CQ WEEKLY – IN FOCUS
June 16, 2012 – 1:05 p.m.
Sorting Out Rules of Cyberwar
By Tim Starks, CQ Staff
Congress has made lots of noise over the past two weeks about leaks that reveal the United States’ role in creating Stuxnet, the sophisticated computer worm that infected Iranian nuclear facilities in 2010.
Some Republicans angrily allege that the leaks were brazen politicking by the Obama administration to buttress its national security credentials in an election year. Others call for an investigation by an independent counsel. And both Democrats and Republicans openly worry that the public acknowledgement of a U.S. role in unleashing an offensive cyber weapon opens the way for other nations to retaliate.
Masked by all the outrage, though, are substantial questions about Congress’ role in the new era of warfare and espionage. The debate over how best to defend U.S. computer networks has gone on in Congress for three years and still hasn’t been resolved. The debate over offensive actions against the networks of others has been a quieter one, and has only just begun.
“It’s a huge problem, and we haven’t sorted out the authorities, nor has the military, and they acknowledge it,” says Senate Armed Services Committee Chairman
Congress has barely scratched the surface of such issues as the statutory definition of “cyberwar,” and when or how lawmakers should be briefed on military cyber operations — two related topics, since most legal and cyber experts agree that programs such as Stuxnet straddle the line between espionage and attack. That line determines who in Congress is informed about what. The fiscal 2012 defense authorization law made an opening attempt at addressing those questions, and the fiscal 2013 version might make another.
And, as the Stuxnet leak makes clear, cyber offensive operations are hurtling ahead in the meantime. Defense officials have repeatedly stated that right now, the United States’ cyber posture is 90 percent defensive, 10 percent offensive, a ratio they want to invert.
“The world is barreling forward. Technology is barreling forward,” says Republican Rep.
‘A Lot That We Have to Do’
Army Gen. Keith B. Alexander, who heads both the National Security Agency (NSA) and the U.S. Cyber Command, told members of Senate Armed Services in March that the administration was still sorting out the difference — from a legal and personnel perspective — between attacking computers and exploiting computers to gather intelligence.
“I think there’s a lot that we have to do,” Alexander told Colorado Democrat
The technological nature of cyber operations is such that drawing bright lines is difficult, says Eric Jensen, a Brigham Young University law professor and an authority on the laws of war.
“I don’t know if Congress can define what is cyber espionage and what is an attack,” Jensen says. “It’s too hard. In many cases it’s the same type of computer process to establish a door in” to a network, he says. One answer that has been offered, Jensen says, is that it all depends on the final intent for using that door.
Sorting Out Rules of Cyberwar
The difficulty in drawing stark lines reflects a broader blurring of the lines between military operations and covert operations, though they are governed by different sections of U.S. law. The fact that the NSA — an intelligence agency — and the military’s Cyber Command are collocated and commingled illustrates the trend, University of Texas School of Law professor Robert Chesney wrote in the Journal of National Security last year.
“Small wonder, in light of all this, that convergence has proven especially disruptive to the legal frameworks associated with computer network operations,” Chesney wrote.
Nonetheless, Congress has delved a bit into defining some of the boundaries. The House version of the fiscal 2012 defense authorization bill would have allowed the Pentagon to conduct clandestine cyberwarfare to support conventional military campaigns and defend U.S. forces anywhere in the world. The provision affirmed the Defense secretary’s authority to “conduct military activities in cyberspace,” including “clandestine” ones to protect Defense Department assets or to support military campaigns conducted under the 2001 law authorizing the war on terrorism.
The Obama administration objected to the language for unspecified reasons; one congressional official says the language was merely “poorly written.” The final version of the bill instead tied the military’s ability to employ offensive cyber measures to the 1973 War Powers Resolution. And lawmakers hinted in the conference report at more to come.
The conferees wrote that “because of the evolving nature of cyberwarfare, there is a lack of historical precedent for what constitutes traditional military activities in relation to cyber operations” and that it is necessary to affirm that such operations should follow “the same policy, principles, and legal regimes” of traditional warfare.
Other questions for Congress are which of its members should be told of cyberattacks against others and to what extent they should be notified. House and Senate members of both parties have been reluctant to discuss Stuxnet in even the vaguest terms. Upset by the leaks, they don’t want to confirm their accuracy. Levin says he was not briefed about any such program but that he believes leaders of the Intelligence panels were. The vice chairman of the Senate Select Intelligence Committee, Georgia Republican
The difference is that the Intelligence committees have specific notification requirements, while the Armed Services panels have fewer such rules. One congressional official says of the Intelligence committees: “If there were operations that were going on that are characterized as intelligence activities or forward actions, we would be notified under the government’s responsibility to keep us fully and currently informed.”
Exactly who gets notified can be determined by something as simple as whether the CIA or Cyber Command carries out the action and whether it’s pursuant to a covert action finding from the president, the official says.
Thornberry says he has no complaint about how the Intelligence committee has been kept abreast of cyber operations. But he has been trying to expand how much the Armed Services panels are briefed.
Last year, his Armed Services subcommittee inserted language into the House version of the defense policy bill that would have called for quarterly reports to the Armed Services panels of any “significant” Defense Department cyber operations. The language was left out of the final version of the law, but it is once again in the House’s fiscal 2013 version.
Furthermore, Thornberry says that as the Pentagon works through cyber rules of engagement, Congress should be involved. Because of the speed of cyber operations — and because they could involve machines pre-programmed to take certain actions in certain situations — he argues that after-the-fact notification won’t do. “I don’t think in the history of the country we’ve ever had actions that take place at light speed,” he says.
Mieke Eoyang, a former staff member on the House Intelligence panel, says Congress might need clearer advance authority over offensive cyber operations because of their potential consequences. “There is a process for authorizing use of force or declaring war,” says Eoyang, who is now at Third Way, a left-leaning think tank. “But in the case of classified programs, the approval process is opaque to the public. If Congress’ only option to register their objection is cutting off funding after the fact, it may be too late.”
Sorting Out Rules of Cyberwar
More broadly, former Rep.
“There are inadequate rules around the post-9/11 world,” says Harman, who used to chair the Intelligence panel. “When you go virtually, it’s the same problem, on steroids.”
Frank Oliveri contributed to this story.
FOR FURTHER READING:
Fiscal 2013 defense authorization bill (