here of authorizations for the use of military force and, especially, the express statutory authorization for U.S. Cyber Command to conduct proportional operations in response to Chinese, North Korean, Russian or Iranian attacks that are ongoing and systematic.
c. Does the Computer Fraud and Abuse Act (CFAA) apply to limit military operations in cyberspace?
Plainly, application of the CFAA to military cyber activities would be a tremendous obstacle to those operations. Many such operations would violate 18 U.S.C. § 1030(a)(2) insofar as they breach the statute’s prohibitions on “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] … information from [a] protected computer.” The term “protected computer” covers any computer “used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States”—concepts that would be satisfied by computers connected to the internet, for example. And other operations would violate 18 U.S.C. § 1030(a)(5), which forbids intentionally causing damage to a protected computer without authorization.
Since it’s obvious that the CFAA was not enacted in order to protect the systems of foreign adversaries from U.S. military activity, it is worth pausing to ask why the Defense Department would make a point of addressing the question of the CFAA’s potential applicability in this speech. The answer is that the CFAA is poorly drafted on this question. Here’s the problem: Congress anticipated that someone might argue that law enforcement and intelligence officers might engage in activity that might seem to violate the CFAA and added specific statutory language at 18 U.S.C. § 1030(f) to rule out any effort to construe the CFAA to apply to “lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States … or of an intelligence agency of the United States.” Congress did not anticipate military activity, however, and neglected to include it in that safety-valve provision.
The speech argues that the exception should be read into the statute nonetheless, reasoning both that Congress did not originally intend the law to encompass such activity and, in any event, that subsequent congressional actions to authorize Cyber Commands activities (as noted above) reflect an assumption that the CFAA does not apply. This seems right to me.
d. Military cyber operations do not count as “covert action”
I’ve written about this a great deal on Lawfare (see, e.g., here), and won’t repeat that here. Suffice to say that the speech properly recognizes that military cyber activity generally constitutes “traditional military activity” and therefore does not trigger the “covert action” statutory framework.
e. How does the First Amendment apply to military operations intended to disrupt foreign propaganda efforts targeting U.S. audiences?
Now that is an interesting question. The speech acknowledges the importance and difficulty of this question. Defense Department lawyers, we are told, consider factors including “whether the operation is targeting the foreign actors seeking to influence U.S. elections covertly rather than the information itself; the extent to which the operation may be conducted in a ‘content-neutral’ manner; and the foreign location and foreign government affiliation of the targeted entity.”
The speech did not cite this example, but it is easy to see how these sorts of questions may have been part of the legal vetting associated with Cyber Command’s interventions against the Russian Internet Research Agency at the time of the 2018 U.S. midterm elections.
4. What about international law?
The speech stakes out the following positions:
a. A gentle shot at the Tallinn Manual
“Initiatives by non-governmental groups like those that led to the Tallinn Manual can be useful to consider, but they do not create international law, which only states can make.”
b. Of course international law applies in cyberspace
“It continues to be the view of the United States that existing international law applies to State conduct in cyberspace.”
c. What counts as a “use of force” in cyberspace?
In determining whether a cyber operation constitutes a “use of force,” the Defense Department uses an effects test, meaning that it “consider[s] whether the operation causes physical injury or damage that would be considered a use of force if caused solely by traditional means like a missile or a mine.” Notably, though, the speech does not expressly exclude the possibility that the force threshold might be crossed in other circumstances, too—such as a strategically significant cyberattack on the integrity of data in the financial system. In short, it appears to me that the Defense Department is maintaining a bit of purposeful ambiguity on that point.
d. What counts as prohibited “intervention”?
The speech accepts that the prohibition on coercive intervention “in the core functions of another State (such as the choice of political, economic, or cultural system)” is a rule of international law and that this rule applies in the cyber domain. And it cites interference with the “ability to hold an election” and tampering with election results as examples of conduct that would cross this line. But it asserts (correctly, in my view) that there is “no international consensus among States on the precise scope or reach” of this rule. The speech notes that other states have argued that the rule also would be violated by disruption of the “fundamental operation of a legislative body” or “destabiliz[ation of] their financial system.” The speech does not assert that the Defense Department (let alone the U.S. government as a whole) takes the same view, though it does not rule out that possibility either.
The speech emphasizes that consent from a state will obviate such objections, so long as the operation in question stays within the boundaries of that consent.
e. When does the option of “countermeasures” become available?
The notion of countermeasures refers to the idea that a state may engage in otherwise-unlawful measures in proportionate response to an internationally wrongful act of another state, in order to stop the other state’s wrongful action. This is an important topic, particularly insofar as one takes a broad view of what constitutes a violation of the rule against coercive intervention, and even more so if one supports the position (described below) that “sovereignty” more generally is a rule of international law. Simply put: The wider the array of international law constraints on cyber activities, the more important it is to be able to describe one’s cyber domain activities as proper countermeasures.
What makes this topic tricky? Uncertainty about three things: attribution, which acts trigger the right to resort to countermeasures and whether there is a “prior demand” requirement.
First, consider attribution. The problem here is simple: Countermeasures must be directed at the offending state, and hence uncertainty about attribution can necessarily stand in the way of taking action.
Second, consider the predicate act triggering the right to resort to countermeasures: As noted above, there is debate about the boundaries of the rule against coercive intervention. And as described below, there is debate too regarding the status of “sovereignty” as a rule of international law (as opposed to the obvious status of sovereignty as a general principle, which informs a variety of rules, including of course the U.N. Charter). One upshot of this state of affairs is that this makes it unclear when the condition for using countermeasures has been satisfied.
Third, consider the idea that a “prior demand” might be required before carrying out a countermeasure. Some take the view that a state intending to use countermeasures must first give notice to the offending state, demanding that the offender cease its unlawful conduct. Such advance notice might have negative effects on the prospects for operational effectiveness, of course, and also might prevent effective resort to deniable methods. And so the question arises: Does the Defense Department agree that a priori demand is required?
The speech notes that there is disagreement among states concerning this question but ultimately declines to take a clear stance on the matter. Still, this express agnosticism appears to be a departure from the 2016 speech by State Department Legal Adviser Brian Egan, moving in the direction of skepticism about a prior demand requirement. Egan had said that “[t]he doctrine of countermeasures … generally requires the injured State to call upon the responsible State to comply with its international obligations before a countermeasure may be taken[.]” The word “generally” in that sentence implied the existence of unspoken exceptions—exceptions that might be particularly relevant in the context of cyber operations (as the U.K. attorney general asserted in this much-discussed 2018 address)—and so there may be no practical difference between this position and last week’s speech. Still, as a formal matter, the 2016 position of the U.S. government did not appear to question the applicability of the prior demand rule as a general matter, whereas last week’s speech treats the idea as up for grabs.
What is the upshot of all this uncertainty? The speech offers a tantalizing clue. It says that it is “common” for there to be circumstances in which attribution and wrongfulness are indeterminate, or at least cannot be determined quickly enough given the speed with which some particular responsive action is needed in light of ongoing harms. In such cases, the speech asserts, “countermeasures would not be available.” But what exactly follows from this? Perhaps it means our hands are tied, out of a belief that the necessary responsive measure would itself be unlawful and therefore cannot occur without the United States more clearly having the right to resort to countermeasures. It also is possible, however, that in such cases the United States carries out its preferred response anyway, without feeling obliged to satisfy the conditions for having the right to conduct countermeasures. This is especially likely to be true if the offending action taken by the foreign state is not clearly an internationally wrongful act; that being the case, the United States by the same token might feel free to respond in kind.
f. Do cyber operations violate an international law rule of “sovereignty”?
This brings us to the question of whether “sovereignty” is a stand-alone rule of international law that might be violated by military operations in cyberspace even in circumstances that do not constitute the use of force or coercive intervention.
Some have argued that there is such a rule; on the other hand, the U.K. expressly rejected that view in 2018. The U.S. government’s position, as reflected in Egan’s 2016 address, took a nuanced approach. On the one hand, Egan asserted that “cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per se violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimis effects.”
On the other hand, Egan held open the possibility that some operations under unspecified conditions might indeed be unlawful in the sense of violating “sovereignty”: “Precisely when a non-consensual cyber operation violates the sovereignty of another State is a question lawyers within the U.S. government continue to study carefully, and it is one that ultimately will be resolved through the practice and opinio juris of States.”
So how does last week’s Defense Department speech compare? At first blush, it seems to track closer to the U.K. position: “For cyber operations that would not constitute a prohibited intervention or use-of-force, the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory.”
However, the speech went on to assert that Defense Department lawyers still do “take into account the principle of State sovereignty,” adding that “States have sovereignty over the information and communications technology infrastructure within their territory.” This section of the speech then concludes in a fashion that sounds at least open to the possibility that a particular operation might be problematic from the sovereignty perspective, much like Egan’s 2016 speech: “[I]t does not appear that there exists a rule that all infringements on sovereignty in cyberspace necessarily involve violations of international law” (emphasis added).
What to make of all this? The speech gave me the impression that there is a real desire within the Defense Department to take a firmer, U.K.-like line against the idea of sovereignty as an enforceable rule of international law, yet still substantial lingering concerns about taking that position in an unequivocal way. This is intriguing, particularly since this speech presumably was not the product of an interagency assessment intended to produce a whole-of-government position as was the case in 2012 and 2016 but, rather, reflects only the Pentagon’s perspective.
Having said all that: Perhaps the most notable aspect of the sovereignty discussion in the speech was its emphasis on the way that Defense Department lawyers use traditional espionage as a point of comparison when vetting proposed military cyber operations. Much like the 2016 speech, last week’s speech emphasized the U.S. position that espionage in general does not violate international law. This makes it a useful lodestar, one against which proposed military cyber operations can be compared.
5. Other points worth noting?
To no one’s surprise, the speech restated the familiar point that U.S. forces comply with principles under the Law of Armed Conflict even outside the context of armed conflict.
More interesting was the next point: that Defense Department lawyers pay attention to the (nonbinding) “policy norms” that the United States seeks to promote for state behavior in cyberspace, and that these impact the advice the lawyers give when vetting proposed operations. I’m not surprised to learn this, but it still is nice to see this express, practical indicia of Defense Department support for the State Department’s efforts.