You might be forgiven for thinking the thorniest part of cyber operations is their technical execution, but the speakers at US Cyber Command’s annual Legal Conference provided a fuller view of the thicket. The conference surveys “law and policy issues related to offensive and defensive cyberspace operations.” This year’s discussions covered a lot of ground, but one of their most interesting themes was the advantage adversaries now find in legal ambiguity and uncertainty: deterrence, as it took shape during the Cold War’s nuclear competition, hasn’t been successfully transposed to cyberspace.
Legal ambiguity, the Gray Zone, and cyber deterrence: notes from the 2021 USCYBERCOM Legal Conference.
US Cyber Command’s annual Legal Conference surveys “law and policy issues related to offensive and defensive cyberspace operations.” This year’s discussions covered a lot of ground, but one of their most interesting themes was the advantage adversaries now find in legal ambiguity and uncertainty: deterrence, as it took shape during the Cold War’s nuclear competition, hasn’t been successfully transposed to cyberspace.
Defending forward and persistent engagement with cyber adversaries.
US Cyber Command Commander General Paul Nakasone opened the 2021 USCYBERCOM Legal Conference, held on March 4, with comments on current cyber threats, the United States’ response, and the role of CyberCom. Nakasone highlighted threat actors ranging from lone wolves and criminal gangs to extremist organizations and advanced persistent threats, observing that “great power competition lives in cyberspace.” He said Beijing is the worst in terms of cyberespionage and intellectual property theft, while Moscow is our “most sophisticated cyber adversary,” and targets democratic institutions. North Korea exploits global financial networks to circumvent United Nations sanctions, and Iran deserves honorable mention for its advanced capacities and hostile intentions. Nakasone noted that bad actors are taking full advantage of present legal ambiguities.
Since 2018, the United States has pursued a strategy of defending forward via persistent engagement. Nakasone defined the two components of persistent engagement as enable, which involves sharing resources and intelligence, and act, comprised of hunt forward campaigns launched upon the request of allies. CyberCom’s three mandates, as a refresher, are to protect Defense Department networks, shield the country from attacks, and buttress the joint force.
Nakasone also spotlighted the work of the NSA’s Cybersecurity Collaboration Center and his team’s ongoing collaborations with Microsoft. He praised the whole-of-government 2020 election initiative, marking its goals of developing knowledge, bolstering security, and delivering consequences. CyberCom’s legal team, which he called “operationally critical to our mission,” also earned a shout out for their diverse competencies in communications, cyber, national security, intelligence, international law, the Constitution, and executive orders.
The case for a cyber show of force.
Reiterating some points from a piece covered by The CyberWire in December, Center for Strategic and International Studies Senior Vice President James Lewis spoke on the need to revamp the US’ cyber strategy. He characterized the current US position as defensive, reactive, and ineffective in the face of opponents who want to reshape the global order via a new, ambiguous genre of conflict.
Lewis argued that it’s time to retire outdated Cold War concepts of deterrence, set aside fruitless measures like sanctions and indictments, and forge a more forceful strategy that will change rivals’ cost-benefit analyses. Fears of inaugurating a cycle of retribution, he said, are misplaced, since that’s already the situation we find ourselves in, and escalation has not come to pass. The ideal target would be opponents’ cyber capabilities, and important questions about messaging, timing, scale, and endurance would need to be settled in advance.
Such “assertive” action would help restore Washington’s cyber credibility, Lewis reasoned, and encourage opponents to enter negotiations about what behavior is acceptable in cyberspace. Diplomacy is more compelling when paired with a stick.
Prior legal review of proposed cyber operations.
Navy Judge Advocate Commander Robin Crabtree shared insights from her cyberspace operations law experience at the Defense Department’s Office of General Counsel, explaining the role lawyers play in formulating and enacting cyber missions. Defense lawyers help the Department prepare for questions that other domestic and international authorities might raise and “bake the answers to those questions into their products.”
Crabtree said the job requires “extensive coordination” with partners. While some view the Defense Department as the “gazillion pound gorilla that…blocks out the cyber sun,” the agency’s responsibilities are quite narrow. They strive to stay in their lane, and spend a lot of time choosing the right words to clarify their authorities. Crabtree stressed the importance of understanding other agencies’ concerns and objectives so everyone can work together despite occasionally competing missions, and respecting the difference between legal and policy decisions. She also distinguished laws and norms, noting that violating norms is not unlawful.
The legal review process that occurs before an operation, Crabtree explained, considers the impacted technology, services, institutions, and people. One line lawyers often advise not crossing is describing an activity as a “use of force,” a designation that comes with added risk. For example some argue the breadth and potential for staging seen in the SolarWinds compromise could take it into the realm of an “armed attack,” but that understanding could also call into question US espionage operations. Another standard operating procedure allows uncertainties that don’t need to be resolved in order to take a desired action to remain unresolved.
What counts as "legitimate" cyberespionage.
University of Texas School of Law Professor Bobby Chesney, University of Virginia National Security Law Center Director Professor Kristen Eichensehr, and University of Reading International Law Professor Michael Schmitt rehashed longstanding debates in international law about when cyber operations qualify as attacks, and whether data qualifies as an object. France has promulgated the broadest view of attacks and objects, Israe, the narrowest. Schmitt and Eichensehr lean towards a middle ground. Some important considerations in making a use of force determination include the scale, target, effects, immediacy and duration of impact, and perpetrator of the operation. Where the line is drawn determines what counter-measures are acceptable. Schmitt reiterated Nakasone’s point that enemy states are actively exploiting current legal uncertainties.
The participants also discussed how best to understand sovereignty and intervention, with Chesney and Schmitt challenging the US to set aside the passing advantages of ambiguity, “get in the game,” and establish a clear, authoritative stance.
Eichensehr and Schmitt described Holiday Bear’s supply chain gambol as likely lawful espionage, noting their hesitation with the Biden Administration’s attempt to characterize “a lot of espionage” as something other than espionage.
Is Government interference in foreign information operations Constitutional?
Oklahoma University College of Law Professor Joseph Thai reviewed foreign information operations through the lens of the US Constitution. Thai explained that while the First Amendment does not grant foreign individuals the right to communicate with people in the United States, it does grant people in the United States the right to access foreign communications. He discussed how this right should (or should not) constrain the Government’s authority to block malicious foreign disinformation.
Case law generally comes down against prior restraint on publication, especially where political speech is concerned, with narrow carveouts for matters of national security and public safety, particularly those that pose “direct, immediate, and irreparable harm.” In Thai’s opinion, this means dangerous disinformation impacting public health might be permissible to censure, but election influence campaigns can’t be withheld from the American people, though the Capital riot could strengthen the case for censorship. Past judicial opinions have cast market forces as better arbiters of truth than a Government “Ministry of Truth.”
Thai would recommend amending Section 230 of the Communications Decency Act to require platforms to label foreign speech, a move that would not deny users foreign ideas but would better enable them to evaluate their merits.
Building a safer cyberspace together with allies and like-minded partners.
Former Deputy Assistant Secretary of Defense for Cyber Policy Thomas Wingfield recapped his time in the Department and his plans for his role as the cyber functional lead at the Defense Security Cooperation Agency’s Institute for Security Governance. The Institute’s mission is to “[a]dvance national security and foreign policy objectives by building partner institutional capabilities.”
Wingfield mentioned that an abiding “bottom-up” initiative to boost the capacities of less cyber competent countries is needed to complement the US’ already strong ties with more cyber capable nations. The results of this effort would be twofold: “more operational partners,” and decreased “unguarded grey space.” With a pinch of perseverance and a dash of determination, the results could be a “global network of like-minded cyber powers that will ensure this nation’s and the world’s security into the 21st century.”