I’d like to briefly address two articles in the news today on U.S. cyber-attack strategy, one the New York Times piece that Jack already commented on and the other a Washington Post editorial. The Times reports on a “secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad.” The Post, following up on its recent reporting by Ellen Nakashima that U.S. Cyber Command is dramatically expanding and reorganizing, laments that “[o]ne large missing piece is a declaratory policy similar to that used for nuclear weapons in the Cold War, when nuclear policy was openly debated without divulging important secrets.” I have interrelated concerns and questions about both pieces.
The New York Times piece was a head-scratcher for me. For starters, although I don’t like it when legal bloggers nitpick journalists’ efforts to summarize technical legal issues, in this case it’s a story all about a legal analysis for which precise categorization is important – indeed, it’s about the executive branch’s legal claims in an area where the big debates are very much about appropriate categorization. So, I was surprised by some bizarre references to, for example, “declared wars,” as well as almost any clarity throughout the article about which “rules” are considered binding as a matter of law versus policy, or domestic versus international law.
Focusing on the main report of the piece that the President claims power to order pre-emptive cyber-attacks, the Times report then draws parallels to the claimed authority for the Obama administration’s counter-terrorism drone strikes in places like Yemen and Pakistan, and to the Bush Administration’s 2003 Iraq war justification (as an aside, under my breath: here it repeats the frequent error in asserting that preemption was the Bush Administration’s central legal argument). In those other cases, though, there’s no serious question that U.S. actions constitute military force and that a major al Qaida terrorist bombing or a WMD strike by Iraq would constitute an armed attack; the key issue is under what conditions could the U.S. take self-defensive military action in anticipation of a foreseeable future threat. Such analogies are only directly legally relevant, though, to the extent that cyber-attacks – those directed at us, and those we might use in self-defense – also constitute “force” or “armed attacks” for the purposes of the UN Charter and customary international law of self-defense. In the past, some Obama Administration lawyers such as Harold Koh have spoken to this issue, and one of the interesting but buried aspects of this Times story is how the U.S. government is converting that legal analysis into specific guidance and its own state practice.
This also raises a strategic question, which relates to the Washington Post piece: to what extent does the U.S. government desire to communicate the rules and lines it’s drawing to the rest of the world, either because it’s trying to shape international norms or because strategically it’s trying to deter cyber-attacks. After all, deterrent threats only work if they’re communicated to the adversary (see Dr. Strangelove), though this could be achieved in a number of ways, including proclaiming them publicly, demonstrating them through visible actions, or… leaking them to a major paper.
The Post editorial calls for, among other things, a public declaratory policy about when we will use cyber-attacks, comparing this historically to U.S. nuclear doctrine. That may or may not be a good idea strategically, among other things because sometimes ambiguity is better than clarity in deterring attacks. What’s odd about this editorial, though, is that this recommendation is pitched not as a strategic imperative but for democratic accountability and out of concern about inadequate public scrutiny. Cold War and post-Cold War nuclear declaratory policy was deliberately integrated with strategic doctrine, not for democratic transparency. If we're looking for institutional checks on executive branch cyber-doctrine, I question whether declaratory policies are so useful. In general declaratory policies (because they are intended to be lasting) should come at the end of a process of careful deliberation, not as a way of prompting it.