A recently published story from the New York Times reports a “secret legal review” has been conducted on the use of cyber warfare by the United States. It concluded President Barack Obama has “the broad power to order a preemptive strike if the United States detects credible evidence of a major digital attack looming from abroad.”
Unnamed officials involved in the review inform that the administration is moving in the coming weeks to “approve the nation’s first rules for how the military can defend, or retaliate, against a major cyber attack.” These rules, according to David Sanger and Thom Shanker, will “govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States.” If the president approves a strike, the government will be able to “attack adversaries by injecting them with destructive code — even if there is no declared war.”
It further adds, “The Pentagon would not be involved in defending against ordinary cyberattacks on American companies or individuals, even though it has the largest array of cybertools. Domestically, that responsibility falls to the Department of Homeland Security, and investigations of cyberattacks or theft are carried out by the FBI.”
The Times story points out the rules—like the rules “governing drone strikes”—are highly classified and will be kept secret. The officials from the administration providing details spoke “on condition of anonymity because they were not authorized to talk on the record.” They selectively leaked a scant amount of details on evolving cyber warfare policy to allay concerns about this power the administration is claiming.
One official claimed the US had been “restrained in its use of cyberweapons” and said, “There are levels of cyberwarfare that are far more aggressive than anything that has been used or recommended to be done.” A “senior American official” said cyberweapons were as powerful as nuclear weapons and “should be unleashed only on the direct orders of the commander in chief.” The official added the decision to launch cyber operations will rarely be made by someone at a level “below the president,” which means “‘automatic’ retaliation if a cyber attack on America’s infrastructure is detected” has reportedly been “ruled out.”
The story suggests the Obama administration had their best and brightest minds think about preemptive attack and the ramifications of launching such strikes on a country. “One senior official” said a country could “claim it was innocent” and undermine the “justification for the attack” because it would be “very hard to provide evidence to the world that you hit some deadly dangerous computer code.” They also thought through “‘what constitutes reasonable and proportionate force’ in halting or retaliating against a cyber attack,” according to another official.
The leaking of details on the “secret legal review” comes just over a week after the Washington Post reported the FBI was engaging in a fishing expedition for journalistic communications as part of an investigation into the sources of leaks on Stuxnet or Olympic Games, the cyber warfare against Iranian nuclear enrichment facilities that was launched by Obama (which Sanger published details on in a major story in June of last year and also described in detail in his book, Confront & Conceal).
It is a bit appalling that officials are speaking without authorization when it is known the FBI has spent the past six or seven months prying into the communications of government employees, who were sources for the Times story.
Back in November, the Post reported the White House was engaged in “the most extensive” effort “to date to wrestle with what constitutes an ‘offensive’ and a ‘defensive’ action in the rapidly evolving world of cyberwar and cyberterrorism.” This “secret legal review” may or may not be a result of this effort that was authorized by Presidential Policy Directive 20 to make it possible for the United States military to respond more aggressively to “thwart cyberattacks on the nation’s web of government and private computer networks.” But, given what Ellen Nakashima reported, the secret directive was to “establish” a “broad and strict set of standards to guide the operations of federal agencies.” It was also to, for the first time, make “a distinction between network defense and cyber operations to guide officials charged with making often rapid decisions when confronted with threats.”
As I wrote, the “secret policy” was to map out a process for vetting “operations outside government and defense networks” and ensuring “US citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.” As one senior administration official told the Post, “What it does, really for the first time, is it explicitly talks about how we will use cyber operations…Network defense is what you’re doing inside your own networks. . . .Cyber operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
On May 30, 2011, the Wall Street Journal reported the Pentagon had “concluded that computer sabotage from another country” could “constitute an act of war.” WSJ suggested this would open the door to responding to sabotage with “traditional military force.” These details came from a formal cyber strategy the Pentagon had put together for responding to cyber threats to critical infrastructure. One imperious military official was quoted, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
About a week ago, the Pentagon announced it would be expanding its “cyber security unit.” Glenn Greenwald detailed how the force that was expected to go from 900 to over 4000 individuals would continue a trend of “disguising aggression as ‘defense.’”
The Pentagon now has a policy, a “cyber security” policy authorized by a presidential directive has now pushed for the development of policy and a “secret legal review” has grappled with questions and determined preemptive strikes on countries’ infrastructure could be carried out if the president orders such attacks.
What we know about the legal questions Obama has grappled with is all secret. The development of “cybersecurity” policy or cyber warfare policies indicate a further expansion of the body of secret law under Obama.
The government has secret legal opinions on when it can and cannot kill US citizens with drones. Senator Ron Wyden of Oregon has made requests to view these opinions but the Obama administration has refused to let him see targeted killing memos, even though he is by law supposed to view them so he can conduct oversight. The ACLU has requested these memos be released but a judge ruled that the government was within its right under FOIA to not release the legal interpretations.
The Foreign Intelligence Surveillance Court makes rulings authorizing warrantless surveillance under the FISA Amendments Act (FAA). Despite efforts by Senator Jeff Merkley of Oregon to amend the reauthorization of the FAA at the end of 2012, this was rejected by the Obama administration (even though the administration had previously indicated to Wyden it would be open to a process of making the court’s secret rulings public in some form).
The government also has secret interpretations of at least one section of the PATRIOT Act—Section 215. The ACLU’s Alexander Abdo said they make it possible for “the government to get secret orders from a special surveillance court (the FISA Court) requiring Internet service providers and other companies to turn over ‘any tangible things.’” (Not to mention the fact that there are national security directives issued by President George W. Bush that to this day remain secret and could have been released at least in summary form.)
The administration’s argument for keeping the “rules” or legal basis is that sources or methods would be revealed that would make it easier for adversaries to attack the United States. That is simply an argument to provide cover for the fact that the government wants wide latitude to be able to respond without being constrained by the law or politics. It is possible to inform the public of when the administration thinks the government has the power to launch attacks and go through several hypothetical scenarios. The reality is the government just does not want to do that because, if the scenario occurred and the administration responded differently, there could be controversy if it was found out they did not follow the “rules.”
Finally, like with the drone program, President Barack Obama is presiding over the creation and development of a power that previous presidents never imagined having. The national security state is effectively appointing him and all future presidents the proverbial judge, jury and executioner when it comes to cyber warfare.
There is no indication that any group of members in Congress or judicial body will have to approve of a preemptive strike before it is carried out. As has become typical, the president wants to be able to conduct war without needing authorization.
The policy will expand the imperial presidency and the public and civil society organizations, which have a distinct interest in knowing what the government is doing, will be kept in the dark on what is legal and illegal in cyber operations. The Congress will barely make any effort to defend its right to provide oversight of this new power. And any future details on this power will mostly come from selective leaks provided by officials, who do not think they will face repercussions for talking to the press. The policy itself, the rules for cyber war, will remain concealed.