9 July 2018

How this one Pentagon office could wage war without oversight

by Bonnie Kristian

U.S. Cyber Command — the Defense Department’s cyberspace wing newly elevated to the status of a Unified Combatant Command — is not what it used to be. This Pentagon entity has operated without much congressional oversight, but with an ambitious and aggressive understanding of its mandate. This is constitutionally suspect and a recipe for trouble. Permanently founded less than a decade ago, the command previously operated in a mostly defensive posture, warding off digital threats and only occasionally going on the offensive, most notably to attack an Iranian nuclear facility and to target the Islamic State. But this spring, the Pentagon authorized the Cyber Command to move into an even more aggressive role. Cyber Command is now empowered to conduct “constant, disruptive ‘short of war’ activities,” targeting terrorists and foreign countries alike, the New York Times reports.

The idea is to occupy potential enemies with cyberattacks and thus diminish their ability to attack us. Cyber Command may believe its attacks fall “short of war,” but will its targets agree?

This always-on-offense approach seems to have been set with little meaningful oversight — certainly not from Congress, and apparently not from the White House, either. “The change in approach was not formally debated inside the White House before it was issued, according to current and former administration officials,” the Times reports, and national security adviser John Bolton eliminated the role of White House cyber coordinator right around the time Cyber Command’s mission was changed.

Underlying this issue is a tough question that also hasn’t had a proper hearing in Congress or the public square: When do we consider a cyberattack an act of war? If a foreign government hacks American voting machines, is that an act of war? What if a terrorist group breaks into the president’s Twitter account? Or accesses federal employee data? Or breaches the State Department? Or remotely sabotages U.S. missiles so they can’t be launched? Is physical destruction or the death of American citizens necessary for a cyberattack to constitute war? Or if economic disruption is enough, is there a dollar amount that crosses the line?

In 2016, former Under Secretary of Defense for Intelligence Marcel Lettre gave his answer in Senate testimony, with the concurrence of then-NSA and Cyber Command chief Adm. Mike Rogers, that “what constitutes an ‘act of war’ in … cyberspace” — as well as what cyberattacks would warrant an act of war in retaliation—“would be made on a case-by-case and fact-specific basis by the president.” Plausible cases for the war designation and response, he continued, include “significant loss of life, injury, destruction of critical infrastructure, or serious economic impact,” as well as “malicious cyber activities that threaten our ability to respond as a military, threaten national security, or threaten national economic collapse.”

Keep that definition in mind when you consider a Pentagon document from revealing the Trump administration’s plans to use cyberattacks to disable missiles from countries like North Korea and Iran before they’re launched. Under Lettre’s definition, that would be a digital act of war (“malicious cyber activities that threaten our ability to respond as a military”) if committed against the U.S. It is one thing to disable a missile on the launch pad for an imminent attack on the U.S., but to employ this method to disable a foreign power’s weapons absent that imminent threat is a very different matter.

Taken together, this all means the Pentagon now has an office that can initiate an act of war without sign-off from either Congress or the president. If our elected officials don’t bring the Cyber Command to heel, it would be a gross abdication of responsibility by Congress and the White House alike — not to mention a flagrant violation of our Constitution, which gives the legislature alone the power to declare war and the president alone the power to wage it.

As digital threats evolve, it is to be expected that Cyber Command’s purview would as well. But a shift to global offense against state and non-state actors is totally irresponsible without even a real debate about its constitutionality, viability, effectiveness, and consequences. Tools intended to keep Americans safe may end up doing the exact opposite.

No comments: