The head of U.S. Cyber Command, Adm. Michael Rogers, indicated that Department of Defense leaders are discussing the possibility of U.S. military cyber operations in nations where the United States is not actively involved in a conflict.
During testimony April 11 before the House Armed Services subcommittee on emerging threats and capabilities, Rogers explained he is comfortable with his authorities to use offensive cyber tactics in Iraq, Syria and Afghanistan.
However, he said that DoD needs more speed and agility in employing these capabilities “outside the designated areas of hostility.” He added that this possibility is currently under review.
U.S. military activity outside of so-called “areas of designated or active hostilities,” a policy term that bears no meaning in international law, is not unprecedented and has a long, even formalized history.
The Obama administration’s so-called “drone playbook,” which provided a policy framework for how to employ lethal force – be it ground raids or drone strikes – in nations where the United States was not engaged in combat, could help provide a template for how Cyber Command’s capabilities could be employed.
The Obama playbook, parts of which have been adopted and altered by the Trump administration, outlined that if lethal force had to be taken, there had to be near certainty that no civilians or non-combatants would be killed.
In some regards, the policy was aimed at calming the tension of critics for use of lethal force around the world by establishing constraints and parameters.
Insofar as one thinks that the drone playbook was a solid solution for lethal force, it stands to reason that a similar approach could be acceptable for cyber applications as well, said Bobby Chesney, the associate dean for academic affairs at the University of Texas School of Law.
One of the critical differences, however, between drone strikes and cyber operations, Chesney pointed out, is that the location of drone or other kinetic strikes is one and the same as the underlying target. Cyber operations, on the other hand, may involve effects on a server in an area of the globe quite far removed from the location of the actual adversary ― meaning that a “bystander” state’s sovereignty may be involved in surprising ways.
Still, an analogy to the drone playbook could help in ramping down those bystander-state concerns. For example, Chesney noted, the playbook’s focus on avoiding collateral damage could be applied, with “digital collateral damage” including unrelated data and services supported by the same server that the U.S. might be targeting for other reasons.
Potentially complicating matters are the legal authorities and hurdles.
While the drone strikes were often secret in nature, they were not always covert. This blurred the lines and led to some confusion regarding covert action authority and classic military functions under the law, more specifically, Title 50 and Title 10.
Military units can conduct covert action, but only under the operational control of certain intelligence agencies as authorized by the president. However, highly secretive military units, such as Joint Special Operations Command, often conduct what look like covert activities, but are generally within the resident military legal authorities.
Just as a special operations unit might act in those locations, he noted, so too Cyber Command might do the digital equivalent. Similar host-state sovereignty concerns might arise, which is why having a playbook of sorts might help minimize the tensions. But at the end of the day, Chesney added, international law questions will remain just as they would in a kinetic operation context.
This is why, in some cases, it might make more sense to have intelligence agencies take the lead.
“Intelligence agencies can more easily act in this setting when operating under Title 50 authority, as covert action status carries with it a statutory obligation to comply with the U.S. Constitution and U.S. statutes—but no more than that. Title 10, in contrast, carries with it no such implicit statutory shield against international law objections, and of course there is a general Defense Department policy of international law compliance,” Chesney wrote in a post for the Lawfare Blog April 12.
A recent story published by CyberScoop highlighted some of these friction points currently within the U.S. government.
“The part I’m trying to figure out,” Rogers said, “is what is an appropriate balance to ensure that the broader set of stake holders have voice in what we do but at the same time we empower our capabilities with speed and agility to actually have a meaningful impact.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.