Armed with a Keyboard: Presidential Directive 20, Cyber-Warfare, and the International Laws of War

• Author: Matthew Rinear
• Position: Matthew Rinear received his Juris Doctor Candidate as a member of the 2014 class of Capital University Law School.
• Pages: 679-720

ARMED WITH A KEYBOARD: PRESIDENTIAL

DIRECTIVE 20, CYBER-WARFARE, AND THE

INTERNATIONAL LAWS OF WAR

MATTHEW RINEAR*

I. INTRODUCTION

On a chilly morning in November 2012, a doctor in a small American

town visited his favorite local coffee shop. With the sight of familiar faces

and the smell of freshly-brewed coffee surrounding him, the doctor was

lulled into an ignorant-bliss of the malicious, invisible element lurking

ominously in the shadows behind this seemingly innocuous daily routine.

After sitting down in his usual seat, the doctor used the shop’s free WiFi

Internet to remotely connect to his hospital’s internal computer network—a

practice he had engaged in countless times before. Unbeknownst to the

doctor, however, on this occasion, he was the subject of a covert surveillance

operation implemented by a foreign intelligence agent. As soon as the

doctor connected to the coffee shop’s unprotected WiFi, the agent exploited

the unsecured connection, monitored the doctor’s computer activity, and

stole the doctor’s hospital network username and password. Once inside the

hospital’s network, the agent shifted focus to his real target: an American

VIP (and patient) at the hospital. After per using hospital records, the agent

ascertained the VIP’s weakness: a severe allergy to a certain medication.

Using the network’s web-based prescription system, the agent inserted a

small, but sufficient, dose of the drug into one of the VIP’s daily

prescriptions—the doctor, the hospital staff, and the VIP none the wiser.

Just like that, despite operating thousands of miles away, a foreign

operative successfully assassinated an important American figure. With the

stroke of a few keys, t he foreign o perative elimin ated a high priority target,

eroded the confidence of the American public, and left intelligence officials

scrambling to catch an invisible culprit without possessing even a morsel of

physical evidence.

Fortunately for the VIP, the preceding tale is a fictionalized account

based on events that occurred in the imaginary municipality of CyberCity, a

virtual town created f or the specific purpose of training government-

employed hackers to prepare for battle on what may be the final frontier of

Copyright © 2015, Matthew Rinear.

*Matthew Rinear recei ved his Juris Doctor Candidate as a member of the 2014 class of

Capital University Law School.

680 CAPITAL UNIVERSITY LAW REVIEW [43:679

modern warfare—cyberspace.1 Unfortunately, however, scenarios of this

variety no longer solely play out in imaginary cyber-towns or fantastical

Hollywood screenplays; the recent rise in real-world implementation of

these types of attacks continually expose the delicate vulnerabilities in both

national infrastructures and private industries.2

United States policy makers, law enforcement agencies, and military

branches continue to recognize this evolving threat to our virtual borde rs.3

In 2005, the Air Force expanded its mission statement to read, “to fly and

fight in air, space , and cyberspace.”4 In early 2009, the assistant director of

the FBI’s cyber division ranked cyber-attacks as the third most su bstantial

risk to national security, just behind nuclear war and weapons of mass

destruction.5 In 2011, the Department of Defense moved towards a

comprehensive cyberspace policy when it published its strategy for

operating in cyberspace.6 In February 2013, President Obama nominated

the head of the Navy’s Cyber Command as the next director of the National

Security Agency (NSA).7

Obama’s nomination of a cyber-expert to head the NSA comes as no

surprise to those following the recent heightened focus on the development

of cyber-operations. Preceding the President’s NSA nomination, U.S. focus

on cyber policy peaked in October of 2012, when President Obama issued

Presidential Policy Directive 20 (Directive).8 The unpublished Directive,

leaked in June of 2013, contains measures to strengthen America’s offensive

and defensive cyber capabilities, including orders for intelligence officials

1 See Robert O’Harrow Jr., CyberCity Allows Government Hackers to Train for Attacks,

WASH. POST, Nov. 27, 2012, at A1.

2 Id. at A6.

3 Id.

4 Major Arie J. Schaap, Cyber Warfare Operations: Develo pment and Use Under

International Law, 64 A.F. L. REV. 121, 131 (2009) (emphasis added).

5 Id. at 123.

6 See Department of Defense Strategy for Operating in Cyberspace (July 2011),

http://www.defense.gov/news/d20110714cyber.pdf.

7 Michael F. Cochrane, Next NSA director knows cyber warfare, WORLD (Feb. 3, 20 14,

2:12 PM), http://www.worldmag.com/2014/02/next_nsa_director_knows_cyber_warfare.

8 Obama tells intelligence chiefs to draw up cyber target list – full document text,

GUARDIAN (June 7, 2013, 3:07 PM), http://www.theguardian.com/world/interactive/2013/

jun/07/obama-cyber-directive-full-text. [hereinafter The Directive].

2015] DIRECTIVE 20 AND CYBER-WARFARE 681

to create overseas target lists for cyber-attacks.9 While the leaked Directive

does not contain details of specific cyber operations, the Directive’s

overarching purpose is to “put in place tools and a framework to enable the

government to make decisions on cyber actions.”10 The Directive introduces

an aggressive cyber warfare doctrine, including an order for officials to

identify overseas targets for cyber-attacks.11 Additionally, the Directive’s

defensive measures call for the government to proactively “seek

partnerships with industry . . . and other nations and organizations to

promote cooperative defensive capabilities.”12 The Directive also reserves

the right for government and military officials to make use of defensive

cyber operations when traditional law enforcement measures are deemed

inefficient to neutralize the threat.13

This Comment examines America’s growing dependency on the cyber-

world and the significance of international cyber-operations—both of which

strongly indicate the urgency of the Directive’s implementation.14

Additionally, this Comment analyzes the complex intricacies of this

relatively new form of combat and how the Directive’s execution may

sufficiently comply with the current laws of war.15

Part II examines how the government and the private sector’s ever-

increasing interconnectivity with cyberspace and the Internet open the door

to cyber intrusions.

16 Part III scrutinizes the technical details of cyber-

attacks—definitional issues, types of attacks, and general tactics used.17 P art

IV analyzes the laws of armed conflict and its application to offensive and

defensive cyber-actions, as well as the Directive itself.18 Finally, taking into

account the background and analyses contained within Parts II–IV, Part V

supports the proposition that a swift and effective implementation of the

9 See Glenn Greenwald & Ewen MacAskill, Obama orders US to draw up overseas target

list for cyber-attacks, GUARDIAN (June 7, 2013, 3:06 PM), http://www.theguardian.com/

world/2013/jun/07/obama-china-targets-cyber-overseas.

10 Id.

11 Id.

12 The Directive, supra note 8, at 8.

13 Id.

14 See infra Part V.A.

15 See infra Part IV.A.

16 See supra Part II.

17 See infra Part III.

18 See infra Part IV.