Does Title 10 impose a legal barrier on U.S. Cyber Command conducting operations outside of the Pentagon’s own networks?
That’s the question raised earlier this week by this story from Chris Bing at Cyberscoop (an increasingly interesting site), which builds on recent congressional testimony from Admiral Rogers. The story depicts a “quiet but constant tug of war … between the intelligence community and the military over the future of government—backed hacking,” with the central issue concerning the allocation of lead responsibility for conducting computer network operations outside the government’s own systems in order to “strike back at foreign targets.” More specifically, the story depicts something of a turf war between NSA and an increasingly independent CYBERCOM (highlighting a number of key themes, including the inherent challenge of balancing intel collection equities against the interest in having disruptive effect on some targets; on that point, read all the way to the bottom for spot-on observations from Jamil Jaffer of George Mason).
Critically, the story suggests that Title 10 and Title 50 concerns also are impacting this debate. I thought I include a brief note here to shed light on what that might mean.
The article observes that “[w]hen military leaders push to do more with hackers, they usually meet some form of resistance from Pentagon lawyers.” By way of illustration, the article points to an instance in which CYBERCOM operators deleted ISIS propaganda off a server that happened to be located in Germany. The Germans apparently were notified of the operation in some fashion but not asked for advance consent, and they were not happy about it.
From a legal perspective, the issue this highlights is that operations abroad implicate the UN Charter and related claims about international law protection of sovereignty. So how does this become part of the Title 10/Title 50 debate? Intelligence agencies can more easily act in this setting when operating under Title 50 authority, as covert action status carries with it a statutory obligation to comply with the U.S. Constitution and U.S. statutes—but no more than that. Title 10, in contrast, carries with it no such implicit statutory shield against international law objections, and of course there is a general Defense Department policy of international law compliance. Thus CYBERCOM operating under Title 10 would run into the full thicket of international law concerns. There may be good and sufficient answers to those concerns in particular cases—so this should not be understood as an absolute bar—but it does make sense to say that the legal friction is greater in that setting (that is, operations with effects on servers in third countries and without consent from those countries) than it would be for an entity acting under color of Title 50.