When Gen. Keith Alexander, the head of the Pentagon’s Cyber Command, comes to the Hill on Tuesday, he will probably be asked to describe his plans for building a military force to defend the nation against cyberattacks.
But one question remains unclear: Under what circumstances will these cyberwarriors be used?
President Obama last fall signed a classified directive that requires an “imminent” or ongoing threat of an attack that could result in death or damage to national security before a military cyber-action can be taken to thwart it.
But the definition of “imminent” is, like the definition of an “act of war,” subjective and dependent upon circumstances.
A century ago, when one nation’s army massed at another’s border, imminence was clearer. An attack seemed about to happen. Most acknowledged the threatened nation had a right to defend itself.
But today, technology and terrorism have confused the application of old rules. In cyberspace, where attacks can launch in milliseconds, a nation might not have enough time to detect an attack and mount a defense.
In fact, the last clear “window of opportunity” to counter a threat may be hours or days or months before it is launched. That broader concept of imminence was advanced, to some lawmakers’ concern, in a recently leaked Justice Department white paper outlining the rationale for lethal drone strikes against certain al-Qaeda operational leaders.
Administration officials have struggled in recent months to determine when Cyber Command, under new rules of engagement soon to be issued, should be empowered to neutralize an attack without presidential permission.
“We’ve run through dozens of scenarios, and each time you get to the point where you say, ‘You mean you really couldn’t get to the president in time?’ ” said one senior military official, who like other U.S. officials spoke on the condition of anonymity to discuss internal deliberations. “Until something happens, our best guess is it’s going to be an extremely narrow circumscribed set of conditions that would really be imminent.”
As officials debate — largely in secret — how to apply traditional concepts such as imminence to modern warfare, they say that in cyberspace, a clear line is virtually impossible to draw between a justified strike in self-defense and a preemptive one that is considered an unprovoked act of aggression.
“Suppose that somebody’s sending a signal to freeze all our computer networks,” an administration official said in a recent interview. “I think most people would agree that we can neutralize that virus and we can do that in self-defense.”
Under the concept of anticipatory self-defense, “you don’t have to wait until they paralyze the server, because, once they do, the damage is done,” the official said. “But then the issue is, if you’re running around the world freezing servers of everybody you don’t like, it looks very offensive,” he added. “That looks preemptive.”
In fact, said Michael Schmitt, chairman of the International Law Department at the U.S. Naval War College, “the law of self-defense does not allow you to strike at a state merely because they have the capability to attack you.”
Schmitt, who is part of an international group of experts who have issued a handbook on cyberwarfare called the Tallinn Manual, agrees with the white paper’s broader view of imminence. In its legal manual, the group concluded that a state may act in self-defense “when the attacker is clearly committed to launching an armed attack and the victim-State will lose its opportunity to effectively defend itself unless it acts.”
Determining hostile intent is challenging. One senior defense official said if the United States identified a cyber-tool in an adversary’s network that could be used only for a potentially lethal purpose — such as disrupting an entire operating system on a military command and control server, then he believes that “disabling that tool is justified under international law.”
Moreover, he said, U.S. intelligence analysts have developed “a pretty good idea what activities on a network would be a prelude to an attack.” Still, he noted, “there’s always risk in getting it wrong, just like we got it wrong with drone strikes sometimes.”
Senior administration officials stress that under the new Obama directive, they would use law enforcement or diplomatic means before turning to military cyberwarfare. The order does not alter the rules for intelligence agencies’ covert use of cyber-operations.
Today, Cyber Command’s authority to conduct cyber-strikes outside its networks is highly constrained, largely because of uncertainties about the military’s ability to prevent unintended damage to other countries’ civilian systems.
The military, for instance, does not have standing authority to conduct any cyber action in self-defense outside its networks that could be construed as a “use of force” — say, shutting down a server in another country — without presidential permission.
Schmitt said he believes rules will change as the threat evolves. “A decade from now, the concept of use of force and armed attack will change dramatically,” he said. “I believe the bar will go down as to what is wrongful use of force and as to when you can act in self-defense.”
Georgetown University law professor Catherine Lotrionte said that if states start to take more aggressive measures at a lower threshold, the risk of escalation and “tit for tat” goes up. “There needs to be international agreement on rules to prevent that escalation,” she said, “or we’re looking at a really ugly world.”