Sunday, June 7, 2009

New Laws for a New Cybercommand? (Opinio Juris)

by Duncan Hollis

http://opiniojuris.org/2009/05/29/new-laws-for-a-new-cybercommand/

Today's New York Times leads with the story of Pentagon plans to form a new cybercommand:

The Pentagon plans to create a new military command for cyberspace, administration officials said Thursday, stepping up preparations by the armed forces to conduct both offensive and defensive computer warfare. The military command would complement a civilian effort to be announced by President Obama on Friday that would overhaul the way the United States safeguards its computer networks.

White House officials say Mr. Obama has not yet been formally presented with the Pentagon plan. They said he would not discuss it Friday when he announced the creation of a White House office responsible for coordinating private-sector and government defenses against the thousands of cyberattacks mounted against the United States — largely by hackers but sometimes by foreign governments — every day.

But he is expected to sign a classified order in coming weeks that will create the military cybercommand, officials said. It is a recognition that the United States already has a growing number of computer weapons in its arsenal and must prepare strategies for their use — as a deterrent or alongside conventional weapons — in a wide variety of possible future conflicts.

The article (and other news stories) focus mostly on the defensive problems facing the United States as U.S. public and private information infrastructures increasingly find themselves subject to cyberattacks.  At the same time, these stories emphasize the bureaucratic battles over who should be in charge of U.S. cyberpolicy.  Given the creation of a "cyberczar" separate and apart from any new Pentagon cybercommand, the White House appears to have settled on trying to differentiate oversight of defensive efforts to protect civilian information infrastructures, which would broadly encompass the concept of cybercrime, from U.S. military capacity to engage in offensive or defensive cyberwar (although additional infighting between the Pentagon and NSA is reportedly ongoing over controlling U.S. cyberwarfare capacities).  

Broadly speaking, the increased attention to conflicts in cyberspace is a welcome development.  We've come a long way from the 1990s when "netwar" was an interesting hypothetical that many equated to science fiction.  Today, the threat AND potential of cyberspace as a vehicle for conducting conflicts among states, non-state actors, and even individuals are all too real.  So, it's good to see the White House trying to adjust to this new reality on all fronts.  In particular, I was interested to see the NYT piece address the question of U.S. forces using cyberspace to conduct offensive operations, something earlier Administrations have reportedly approached with reluctance (e.g., in Kosovo, U.S. forces reportedly refrained from planned computer attacks against Serbian computer networks for purposes of disrupting military operations and basic civilian services out of concern that they'd be war crimes):  

The decision to create a cybercommand is a major step beyond the actions taken by the Bush administration, which authorized several computer-based attacks but never resolved the question of how the government would prepare for a new era of warfare fought over digital networks.

It is still unclear whether the military's new command or the N.S.A. — or both — will actually conduct this new kind of offensive cyberoperations.

The White House has never said whether Mr. Obama embraces the idea that the United States should use cyberweapons, and the public announcement on Friday is expected to focus solely on defensive steps and the government's acknowledgment that it needs to be better organized to face the threat from foes attacking military, government and commercial online systems. . . . "We are not comfortable discussing the question of offensive cyberoperations, but we consider cyberspace a war-fighting domain," said Bryan Whitman, a Pentagon spokesman. "We need to be able to operate within that domain just like on any battlefield, which includes protecting our freedom of movement and preserving our capability to perform in that environment."

As welcome as these developments are, however, real questions remain. First, as a practical matter, how sustainable is the dividing line between the civilian cyberczar and the planned cybercommand? The anonymity associated with cyberattacks will make it extraordinarily difficult to know whether an attack should trigger civilian or military defenses. Will the White House give the cyberczar authority over defending civilian targets, even though it's easy to imagine that an attack on the New York Stock Exchange could come from terrorist or foreign militaries rather than the proverbial teenage hacker or individuals with criminal intentions? And should the Pentagon treat all attacks on military information infrastructure as triggering cyberwarfare questions, including those that come from U.S. citizens like our proverbial teenage hacker? Similarly, if we look to offensive cyberoperations, how much of a cyberattack can the Pentagon pursue without affecting civilian information networks (think, the Internet) and how often can it do so without risk of affecting U.S. resources or civilians in ways that might tread on the cyberczar's turf?

Second, I'm still unclear on what rules the new cybercommand will follow.  Of course, I understand the classified nature of these issues.  That said, in creating a new cybercommand, is the Pentagon prepared to recognize a need for accompanying new rules to govern its behavior?  Just as we devised new rules on cybercrime, will Congress and/or the President enact new U.S. laws or regulations on the conduct of cyberwar?  And, how will the new cybercommand view the international law(s) that constrain and facilitate its operations? 

In 1999, the Defense Department authored a comprehensive and detailed assessment of the international legal issues associated with cyberconflicts. DOD's report concluded that, at the time, it was "premature" to devise new rules for cyberspace, instead relying on analogies to existing international law as the source of norms for cyberconflicts. A decade later, I'm wondering whether DOD still thinks new rules would be premature? I certainly think the time has come to revisit the law-by-analogy approach and devise new rules, a point I've made in various formats, including an op-ed, a military article, and a longer law review article. Is it possible that in recognizing the need to reorient U.S. forces to engage in cyberspace that the Pentagon now also appreciates the need to reorient the rules under which those forces will operate? It's not clear from today's news, although most of the feedback I've gotten to my earlier work has suggested DOD is not there yet. But if the Pentagon isn't willing to engage in crafting new rules, will they at least explain why not? It may make sense to keep U.S. cyber-capacities, both offensive and defensive, secret, but what corresponding benefit can there be in keeping the governing rules secret as well? In the absence of clear rules, I worry about the dangers of unintended consequences over differing understandings of the rules (i.e., a cyber-op that U.S. forces don't view as an armed attack is treated as such by foreign military forces and produces an armed, non-virtual response). I also think that we're missing an opportunity to require cyberoperations to supplant guns and missiles when they can achieve the same military objective.

At a minimum, therefore, I'd hope today's announcement serves to revive the conversation over what rules govern conflicts in cyberspace.  With or without a new cybercommand, we're certainly going to need them.

UPDATE — The President's speech is now available as is the Cyberspace Policy Review.  Interestingly, it hints at some movement on the need for clarifying or devising new laws for cyberspace. Under near-term action items, the Review recommends the Executive Branch take two actions on this front:

5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.

7. Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
