What is an Act of War in Cyberspace?

What constitutes an act of war in the cyber domain?

It’s a question that officials have wrestled with for some time without being able to provide a clear-cut answer.

But in newly-published responses to questions from the Senate Armed Services Committee, the Pentagon ventured last year that “The determination of what constitutes an ‘act of war’ in or out of cyberspace, would be made on a case-by-case and fact-specific basis by the President.”

“Specifically,” wrote then-Undersecretary of Defense (Intelligence) Marcel Lettre, “cyber attacks that proximately result in a significant loss of life, injury, destruction of critical infrastructure, or serious economic impact should be closely assessed as to whether or not they would be considered an unlawful attack or an ‘act of war.'”

Notably absent from this description is election-tampering or information operations designed to disrupt the electoral process or manipulate public discourse.

Accordingly, Mr. Lettre declared last year that “As of this point, we have not assessed that any particular cyber activity [against] us has constituted an act of war.”

See Cybersecurity, Encryption and United States National Security Matters, Senate Armed Services Committee, September 13, 2016 (published September 2017), at p. 85.

See related comments from Joint Chiefs Chairman Gen. Joseph Dunford in U.S. National Security Challenges and Ongoing Military Operations, Senate Armed Services Committee, September 22, 2016 (published September 2017), at pp. 56-57.

In January 2017, outgoing Obama DHS Secretary Jeh Johnson for the first time designated the U.S. election system as critical infrastructure. “Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law,” he wrote. It follows that an attack on the electoral process could now be considered an attack on critical infrastructure and, potentially, an act of war.

“Russia engaged in acts of war against America, not with bullets and bombs, but through a modern form of warfare, a cyberattack on our democracy,” opined Allan Lichtman, a history professor at American University, in a letter published in the latest issue of the New York Review of Books.

Not so fast, replied Noah Feldman and Jacob Weisberg: “The US is not now in a legal state of war with Russia despite that country’s attempts to affect the 2016 election.”

The current issue of the US Army’s Military Intelligence Professional Bulletin (Oct-Dec 2017) includes an article on Recommendations for Intelligence Staffs Concerning Russian New Generation Warfare by MAJ Charles K. Bartles (at pp. 10-17).

Senate Intelligence Authorization Report Filed

Do the security clearance procedures that are used for granting access to classified information actually serve their intended purpose?

To help answer that question, the Senate Intelligence Committee mandated a review of security clearance requirements, including “their collective utility in anticipating future insider threats.”

See the Committee’s new report on the Intelligence Authorization Act for Fiscal Year 2018, filed September 7, 2017.

The report summarizes the content of the pending intelligence authorization bill (S. 1761), which was filed last month, and adds Committee comments on various aspects of current intelligence policy.

So, for example, “The Committee remains concerned about the level of protection afforded to whistleblowers within the IC and the level of insight congressional committees have into their disclosures.”

The central point of contention in the bill is a provision (sec. 623) declaring a sense of Congress “that WikiLeaks and the senior leadership of WikiLeaks resemble a non-state hostile intelligence service often abetted by state actors and should be treated as such a service by the United States.”

The provision had originally stated that WikiLeaks and its leadership “constitute” a non-state hostile intelligence service. But this was amended to replace “constitute” with “resemble”. That move might have attenuated the provision’s significance except that it went on to say — whether WikiLeaks constitutes or merely resembles a non-state hostile intelligence service — that the U.S. should treat it as such.

A hostile state-based intelligence service would presumably be subject to intense surveillance by the US. A competent US counterintelligence agency might also seek to infiltrate the hostile service, to subvert its agenda, and even to take it over or disable it.

Whether such a response would also be elicited by “a non-state hostile intelligence service” is hard to say since the concept itself is new and undefined.

“The Committee’s bill offers no definition of ‘non-state hostile intelligence service’ to clarify what this term is and is not,” wrote Sen. Kamala Harris, who favored removal of this language, though she said WikiLeaks has “done considerable harm to this country.”

Sen. Ron Wyden, who likewise said that WikiLeaks had been “part of a direct attack on our democracy,” opposed the bill due to the WikiLeaks-related provision.

“My concern is that the use of the novel phrase ‘non-state hostile intelligence service’ may have legal, constitutional, and policy implications, particularly should it be applied to journalists inquiring about secrets,” Sen. Wyden wrote in minority views appended to the report. “The language in the bill suggesting that the U.S. government has some unstated course of action against ‘non-state hostile intelligence services’ is equally troubling.”

Special Ops, Counter-Propaganda, Overclassification

The House Armed Services Committee took a retrospective look at US special operations forces earlier this year, thirty years after the establishment of US Special Operations Command (SOCOM).

“SOCOM has a lot of missions it is responsible for, and has had several new ones added to it,” said Rep. Elise M. Stefanik (R-NY) at a hearing earlier this year. “Are there any of those missions that should go away or be reassigned?”

SOCOM Commander Gen. Raymond A. Thomas was ready with the answer: “There are no missions that should go away or be reassigned.”

See Three Decades Later: A Review and Assessment of our Special Operations Forces 30 Years After the Creation of U.S. Special Operations Command, House Armed Services Committee, May 2, 2017.

Some other notable congressional hearing volumes that have recently been published include:

Crafting an Information Warfare and Counter-propaganda Strategy for the Emerging Security Environment, House Armed Services Committee, March 15, 2017

Examining the Costs of Overclassification on Transparency and Security, House Oversight and Government Reform Committee, December 7, 2016

OLC Nominee: Every Member of Congress Can Do Oversight

The nominee to lead the Justice Department Office of Legal Counsel acknowledged that all members of Congress have the authority to conduct oversight of the executive branch, and that agencies have a responsibility to accommodate requests by members for information needed to perform their oversight function.

That might seem like a statement of the obvious. But the Office of Legal Counsel issued a controversial opinion earlier this year that took a much more limited view of congressional oversight power:

“The constitutional authority to conduct oversight — that is, the authority to make official inquiries into and to conduct investigations of executive branch programs and activities — may be exercised only by each house of Congress or, under existing delegations, by committees and subcommittees (or their chairmen),” the OLC opinion said. “Individual members of Congress, including ranking minority members, do not have the authority to conduct oversight in the absence of a specific delegation by a full house, committee, or subcommittee.”  See Authority of Individual Members of Congress to Conduct Oversight of the Executive Branch, Office of Legal Counsel, May 1, 2017.

Objecting to this narrow OLC conception of oversight, Sen. Chuck Grassley placed a hold on the nomination of Steven A. Engel to become the new Assistant Attorney General in charge of the OLC until Mr. Engel provided an acceptable response to Grassley’s concerns on the matter.

Yesterday, Senator Grassley withdrew his hold after Mr. Engel admitted, in written responses to questions from Grassley entered into the Congressional Record, that the OLC opinion was defective.

“Mr. Engel’s responses, both in writing and in person, indicate that he agrees each Member, whether or not a chairman of a committee, is a constitutional officer entitled to the respect and best efforts of the executive branch to respond to his or her requests for information to the extent permitted by law,” Sen. Grassley said.

“I am satisfied that Mr. Engel understands the obligation of all Members of Congress to seek executive branch information to carry out their constitutional responsibilities and the obligation of the executive branch to respect that function and seek comity between the branches. Therefore, I agree a vote should be scheduled on his nomination, and I wish him the very best in his new role,” he said.

See Removal of Nomination Objection, Congressional Record, July 19, 2017, pp. S4077-4079.

The Fifth Amendment in Congressional Investigations

Individuals have a broad right to refuse to testify before Congress by invoking the Fifth Amendment right against self-incrimination, the Congressional Research Service explained last week.

“Even a witness who denies any criminal wrongdoing can refuse to answer questions on the basis that he might be ‘ensnared by ambiguous circumstances’.”

On the other hand, the scope of the Fifth Amendment privilege applies more narrowly when it comes to a congressional demand that a witness produce documents. “The Supreme Court has made clear that the mere fact that the contents of a document may be incriminating does not mean that the document is protected from disclosure under the Fifth Amendment.”

See The Fifth Amendment in Congressional Investigations, CRS Legal Sidebar, May 26, 2017.

Other new and updated products from the Congressional Research Service include the following.

President’s FY2018 Budget Proposes Cuts in Public Health Service (PHS) Agency Funding, CRS Insight, May 24, 2017

President John F. Kennedy Assassination Records Collection: Toward Final Disclosure of Withheld Records in October 2017, CRS Insight, May 26, 2017

Trump Objects to Legislated Limits on Secrecy

In the new Consolidated Appropriations Act of 2017 (section 8009), Congress mandated that no new, highly classified special access programs may be created without 30 day advance notice to the congressional defense committees.

But in signing the bill into law last Friday, President Trump said he would not be bound by that restriction.

“Although I expect to be able to provide the advance notice contemplated by section 8009 in most situations as a matter of comity, situations may arise in which I must act promptly while protecting certain extraordinarily sensitive national security information. In these situations, I will treat these sections in a manner consistent with my constitutional authorities, including as Commander in Chief,” he wrote in a May 5 signing statement.

More generally, Trump suggested that his power to classify national security information is altogether independent of Congress. “The President’s authority to classify and control access to information bearing on the national security flows from the Constitution and does not depend upon a legislative grant of authority,” he wrote.

This is a paraphrase of language in the 1988 US Supreme Court opinion in Department of the Navy v. Egan (The President’s “authority to classify and control access to information bearing on national security… flows primarily from this Constitutional investment of power in the President and exists quite apart from any explicit congressional grant.”)

But left unsaid in President Trump’s signing statement was that the Supreme Court has also held that Congress could modify existing classification procedures or create its own secrecy system.

Thus, in EPA v. Mink (1973), the Supreme Court stated: “Congress could certainly have provided that the Executive Branch adopt new [classification] procedures, or it could have established its own procedures — subject only to whatever limitations the Executive privilege may be held to impose upon such congressional ordering.”

And, as noted by Jennifer Elsea, Congress has in fact legislated a classification regime for nuclear weapons-related information in the Atomic Energy Act.

So the newly legislated notification requirements concerning special access programs appear to be well within the constitutional authority and power of Congress.

The Intelligence Authorization Act for FY 2017 was incorporated into the Consolidated Appropriations Act as “Division N” and enacted into law.

President Trump’s reservations about various provisions in the new appropriations act were presented in the first signing statement issued by the current Administration (h/t Charlie Savage).

Is “Cyberwar” War?

Are offensive cyber operations an act of war?

“I would say specifically to your question what defines an act of war [in the cyber domain]– that has not been defined. We are still working towards that definition across the interagency,” said Thomas Atkin of the Office of Secretary of Defense at a congressional hearing last year.

He elaborated in newly published responses to questions for the record:

“When determining whether a cyber incident constitutes an armed attack, the U.S. Government considers a number of factors including the nature and extent of injury or death to persons and the destruction of, or damage to, property. Besides effects, other factors may also be relevant to a determination, including the context of the event, the identity of the actor perpetrating the action, the target and its location, and the intent of the actor, among other factors.” See Military Cyber Operations, hearing of the House Armed Services Committee, June 22, 2016.

If cyberwar is in fact war, would civilians who support military cyber operations be lawful combatants? They might not be, Mr. Atkin said.

“During armed conflict, some civilians who support the U.S. armed forces may sit at the keyboard and participate, under the direction of a military commander, in cyberspace operations. The law of war does not prohibit civilians from directly participating in hostilities, such as offensive or defensive cyberspace operations, even when that activity would be a use of force or would involve direct participation in hostilities; however, in such cases, a civilian is not a ‘lawful combatant’ and does not enjoy the right of combatant immunity, is subject to direct attack for such time as he or she directly participates in hostilities, and if captured by enemy government forces may be prosecuted for acts prohibited under the captor’s domestic law.”

But any such danger to unlawful civilian cyber-combatants is probably not an imminent hazard, he added. “Most, if not the great majority, of our civilian cyber workforce involved in providing support to cyberspace operations during armed conflict will not be serving on the battlefield where they may be the object of attack or risk being detained by the enemy. Instead, most will be providing their support remotely from areas outside the area of hostilities, are not easily identifiable as an individual, and are likely serving in the United States.”

White House: Prepare for the Unpredictable

“The Nation must prepare to mitigate an unpredictable global security and national emergency environment,” the White House said in a report to Congress this month.

The report, transmitted by President Trump on April 3, provided principles for reform of the selective service process by which young Americans enter the military. The report was required by section 555 of the 2017 defense authorization act.

“The Nation must be ever mindful of the unpredictable global security environment that requires an effective and efficient means to provide manpower to the national security community, including military and non-military support in a national emergency,” the President’s report said.

How to prepare in practice for the unpredictable is not clear, except that it involves flexibility.

“Any system, process, or program used to identify, recruit, and employ additional skill sets should be effective in times of peace, war, and other levels of conflict or emergency response. Associated initiatives, systems, and processes must be seamless, robust, and able to expand and contract as needed,” the report said.

Congress established a new National Commission to consider changes to the selective service system, and to develop “the means by which to foster a greater attitude, ethos, and propensity for military services among United States youth.”

Sharing Classified Info with Foreign Governments

Disclosing classified information to foreign government personnel is ordinarily forbidden, and may constitute espionage. But sometimes it is permitted, even to non-allies.

“National Disclosure Policy Committee (NDPC) policy prohibits the release of classified information [to] a foreign government without an explicit authorization, such as an Exception to United States (U.S.) National Disclosure Policy (ENDP), and an information sharing agreement,” explained VADM James D. Syring, director of the Pentagon’s Missile Defense Agency, in response to a congressional question last year.

Such Exceptions are occasionally requested, however, and granted.

“The Missile Defense Agency (MDA) submitted three requests for Exception to United States National Disclosure Policy (ENDP) from 2007–2011 seeking authority to disclose classified information to the Russian Federation (RF) relating to three ballistic missile defense flight test events,” VADM Syring said.

“In each case, authority granted by the NDPC was limited to oral and visual disclosure only under controlled conditions. The RF sent attendees to two of the three test events (in 2007 and 2010). No invitations were extended for the third event (in August 2011), and no disclosure occurred. MDA has not submitted any further requests for ENDP for the RF.”

“MDA has not sought ENDP [Exceptions] for release of any information to the People’s Republic of China,” he added.

The exchange between VADM Syring and Rep. Mike Rogers appeared in a newly published hearing volume on The Missile Defeat Posture and Strategy of the United States — The Fiscal Year 2017 President’s Budget Request, House Armed Services Committee, April 14, 2016 (at pp. 118-119).  The same volume notably includes discussion of “left of launch” approaches to countering ballistic missile threats.

At its best, congressional oversight can be a powerful engine of disclosure that matches or exceeds what the Freedom of Information Act or other mechanisms can offer. (The FOIA does not permit requesters to ask questions, only to request records.) Hearings of the House Armed Services Committee regularly generate new information on military policy, especially in the published hearing records.

Another newly published HASC hearing containing some nuggets of interest is National Security Space: 21st Century Challenges, 20th Century Organization, September 27, 2016.

Mandating Declassification in Congress

Last week a bill was introduced in the Senate “to require the Secretary of Defense to declassify certain documents related to incidents in which members of the Armed Forces were exposed to toxic substances.”

The bill (S. 726), introduced by Sen. Jerry Moran (R-KS) and Sen. Jon Tester (D-MT), generally requires declassification of all “documents related to any known incident in which not fewer than 100 members of the Armed Forces were exposed to a toxic substance that resulted in at least one case of a disability that a member of the medical profession has determined to be associated with that toxic substance.”

The bill is the latest example of congressional action to initiate, prioritize or override executive branch policy on declassification of national security records.

The new bill grants an exception from the declassification requirement “if the Secretary [of Defense] determines that declassification of those documents would materially and immediately threaten the security of the United States.” This is a notably narrower exemption than that provided by the Freedom of Information Act, which deems records properly classified and therefore exempt if their disclosure would simply cause “damage” to national security.

The bill would not provide any new funding for declassification. So it would presumably be implemented at the expense of current declassification programs.

The Moran-Tester bill may or may not advance through the legislative process. But numerous other congressional declassification initiatives have been enacted into law over the years.

In a report last week, for example, the Senate Intelligence Committee recalled that it had successfully legislated “a requirement that the DNI complete a declassification review of information on the past terrorist activities of detainees transferred or released from Guantanamo, [and] make resulting declassified information publicly available.”  See SSCI Report on activities during the 114th Congress, S.Rpt. 115-13, March 29.