by Eric Blair
December 17, 2011
Just when you thought the National Defense
Authorization Act (NDAA)
couldn't possibly be more dangerous than has already been exposed with its,
...it has now been revealed that it also serves
as a declaration of offensive cyber war.
Buried in the recently passed NDAA is a provision, perhaps just as
dangerous as its other transgressions, that permits the
Pentagon to wage an offensive cyberwar,
"to defend our Nation, Allies and
Section 954 of the NDAA titled Military
Activities in Cyberspace received no debate in Congress as well as in the
The section states clearly:
Congress affirms that the Department of
Defense has the capability, and upon direction by the President may
conduct offensive operations in cyberspace to defend our Nation, Allies
Even though there was virtually no debate about
this provision by Congress or the press, the intention of action was
expected. In July of this year, the
Pentagon announced their strategy to treat
cyberspace as an "operational domain" in their Department of Defense
Strategy for Operating in Cyberspace.
"The United States reserves the right, under
the laws of armed conflict, to respond to serious cyber attacks with a
proportional and justified military response at the time and place of
our choosing," said Deputy Defense Secretary William Lynn at a speech
announcing the new strategy.
Department of Defense Strategy for Operating in
Cyberspace claims that,
"Hackers and foreign governments are
increasingly able to launch sophisticated intrusions into the networks
and systems that control critical civilian infrastructure."
Yet, Wired correctly
points out that,
"Despite mainstream news accounts, there’s
been no documented hacking attacks on U.S. infrastructure designed to
cripple it. A recent report from a post-9/11 intelligence fusion center
that a water pump in Illinois had been destroyed by Russian hackers
turned out to be baseless."
Indeed, we first reported that the alleged
hack attack on the Illinois water plant
was propaganda from the beginning to end.
Four days later the Federal government
admitted it was not a cyber attack after
the cyber scare was sold to the public.
If we've learned one thing from the recent past, the U.S. government doesn't
need real evidence or a real enemy to wage war. So what can we expect from
this new authorization for the Pentagon to wage offensive war on the
Department of Defense outlines five strategic initiatives which are just
organizational in nature:
DoD will treat cyberspace as an
operational domain to organize, train, and equip so that DoD can
take full advantage of cyberspace’s potential:
Not only are they planning to create an
army of cyber warriors, they also claim to have the authority to
combat Internet threats with a traditional military response:
"the United States reserves the
right, under the laws of armed conflict, to respond to
serious cyber attacks with a proportional and justified
military response," said Deputy Secretary Lynn.
DoD will employ new defense operating
concepts to protect DoD networks and systems:
"DoD will continue to operate
and improve upon its advanced sensors to detect, discover,
map, and mitigate malicious activity on DoD networks."
This is already being accomplished to
monitor government employees
through DARPA's PRODIGAL project.
DoD will partner with other U.S.
government departments and agencies and the private sector to enable
the whole-of-government cybersecurity strategy:
The Director of the National Security
is dual-hatted as the Commander of USCYBERCOM. The NSA connection
Facebook are already working for
This coincides with Lieberman's recent
urging of Google to
censor anti-West content. DoD
also announces collaboration with DHS for domestic surveillance.
DoD will build robust relationships with
U.S. allies and international partners to strengthen collective
The goal is to,
This is also well underway with the
recent London cyberspace summit which was admittedly used to work on
a global Internet treaty.
DoD will leverage the nation’s ingenuity
through an exceptional cyber workforce and rapid technological
The intention is to fund and reward
cyber warfare innovators. In other words, they'll fund a new aspect
of the military-industrial complex that pertains to cyber security.
Although neither the NDAA, nor the DoD road map
gives many details for how exactly this offensive cyber warfare will be
conducted, Wired reports that:
It's likely to include things like unleashing a worm like
the Stuxnet worm that damaged Iran’s
nuclear centrifuges, hacking into another country’s power grid to bring it
down, disabling websites via denial-of-service attacks, or as the CIA has
already done with some collateral damage, hacking into a forum where
would-be terrorists meet in order to permanently disable it.
Perhaps it is intended to just be a broad authorization to use force against
anyone considered to be a threat on the Internet, much like the
authorization to use force against Iraq in the war on terror.
As the Deputy Secretary of Defense noted, the
military is authorized to combat threats with a "justified military
Surely that sweeping authority won't be
Offensive Cyberspace Operations, The NDAA, and The...
Title 10-Title 50 Debate
by Robert Chesney
Back in May, I
noted that the House version of the NDAA
contained a very interesting section addressing “military activities” in
Section 962 of
that bill would have “affirmed” that DOD
may conduct military activities in cyberspace (including clandestine
operations at least when acting in support of military activity under the
9/18/01 AUMF and the target is outside the United States, or when the
activity is responsive to an attack on DOD assets).
I wrote at the time that this seemed responsive,
albeit in a fuzzy way, to the so-called “Title
10-Title 50” debate and thus had implications for the various
issues that debate entails.
(I write about these issues in much more detail
here; they include questions such as what
counts as “covert action” subject to finding and notification requirements,
what counts as “traditional military activity” that is exempt from the
“covert action” definition even though the US role is not intended to be
acknowledged, and whether the applicable substantive legal constraints
differ depending on whether one is acting under the Title 10 or the Title 50
The Senate, for its part, ultimately included
nothing comparable in its NDAA bill, and so the discrepancy had to be
addressed during the recently-concluded conference.
The end result is section 954 of the Conference version of the NDAA. The new
language is brief, yet very interesting:
SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE
Congress affirms that the Department
of Defense has the capability, and upon direction by the President may
conduct offensive operations in cyberspace to defend our Nation, Allies
and interests, subject to—
(1) the policy principles and legal
regimes that the Department follows for kinetic capabilities,
including the law of armed conflict; and
(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).
So…what does this accomplish?
First I’ll discuss the issues impacted by the
text itself. Second, I’ll discuss some important issues directly addressed
only (or at least only clearly) in the explanatory statement promulgated by
the Conference Committee in connection with this section.
I. The Text of Section 954
Based on the text alone, there are
three components to this provision: An affirmation of authority, a
requirement of presidential authorization somewhat akin to the covert
action requirement of a presidential finding, and a limited
clarification of how such operations relate to various other bodies of
Affirmation of Authority to Conduct
First, section 954 makes
clear that DOD can conduct offensive cyberspace operations (OCOs)
under certain conditions, defined very, very loosely as the
defense of the nation, of allies, and of our “interests.”
That’s not much of a limitation, of
course; the reference to interests would seem to encompass just
about any scenario in which one might like to be able to conduct
an offensive operation. And I suppose some might look at this
language and draw the conclusion that section 954 is some kind
of free-standing cyber-AUMF, usable at presidential discretion.
But I really do not think this is
what the “affirmation” language means to signify. On the
contrary, with respect to separation of war powers I think the
whole section is premised on the notion that there already is
some separate underlying legal foundation for the action, such
as the 9/18/01 AUMF in the case of an OCO directed at an al
Qaeda website or Article II national self-defense for fact
patterns that might fall under that heading.
Put another way, I don’t think the
purpose of section 954 is to grant new authority, but rather to
clarify a variety of procedural and substantive questions OCOs
raise. So on to the first such issue, which concerns the
Requirement of Presidential
Substantive conditions aren’t
the only way to limit how an authority can be used.
Procedural constraints, such as
requiring the affirmative approval of senior officials, can
contribute to this end as well. We see this in the context of
“covert action” under Title 50, for example, in the requirement
of a presidential finding approving such actions.
As I explain in Part II below, one
intended consequence of section 954 seems to be to make clear
that OCOs need not be categorized as “covert action” even when
conducted in a manner in which the US role is not meant to be
apparent or acknowledged, but instead may be categorized under
the “Traditional Military Activities” (TMA) exemption.
That has the effect, among other
things, of making clear that no presidential finding is
But presumably out of recognition
that at least some such operations are sufficiently
consequential to in fact warrant presidential involvement as a
condition precedent, the text of section 954 imposes a
stand-alone requirement that covered OCOs must be authorized by
A few observations about this:
Programmatic OCO “Findings”
First, I would imagine we
would see “findings”-style authorizations in which
programmatic approval can be provided for certain categories
of OCOs, thus enabling specific OCO activities to be
undertaken in real time as circumstances warrant rather than
having to go find the President and get approval for every
Section 954 does not really
weigh in on this, so that’s just my speculation.
Interagency Vetting of OCO
Second, the utility of
insisting upon presidential authorization, as opposed to
just SecDef authorization or that of a commander, is that it
makes it likely if not certain that there would be
interagency screening of the proposed OCO (or set thereof)
under the auspices of the NSC staff process, with more than
just DOD weighing in on the question.
For example, the State
Department – with institutional equities disposing it to
perhaps pay more attention to collateral/unintended
consequences that an operation might have on other countries
– might well have more of a voice as a proposal for a
particular operation makes its way up the chain to the
In this respect, I should
emphasize at this point that the public record reveals that
there has been a fairly long-running fight over just these
sorts of issues within the executive branch over the past
couple of years. Ellen Nakashima’s
story last week is highly
relevant here, and there also is relevant material in the
Schmitt & Shanker book Counterstrike.
Hard to tell from the outside if
section 954 is a codification of what has been worked out,
or if instead it will break some sort of logjam.
Which OCOs Really Require This?
A third issue arises when
one considers the fuzzy lines distinguishing among OCOs,
defensive cyberspace operations, and cyber-exploitation, all
of which may have effects comparable to an OCO.
The presidential authorization
requirement obviously is meant to attach only to offensive
operations, but it seems clear that there could be lots of
disagreement as to when this obligation truly must be
brought to bear.
As I note below, it may be that
nothing turns on this insofar as Congress is concerned, and
so any disputes on these points most likely would arise as
an interagency matter…assuming, of course, that non-DOD
elements in the interagency actually learn about whatever
operation is in question.
Further complicating matters, it may be that there are
cyberspace operations that are best thought of as
“offensive,” yet which are relatively de minimis in
significance, not rising to the level of “use of force”
implicating jus ad bellum and LOAC concerns….and as to
those, it is not quite clear that this language is meant to
require presidential authorization.
That is, it may be that OCOs as used
in this context are meant to encompass only those more serious
uses of (cyber)force.
Other Legal Constraints:
Section 954 calls for OCOs to
be conducted subject to the same policies and legal frameworks
that govern kinetic ops, and also references the WPR.
Most interesting to me is
the specific imposition of two sets of additional
constraints on offensive operations carried out under 954.
First, the statute makes
explicit that such operations must comply with the policy
and legal frameworks that would govern a kinetic operation.
This includes, explicitly, the law of armed conflict. The
million dollar question is whether and to what extent it
also includes neutrality/sovereignty considerations.
As the public reporting has
repeatedly emphasized, the big stumbling block in such
operations is the fact that they can have a debilitating
impact on servers located in other countries, raising the
question whether this amounts to an infringement of that
other country’s sovereignty or perhaps even its rights as a
“neutral” in an armed conflict.
Section 954 arguably speaks to
this question by requiring that the offensive cyberoperation
be governed by the same rules as would a kinetic
operation…yet it seems to me that even if you agree which
rules apply, cyber operations by their nature and effects
still may be difficult to analyze under those frameworks.
That is, it will remain as hard
as ever to say whether a particular action with some complex
impact on a server in some other country is properly viewed
as violating that state’s sovereignty/neutrality.
In any event, this language
perhaps helps minimize the range of issues in dispute.
Then there is the
reference to the WPR, which has a similarly unclear effect.
It seems likely that the aim
here was to dispel any argument that section 954 itself
might be read as a congressional authorization sufficient to
discharge any WPR-related requirements, assuming the
operation in question otherwise would implicate the WPR.
But it’s not clear to me, come
to think of it, how a cyber operation might ever implicate
the WPR. More specifically, it’s not clear to me how cyber
operations might implicate the triggers listed in WPR
section 4(a), such as 4(a)(1)’s reference to introduction of
U.S. forces into hostilities (or circumstances of imminent
hostilities) or 4(a)(2)’s reference to deployment while
equipped for combat.
Even without embracing the
administration’s position on the WPR in regards to Libya (i.e.,
that the use of armed drones does not constitute the presence
of U.S. forces in hostilities, given the lack of exposure to
U.S. personnel), it is not easy to map the WPR triggers onto
the cyber operation example.
Which raises the question whether
there isn’t some better way to ensure some amount of legislative
awareness of such operations.
The original House bill, notably,
simply required quarterly briefings to SASC and HASC for
operations carried out under this authority.
That was the right way to do it, in
my view, and I’m sorry to see that this is not part of 954.
II. The Explanatory Statement for Section
954 - The covert action/TMA distinction
As I noted above, the original House
version of the bill had been framed very much as an effort to address
(also) questions as to whether OCOs should be deemed “covert action” or,
instead, “traditional military activity” (TMA).
If the former, then a presidential finding
is required, and the finding must be shared with SSCI and HPSCI. If TMA,
neither is required (though as noted above, OCOs under section 954 now
will require presidential authorization nonetheless). Some take the view
that the covert action/TMA distinction also impacts the question of
which substantive bodies of law constrain the underlying activity (and
Nothing in the text I review above speaks to this issue. But note that
it is still addressed explicitly in the
explanatory statement accompanying the
In relevant part, the conferees wrote:
…The conferees recognize that because of
the evolving nature of cyber warfare, there is a lack of historical
precedent for what constitutes traditional military activities in
relation to cyber operations and that it is necessary to affirm that
such operations may be conducted pursuant to the same policy,
principles, and legal regimes that pertain to kinetic capabilities.
The conferees also recognize that in
certain instances, the most effective way to deal with threats and
protect U.S. and coalition forces is to undertake offensive military
cyber activities, including where the role of the United States
Government is not apparent or to be acknowledged…
That is not the clearest language ever.
It seems to me, however, that this is meant
to overcome any argument that OCOs cannot qualify as “traditional
military activities” simply because of the novelty of their nature and
the technologies involved. I can’t resist pointing out that the novelty
argument probably should not matter in the first place, at least not if
you buy the arguments I spell out in
Title 10-Title 50 article.
But set that aside, and assume they do
matter to at least some participants in the internal government debates.
In that case, one can imagine arguments running back and forth as to
what an OCO might be comparable to in terms of military activity in the
pre-digital world, with some feeling that there are good analogies and
others thinking it is all quite novel and unprecedented and hence not
The explanatory statement, on this view, is
an effort to put that issue to bed in favor of applying TMA to OCOs.
Of course, none of this TMA business is in the
text of the statute, and so the analysis above matters only assuming one
gives weight to what appears in this explanatory statement.
In my view, the explanatory statements and
committee reports have always been unusually important in the Title 10-Title
50 debate context, as repositories and expressions of carefully-negotiated
compromise positions, and so I’m not surprised to see that same approach
carried forward here.
It may be that since these aren’t the sort of
issues that get litigated in court anyway, it is more sensible than normal
to leave such important details in the legislative history documentation
rather than ensuring their clear expression in the statutory text.