Armed with a Keyboard: Presidential Directive 20, Cyber-Warfare, and the International Laws of War

Author: Matthew Rinear
Position: Matthew Rinear received his Juris Doctor Candidate as a member of the 2014 class of Capital University Law School.
Pages: 679-720
SUMMARY

Preceding the President’s NSA nomination, U.S. focus on cyber policy peaked in October of 2012, when President Obama issued Presidential Policy Directive 20 (Directive). The unpublished Directive, leaked in June of 2013, contains measures to strengthen America’s offensive and defensive cyber capabilities, including orders for intelligence officials to create overseas target lists for cyber-attacks...

 
MATTHEW RINEAR*
I. INTRODUCTION
On a chilly morning in November 2012, a doctor in a small American
town visited his favorite local coffee shop. With the sight of familiar faces
and the smell of freshly-brewed coffee surrounding him, the doctor was
lulled into an ignorant-bliss of the malicious, invisible element lurking
ominously in the shadows behind this seemingly innocuous daily routine.
After sitting down in his usual seat, the doctor used the shop’s free WiFi
Internet to remotely connect to his hospital’s internal computer network—a
practice he had engaged in countless times before. Unbeknownst to the
doctor, however, on this occasion, he was the subject of a covert surveillance
operation implemented by a foreign intelligence agent. As soon as the
doctor connected to the coffee shop’s unprotected WiFi, the agent exploited
the unsecured connection, monitored the doctor’s computer activity, and
stole the doctor’s hospital network username and password. Once inside the
hospital’s network, the agent shifted focus to his real target: an American
VIP (and patient) at the hospital. After perusing hospital records, the agent
ascertained the VIP’s weakness: a severe allergy to a certain medication.
Using the network’s web-based prescription system, the agent inserted a
small, but sufficient, dose of the drug into one of the VIP’s daily
prescriptions—the doctor, the hospital staff, and the VIP none the wiser.
Just like that, despite operating thousands of miles away, a foreign
operative successfully assassinated an important American figure. With the
stroke of a few keys, the foreign operative eliminated a high priority target,
eroded the confidence of the American public, and left intelligence officials
scrambling to catch an invisible culprit without possessing even a morsel of
physical evidence.
Fortunately for the VIP, the preceding tale is a fictionalized account
based on events that occurred in the imaginary municipality of CyberCity, a
virtual town created for the specific purpose of training government-
employed hackers to prepare for battle on what may be the final frontier of
Copyright © 2015, Matthew Rinear.
*Matthew Rinear received his Juris Doctor Candidate as a member of the 2014 class of
Capital University Law School.
680 CAPITAL UNIVERSITY LAW REVIEW [43:679
modern warfare—cyberspace.1 Unfortunately, however, scenarios of this
variety no longer solely play out in imaginary cyber-towns or fantastical
Hollywood screenplays; the recent rise in real-world implementation of
these types of attacks continually exposes the delicate vulnerabilities in both
national infrastructures and private industries.2
United States policy makers, law enforcement agencies, and military
branches continue to recognize this evolving threat to our virtual borders.3
In 2005, the Air Force expanded its mission statement to read, “to fly and
fight in air, space, and cyberspace.”4 In early 2009, the assistant director of
the FBI’s cyber division ranked cyber-attacks as the third most substantial
risk to national security, just behind nuclear war and weapons of mass
destruction.5 In 2011, the Department of Defense moved towards a
comprehensive cyberspace policy when it published its strategy for
operating in cyberspace.6 In February 2013, President Obama nominated
the head of the Navy’s Cyber Command as the next director of the National
Security Agency (NSA).7
Obama’s nomination of a cyber-expert to head the NSA comes as no
surprise to those following the recent heightened focus on the development
of cyber-operations. Preceding the President’s NSA nomination, U.S. focus
on cyber policy peaked in October of 2012, when President Obama issued
Presidential Policy Directive 20 (Directive).8 The unpublished Directive,
leaked in June of 2013, contains measures to strengthen America’s offensive
and defensive cyber capabilities, including orders for intelligence officials
1 See Robert O’Harrow Jr., CyberCity Allows Government Hackers to Train for Attacks,
WASH. POST, Nov. 27, 2012, at A1.
2 Id. at A6.
3 Id.
4 Major Arie J. Schaap, Cyber Warfare Operations: Development and Use Under
International Law, 64 A.F. L. REV. 121, 131 (2009) (emphasis added).
5 Id. at 123.
6 See Department of Defense Strategy for Operating in Cyberspace (July 2011),
http://www.defense.gov/news/d20110714cyber.pdf.
7 Michael F. Cochrane, Next NSA director knows cyber warfare, WORLD (Feb. 3, 2014,
2:12 PM), http://www.worldmag.com/2014/02/next_nsa_director_knows_cyber_warfare.
8 Obama tells intelligence chiefs to draw up cyber target list – full document text,
GUARDIAN (June 7, 2013, 3:07 PM), http://www.theguardian.com/world/interactive/2013/jun/07/obama-cyber-directive-full-text. [hereinafter The Directive].
to create overseas target lists for cyber-attacks.9 While the leaked Directive
does not contain details of specific cyber operations, the Directive’s
overarching purpose is to “put in place tools and a framework to enable the
government to make decisions on cyber actions.”10 The Directive introduces
an aggressive cyber warfare doctrine, including an order for officials to
identify overseas targets for cyber-attacks.11 Additionally, the Directive’s
defensive measures call for the government to proactively “seek
partnerships with industry . . . and other nations and organizations to
promote cooperative defensive capabilities.”12 The Directive also reserves
the right for government and military officials to make use of defensive
cyber operations when traditional law enforcement measures are deemed
inefficient to neutralize the threat.13
This Comment examines America’s growing dependency on the cyber-
world and the significance of international cyber-operations—both of which
strongly indicate the urgency of the Directive’s implementation.14
Additionally, this Comment analyzes the complex intricacies of this
relatively new form of combat and how the Directive’s execution may
sufficiently comply with the current laws of war.15
Part II examines how the government and the private sector’s ever-
increasing interconnectivity with cyberspace and the Internet opens the door
to cyber intrusions.16 Part III scrutinizes the technical details of cyber-
attacks—definitional issues, types of attacks, and general tactics used.17 Part
IV analyzes the laws of armed conflict and their application to offensive and
defensive cyber-actions, as well as the Directive itself.18 Finally, taking into
account the background and analyses contained within Parts II–IV, Part V
supports the proposition that a swift and effective implementation of the
9 See Glenn Greenwald & Ewen MacAskill, Obama orders US to draw up overseas target
list for cyber-attacks, GUARDIAN (June 7, 2013, 3:06 PM), http://www.theguardian.com/world/2013/jun/07/obama-china-targets-cyber-overseas.
10 Id.
11 Id.
12 The Directive, supra note 8, at 8.
13 Id.
14 See infra Part V.A.
15 See infra Part IV.A.
16 See supra Part II.
17 See infra Part III.
18 See infra Part IV.
