The US policy of “defend forward” and “persistent engagement” in cyberspace raises the stakes of this attribution question as a matter of both international and domestic law.
Latest in Aegis Paper Series
United States Cyber Command turned ten years old in 2020. It is a unique institution—a military command that operates globally against capable adversaries and yet never fires a shot—and its design has been a work in progress.
The United States has one of the world’s strongest and most sophisticated capabilities to launch cyberattacks against adversaries. How does the US Constitution allocate power to use that capability? And what does that allocation tell us about appropriate executive-legislative branch arrangements for setting and implementing cyber strategy?
As its name implies, the 2018 US Department of Defense Defend Forward strategy is principally reactive. The strategy assumes that the United States will continue to suffer harm from competitors and malign actors through cyberspace. Accordingly, it outlines US reactions in order to preempt threats, defeat ongoing harm, and deter future harm.
If information is power, then the corruption of information is the erosion, if not the outright usurpation, of power. This is especially true in the information age, where developments in the technological structure and global interconnectedness of information and telecommunications infrastructure have enabled states to engage in malicious influence campaigns at an unprecedented scope, scale, depth, and speed.
The Israeli equivalent to Defend Forward is far less regulated than its U.S. parallel, and the Israeli version of Persistent Engagement at home allows domestic action and harnesses the private sector in ways that the U.S. approach does not contemplate.
When a state suffers an internationally wrongful act at the hands of another state, international law allows the injured state to respond in a variety of ways. Depending on the nature, scope, and severity of the initial wrongful act, lawful responses can range from a demand for reparations in response to a low-level violation to a forcible act of self-defense in response to an armed attack. Countermeasures offer an additional way for a state to respond to an internationally wrongful act.
With little fanfare and less public notice, Congress and the executive branch have cooperated effectively over the past decade to build a legal architecture for military cyber operations.
Across the United States and Europe, the act of clicking “I have read and agree” to terms of service is the central legitimating device for global tech platforms’ data-driven activities. In the European Union, the General Data Protection Regulation has recently come into force, introducing stringent new criteria for consent and stronger protections for individuals. Yet the entrenched long-term focus on users’ control and consent fails to protect consumers who face increasingly intrusive data collection practices.
Platforms’ ability to assess the context of content plays a major role in determining whether “new school regulation” sets proportional limits to freedom of speech.