What is an Act of War in Cyberspace?

What constitutes an act of war in the cyber domain?

It’s a question that officials have wrestled with for some time without being able to provide a clear-cut answer.

But in newly published responses to questions from the Senate Armed Services Committee, the Pentagon ventured last year that “The determination of what constitutes an ‘act of war’ in or out of cyberspace, would be made on a case-by-case and fact-specific basis by the President.”

“Specifically,” wrote then-Undersecretary of Defense (Intelligence) Marcel Lettre, “cyber attacks that proximately result in a significant loss of life, injury, destruction of critical infrastructure, or serious economic impact should be closely assessed as to whether or not they would be considered an unlawful attack or an ‘act of war.’”

Notably absent from this description is election-tampering or information operations designed to disrupt the electoral process or manipulate public discourse.

Accordingly, Mr. Lettre declared last year that “As of this point, we have not assessed that any particular cyber activity [against] us has constituted an act of war.”

See Cybersecurity, Encryption and United States National Security Matters, Senate Armed Services Committee, September 13, 2016 (published September 2017), at p. 85.

See related comments from Joint Chiefs Chairman Gen. Joseph Dunford in U.S. National Security Challenges and Ongoing Military Operations, Senate Armed Services Committee, September 22, 2016 (published September 2017), at pp. 56-57.

In January 2017, outgoing Obama DHS Secretary Jeh Johnson for the first time designated the U.S. election system as critical infrastructure. “Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law,” he wrote. It follows that an attack on the electoral process could now be considered an attack on critical infrastructure and, potentially, an act of war.

“Russia engaged in acts of war against America, not with bullets and bombs, but through a modern form of warfare, a cyberattack on our democracy,” opined Allan Lichtman, a history professor at American University, in a letter published in the latest issue of the New York Review of Books.

Not so fast, replied Noah Feldman and Jacob Weisberg: “The US is not now in a legal state of war with Russia despite that country’s attempts to affect the 2016 election.”

The current issue of the US Army’s Military Intelligence Professional Bulletin (Oct-Dec 2017) includes an article on Recommendations for Intelligence Staffs Concerning Russian New Generation Warfare by MAJ Charles K. Bartles (at pp. 10-17).

Is “Cyberwar” War?

Are offensive cyber operations an act of war?

“I would say specifically to your question what defines an act of war [in the cyber domain] – that has not been defined. We are still working towards that definition across the interagency,” said Thomas Atkin of the Office of Secretary of Defense at a congressional hearing last year.

He elaborated in newly published responses to questions for the record:

“When determining whether a cyber incident constitutes an armed attack, the U.S. Government considers a number of factors including the nature and extent of injury or death to persons and the destruction of, or damage to, property. Besides effects, other factors may also be relevant to a determination, including the context of the event, the identity of the actor perpetrating the action, the target and its location, and the intent of the actor, among other factors.” See Military Cyber Operations, hearing of the House Armed Services Committee, June 22, 2016.

If cyberwar is in fact war, would civilians who support military cyber operations be lawful combatants? They might not be, Mr. Atkin said.

“During armed conflict, some civilians who support the U.S. armed forces may sit at the keyboard and participate, under the direction of a military commander, in cyberspace operations. The law of war does not prohibit civilians from directly participating in hostilities, such as offensive or defensive cyberspace operations, even when that activity would be a use of force or would involve direct participation in hostilities; however, in such cases, a civilian is not a ‘lawful combatant’ and does not enjoy the right of combatant immunity, is subject to direct attack for such time as he or she directly participates in hostilities, and if captured by enemy government forces may be prosecuted for acts prohibited under the captor’s domestic law.”

But any such danger to unlawful civilian cyber-combatants is probably not an imminent hazard, he added. “Most, if not the great majority, of our civilian cyber workforce involved in providing support to cyberspace operations during armed conflict will not be serving on the battlefield where they may be the object of attack or risk being detained by the enemy. Instead, most will be providing their support remotely from areas outside the area of hostilities, are not easily identifiable as an individual, and are likely serving in the United States.”

US Military Advantage in Cyberspace is Challenged

The superiority of the US military in cyberspace, which once could be taken for granted, is gradually eroding, says an Army Field Manual published this week.

In the past decade, “U.S. forces dominated cyberspace and the electromagnetic spectrum (EMS) in Afghanistan and Iraq against enemies and adversaries lacking the technical capabilities to challenge our superiority in cyberspace.”

“However, regional peers have since demonstrated impressive capabilities in a hybrid operational environment that threaten the Army’s dominance in cyberspace and the EMS,” according to the new Field Manual.

“Rapid developments in cyberspace and the EMS will challenge any assumptions of the Army’s advantage in this domain. While it cannot defend against every kind of intrusion, the Army must take steps to identify, prioritize, and defend its most important networks and data.”

The underlying principles of US Army operations in cyberspace were described in the new Field Manual 3-12, Cyberspace and Electronic Warfare Operations, 11 April 2017 (unclassified, 108 pages).

Air Force Updates Doctrine on Cyberspace Operations

Within living memory, even a passing mention of cyber weapons or U.S. offensive activities in cyberspace was deemed sufficient to justify national security classification. Now, although the Obama Administration generally neither claims nor receives credit for it, military cyberspace doctrine has become one of a number of significant policy areas in which this Administration is demonstrably “more transparent” than its predecessors.

A new US Air Force directive “provides policy guidelines for planning and conducting AF cyberspace operations to support the warfighter and achieve national security objectives.”

“The AF will execute Cyberspace Operations” — including both offensive and defensive actions — “to support joint warfighter requirements, increase effectiveness of its core missions, increase resiliency, survivability, and cybersecurity of its information and systems, and realize efficiencies through innovative IT solutions.” See Cyberspace Operations, Air Force Policy Directive AFPD 17-2, April 12, 2016.

A companion directive further specifies, for example, that “Air Force Space Command (AFSPC) will… deploy AF approved cyber weapon systems.” See Air Force Policy Directive 17-1, Information Dominance, Governance and Management, 12 April 2016.

A Bureaucratic History of Cyber War

When Gen. Keith Alexander became the new director of the National Security Agency in 2005, “his predecessor, Mike Hayden, stepped down, seething with suspicion” – towards Alexander.

As told by Fred Kaplan in his new book Dark Territory, Gen. Hayden and Gen. Alexander had clashed years before in a struggle “for turf and power, leaving Hayden with a bitter taste, a shudder of distrust, about every aspect and activity of the new man in charge.” The feeling was mutual.

The subject (and subtitle) of Kaplan’s book is “the secret history of cyber war.” But the most interesting secrets disclosed here have less to do with any classified missions or technologies than with the internal bureaucratic evolution of the military’s interest in cyber space. Who met with whom, who was appointed to what position, or even (as in the case of Hayden and Alexander) who may have hated whom all turn out to be quite important in the ongoing development of this contested domain.

Kaplan seems to have interviewed almost all of the major players and participants in this history, and he has an engaging story to tell. (Two contrasting reviews of Dark Territory in the New York Times are here and here.)

Meanwhile, the history of cyber war is becoming gradually less secret.

This week, the Department of Defense openly published an updated instruction on Cybersecurity Activities Support to DoD Information Network Operations (DoD Instruction 8530.01, March 7).

It replaces, incorporates and cancels previous directives from 2001 that were for restricted distribution only.

Army: Rapid Reprogramming Needed for Cyber Ops

Changes in the cyber threat environment require the Army to be able to rapidly reprogram its own military software, a newly updated Army Regulation directs.

“Warfare is rapidly moving into a new domain: cyberspace. This will affect warfighting in all domains, and the Army will take measures to adapt to the cyberspace environment.”

“This increased responsiveness demands shortened timelines to combat enemy threats as they adapt to new technology and to new methods of employment.”

“RSR [Rapid Software Reprogramming] will be required to become even more adaptive, automated, and integrated with weapons systems operating in the EMS [electromagnetic spectrum].”

“This policy gives the Army a process which enables soldiers a reach-back RSR capability that will assist commanders to attain tactical superiority, achieve surprise, gain and retain the initiative, maintain awareness of new and emerging threats, and obtain decisive results…,” the unclassified Regulation said.

The Assistant Secretary of the Army (ALT) will “Ensure that sensor-based weapons and CEMA [Cyber Electromagnetic Activities] systems are developed using software reprogrammable signature detection, classification, and response capabilities that can be responsive and enabling to EW [Electronic Warfare], spectrum management and cyber operations.”

See Software Reprogramming for Cyber Electromagnetic Activities, Army Regulation 525-15, 19 February 2016.

Air Force: Cyber Warriors Need Plenty of Rest

New guidance from the U.S. Air Force on the use of cyberspace weapons directs Air Force personnel to get a good night’s sleep prior to performing military cyberspace operations and to refrain from alcohol while on duty.

“Crew rest is compulsory for any crew member prior to performing any crew duty on any cyber weapon system,” the May 5 guidance says. “Each crew member is individually responsible to ensure he or she obtains sufficient rest during crew rest periods.”

Furthermore, “Crew members will not perform cyberspace mission duties within 12 hours of consuming alcohol or other intoxicating substances, or while impaired by its after effects,” the new Air Force guidance stated.

“This instruction prescribes operations procedures for cyberspace weapons systems under most circumstances, but it is not a substitute for sound judgment or common sense,” the Air Force said.

The document discusses the general conduct of Air Force cyber operations, including so-called “Real-Time Operations & Innovation” (RTOI) projects that enable the USAF “to generate tools and tactics in response to critical cyber needs at the fastest possible pace.”

See Cyberspace Operations and Procedures, Air Force Instruction 10-1703, volume 3, 5 May 2015.

With the growing normalization of defensive and (especially) offensive military operations in cyberspace, more and more U.S. military doctrine governing such activity is gradually being published on an unclassified basis. Some of the principal components of this emerging open literature include the following:

Cyberspace Operations, Joint Publication 3-12, 5 February 2013

Cyberspace Operations, Air Force Policy Directive 10-17, 31 July 2012

Command and Control for Cyberspace Operations, Air Force Instruction 10-1701, 5 March 2014

Legal Reviews of Weapons and Cyber Capabilities, Air Force Instruction 51-402, 27 July 2011

Information Assurance (IA) and Support to Computer Network Defense (CND), Chairman of the Joint Chiefs of Staff Instruction 6510.01F, 9 February 2011

Department of Defense Strategy for Operating in Cyberspace, July 2011

The Department of Defense Cyber Strategy, April 2015