David Sanger reports that the Pentagon and the NSA planned a sophisticated cyberattack aimed at “the Syrian military and President Bashar al-Assad’s command structure” that “would essentially turn the lights out for Assad.” He also reports that President Obama declined to go forward with the attacks then or since because of uncertainty about the proper role of offensive cyber weapons and worries about retaliation. Sanger suggests that the use of these weapons in Syria is now back on the table.
What is the domestic legal basis for such attacks? In sketching what I think the answer is below, I will make the standard but contestable assumption that attack with these “kinetic effects” must be analyzed using the same domestic legal criteria that would apply if these effects were caused by kinetic attack. (I highly recommend Bobby’s terrific essay on this general topic for a fuller treatment.)
Assume for the moment that the attacks lack congressional authorization. Under that assumption, the case for the President’s inherent Article II authority to order such attacks in this context is weak, even under Executive branch precedents. The argument is weak for many of the same reasons the argument for the planned missile attacks in Syria last summer was weak. I laid out my views on that issue here and here. I will not repeat those points in detail, except to say that even under the Executive branch’s view of Article II, the President must articulate a strong national interest before using force. And as I said in another post last summer, it is a stretch to say that the United States has an adequate national interest justification under prior executive branch opinions because “(1) neither U.S. persons nor property are at stake, and no plausible self-defense rationale exists; (2) the main non-self-defense U.S. interest that the Commander in Chief has invoked since the Korean War to justify unilateral uses of force – upholding the integrity of the U.N. Charter – appears . . . to be disserved rather than served by a military strike in Syria; and (3) a Syria strike would push the legal envelope further even than Kosovo, the outer bound to date of presidential unilateralism, which at least implicated our most important security treaty organization commitments (NATO).” I would add that the Stuxnet cyberattack in Iran is not much of a precedent for a cyberattack on Assad’s forces because the President’s Article II powers are robust when it comes to self-defense, and the self-defense argument in Iran is colorable but against Assad is not. For this reason, I think the cyberattack in Syria that Sanger describes could not be justified under Article II without exceeding the scope of presidential war power beyond past Executive branch precedents – at least the precedents we know about.
But need the President rely on Article II? Might there be statutory authority? The AUMF cannot help in this context. Nor, I think, can the President rely on the covert action statute, 50 U.S. Code § 413b, for authority to conduct these attacks. There is a rarefied debate about whether and under what circumstances Section 413b provides independent authority for the use of force abroad. It certainly says nothing on its face about independent authority to use force, and my own view is that it could not independently support the significant use of force that Sanger describes. (If it does provide such support, then Congress has given the President super-broad authority to start wars covertly against nations that do not directly threaten us.) There is also the tricky issue whether the covert action statute would even apply in this context, since the operation might be a “traditional military activity” excluded from the definition of covert action by Section 413b(e) of Title 50.
One might also think that the President could glean the authority for the Syrian cyberattacks from 50 U.S.C. § 403-4a, which includes the CIA’s famous “fifth function.” I doubt that provision would suffice here on its own terms, but in any event it is at best an authorization to the CIA and Sanger says this operation is done by DOD and NSA.
But the President need not rely on these statutes. Instead, in planning this attack, his lawyers probably relied heavily on § 954 of the National Defense Authorization Act for Fiscal Year 2012, which provides:
Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to—
(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and
(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).
This seems to me the best statutory hook for the planned Syrian cyberattacks, especially since it “affirms” that the President may conduct “offensive operations in cyberspace to defend our Nation, Allies and interests.” That is a broad authorization indeed. (Having said that, I recommend p. 228 ff. of Bobby’s article, cited above, for an argument about why this law should not be read as broadly as its plain language seems to indicate.) I don’t think the War Powers qualification in (2) is any real hurdle, since the administration has basically read the WPR not to apply to “war at a distance” where there is no potential harm to U.S. troops. (Here is the administration’s definitive statement on the WPR in Libya – here and here are some of my criticisms.) The first qualification (1) – on following the usual “policy and legal regimes” that DOD uses for kinetic operations – probably gave administration lawyers more pause. The lawyers have probably worked out how they think about the jus in bello issues of proportionality and distinction in the cyberattack context, where effects are difficult to anticipate and control. The harder question, much harder in my view, is how the attack Sanger describes would have been justified under jus ad bellum, since there is no U.N. Security Council authorization, no consent, and no plausible self-defense rationale. It would be interesting to see that part of the memo.
A final note. Sanger says: “Because he has put the use of such weapons largely into the hands of the N.S.A., which operates under the laws guiding covert action, there is little of the public discussion that accompanied the arguments over nuclear weapons in the 1950s and ’60s, or the kind of roiling argument over the wisdom of using drones, another classified program that Mr. Obama has begun to discuss publicly only in the past 18 months.” I am not sure what this means. The NSA does not always operate under the covert action statute, but assuming it is here, that statute is no bar to public discussion. Rather, that statute says that if the President intends an action abroad to remain unacknowledged, he has to follow certain procedures (like making a finding, reporting, and the like). The covert action statute is not why programs like the one Sanger discusses cannot be talked about publicly. What prevents public discussion of such programs is classified information rules backed by criminal and administrative sanctions – rules and sanctions, one should note, that were ignored by the people who spoke to Sanger for this story.