17 August 2018

Science Board Advises Fighting War Without End in Cyberspace

Robert Levinson

A Pentagon advisory panel recommends that the military and other government agencies seek authority to engage in a permanent state of conflict in cyberspace. It also recommends that the military become much more deeply involved in protecting key private-sector networks. The Defense Science Board, an independent federal advisory committee providing scientific advice to the Defense Department, in July released the executive summary of its report, “Cyber as a Strategic Capability.” The summary promotes the idea that the military’s efforts in cyberspace must be integrated with the other agencies of the U.S. government as well as the private sector. No. 15 of the report’s 16 recommendations would direct DOD officials to review existing statutes governing Pentagon and U.S. action in cyberspace and “update or draft replacement language to enable continuous offensive and defensive actions for protecting and promoting national interests in cyberspace.”

A sub-bullet clarifies:

“Specifically, this task should include drafting legal statutes for enabling anticipatory defense, active defense, and other countermeasures in cyberspace in accordance with national and international law, and providing liability protection and other legal incentives for robust private sector participation to support national interests in cyberspace.”

There’s no guarantee that DOD will actually seek the legislative changes the report suggests. However, should DOD pursue this sort of statutory authority, and Congress agree to it, it would be a significant departure from previous U.S. policy and law.

Although cyberattacks are often seen as distinct from more conventional military operations, when one nation deliberately attacks another, legally the method of the attack doesn’t really matter. According to U.S. military doctrine, “The laws that regulate military actions in U.S. territory also apply to cyberspace.” The Department of Defense’s Law of War Manual states that “if the physical consequences of a cyber attack constitute the kind of physical damage that would be caused by dropping a bomb or firing a missile, that cyber attack would equally be subject to the same rules that apply to attacks using bombs or missiles.” The manual also states that “Cyber operations that constitute uses of force within the meaning of Article 2(4) of the Charter of the United Nations and customary international law must have a proper legal basis.”

Cyberattacks such as those on Hillary Clinton’s presidential campaign in 2016, or North Korea’s attack on Sony Pictures Entertainment in 2014, didn’t cause physical risk to people. But more recent Russian attacks on the electrical grid and other infrastructure demonstrate that a cyberattack could harm people and property.

Under U.S. law, Congress is given the power to declare war, and the president is the commander in chief of the armed forces. The U.S. hasn’t declared war since World War II, but other statutes such as the War Powers Resolution in 1973 and the Authorization for Use of Military Force following the terrorist attacks of Sept. 11, 2001, have involved Congress in authorizing military operations.

Although there is tension between how much authority the president can exercise and what permission is required from Congress, there have been limitations on past military operations. The Defense Science Board report would appear to advocate ceding war-making authority to the military and other government agencies without limitations in time, space or enemy.

This idea of authority for continuous offensive cyber-operations is controversial, and it’s not clear how Congress would respond. The attacks on Sony, the Clinton campaign and U.S. infrastructure were all conducted by foreign nations during peacetime. Seeking executive and congressional approval before responding may prove too slow and cumbersome to provide any sort of effective deterrence against future attacks.

On the other hand, it is possible that a response to a cyberattack could prompt an enemy to escalate and retaliate with conventional or even nuclear weapons. Civilian officials may be very uncomfortable allowing military personnel to judge the level of risk and determine when and how to respond.

This analysis was first available to Bloomberg Government subscribers. To read more exclusive analysis and learn how BGOV helps federal contractors win more business, please request a demo.

The DSB also calls for much closer cooperation between the military and the private sector. Specifically, the report recommends expanding Pentagon support “to the protection of private sector and critical infrastructure in advance of contingency and crisis.” This effort could include using DOD assets to monitor and defend private-sector entities that provide critical infrastructure.

Establishment of closer cyberspace ties between the private sector and the Pentagon would also be a significant departure from past practice. Historically, both the military and the private sector have been wary of the Pentagon’s playing too great a role in private-sector cybersecurity. The Defense Department does not have the resources or legal authority to protect huge civilian networks and assets. For its part, private industry is always wary of greater government involvement in its affairs, fearing costly regulatory burdens and backlash over user privacy.

The Defense Science Board’s somewhat radical ideas demonstrate one of the central challenges that both the federal government and the private sector face in dealing with malign activity in cyberspace. While technology is constantly moving ahead at nearly unbelievable speed, laws, policy, and even strategic thinking are struggling to catch up. In a domain that has no geographic boundaries, can expand almost limitlessly and moves valuable assets around at the speed of light, the DSB’s ideas may become influential.

No comments: