Cyberattacks and the covert action statute: toward a domestic legal framework for offensive cyberoperations.

Author: Brecher, Aaron P.

Cyberattacks are capable of penetrating and disabling vital national infrastructure, causing catastrophic economic harms, and approximating the effects of war, all from remote locations and without the use of conventional weapons. They can be nearly impossible to attribute definitively to their sources and require relatively few resources to launch. The United States is vulnerable to cyberattacks but also uniquely capable of carrying out cyberattacks of its own. To do so effectively, the United States requires a legal regime that is well suited to cyberattacks' unique attributes and that preserves executive discretion while inducing the executive branch to coordinate with Congress. The trouble is that it is unclear which domestic legal framework should govern these attacks. The military and intelligence communities have disputed which of their respective legal regimes should control. The choice between these frameworks raises important issues about the policy benefits of the executive branch keeping Congress informed regarding cyberattacks that it conducts. It also raises constitutional questions about the branches' respective roles in warmaking when the chosen course of conduct blurs the line between an intelligence operation and an act of war. This Note argues that, in the absence of an independent congressional authorization to use force against a target, the covert action statute, which demands written reports from the president to the congressional intelligence committees in advance of operations, should presumptively govern, and that the president should issue an executive order to that effect.

TABLE OF CONTENTS

INTRODUCTION
I. The Covert Action and Military Regimes Explored
    A. Comparing the Covert Action and Military Regimes
      1. The Covert Action Regime: Written Findings and Advance Reports to Congressional Intelligence Committees
      2. The Military Regime: Execute Orders and Limited Congressional Notification
    B. The Military and Cyberattacks: An Uncomfortable Fit
    C. The Covert Action Regime: Some Advantages and a Limitation
II. The Covert Action Statute as an Independent Domestic Legal Basis For Use Of Force
    A. Separation of Powers and Constitutional War Powers
    B. Cyberattacks, Force, and Covert Action
      1. Cyberattacks, Youngstown, and War Powers
      2. The Covert Action Statute as Authorization to Use Force
III. Enacting the Covert Action Regime as Presumptive Via Executive Order
Conclusion

INTRODUCTION

In the second half of 2009, a serious computer virus began working its way through Iranian computer systems, eventually reaching the Natanz nuclear enrichment facility, where it damaged many hundreds of centrifuges used to produce enriched uranium. (1) The virus, known as Stuxnet, was designed to target specific industrial control processes and appears to have been aimed specifically at the Natanz enrichment facility. (2) The damage from Stuxnet was so extensive that the facility had to be shut down briefly. (3) Though the source of Stuxnet is not known definitively, press reports suggest that the United States created the virus with assistance from Israel. (4)

The Stuxnet incident highlights the increasing importance of cybersecurity as a key aspect of national security. It shows that sophisticated software that is difficult to attribute definitively to its source can cause tangible damage beyond cyberspace--potentially enough damage to be considered an act of war. U.S. policymakers have considered the possible courses of action that could be adopted in a cyberwar, and in 2011, the Pentagon announced that it might respond to certain cyberattacks on critical U.S. infrastructure with counterstrikes using conventional weapons. (5) Much of the public debate on cybersecurity has focused on how to prevent cyberattacks. (6) This Note analyzes the domestic legal regime that should govern the use of cyberattacks by the United States, especially outside the context of an otherwise traditional conflict.

The term "cyberattack," as used in this Note, refers to a "deliberate action[] to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information [or] programs resident in or transiting these systems or networks." (7) Key characteristics of cyberattacks include the great difficulty of attributing them definitively to their sources, (8) and their potential to cause almost instantaneous effects from anywhere in the world. (9) Cyberattacks are frequently confused with cyberexploitation, which as a technical matter is similar. The key difference is that cyberexploitation involves only the monitoring or copying of data, while cyberattacks involve the manipulation of data. (10) This Note discusses only the latter.

One lens through which to evaluate the proper domestic legal framework for cyberattacks is whether such operations should rely on intelligence legal authority (called "title 50" authority) or military legal authority (called "title 10" authority). (11) Under the military framework, the president is often free to order a wide range of operations without giving advance notice to Congress. (12) However, under the intelligence regime, covert actions, which are "activities ... to influence political, economic, or military conditions abroad, where it is intended that the role of the [U.S. government] will not be apparent or acknowledged publicly," (13) require written findings by the president that the operation is important to U.S. national security and reports made to the congressional intelligence committees. (14) Many cyberattacks could conceivably be carried out under either military legal authority or intelligence legal authority. However, the choice of a presumptive legal regime for national security policies could have an important effect on strategy, (15) as well as profound implications for the accountability of the executive branch to Congress. (16)

Engaging with the issues surrounding cyberattacks is important in part because American dependence on networked communications in both the private and public spheres makes the United States extremely vulnerable to cyberattacks. (17) At the same time, the United States is also among the best-equipped countries in the world to carry out offensive cyberattacks of its own. (18) Having the proper legal framework to regulate America's offensive use of these powerful tools will prove increasingly important as cyberattacks emerge as attractive options for dealing with cyberthreats (and physical threats) posed by terrorist groups as well as dealing with individuals who have the ability to use this relatively inexpensive cyberattack system. (19)

This Note argues that the Intelligence Authorization Act for Fiscal Year 1991's definitions and regulations of covert action (20) (hereinafter the "covert action statute") should provide the presumptive legal framework for cyberattacks initiated by the U.S. government, especially when the operation may affect neutral parties or the target is not already the object of a congressional authorization to use force. Part I summarizes the competing intelligence and military legal regimes. It then argues that cyberattacks pose unique problems when carried out under the military framework because of the difficulty of attributing a cyberattack to its source and the possibility of an attack producing serious effects on persons and infrastructure in allied countries. It concludes that the intelligence (covert action) regime can properly govern a wider range of actions than the military regime. Part II contends that, for cyberattacks with warlike effects, the covert action statute might serve as an alternative domestic legal basis to a traditional authorization to use force. Part II also argues that there are constitutional advantages to executive-legislative coordination when it is uncertain whether an attack amounts to a use of force--the alternative source of statutory support strengthens the president's authority to act in ambiguous circumstances. Finally, Part III concludes that the covert action statute provides the best balance between executive independence and congressional oversight among the two existing legal frameworks. It advocates that the president issue an executive order making the covert action regime the presumptive procedure for conducting cyberattacks.


    It is first useful to delineate the detailed statutory requirements for carrying out covert actions, as well as the circumstances under which the military may engage in cyberattacks. To that end, Section I.A briefly summarizes the covert action and military regime procedures. Section I.B then argues that the unique features of cyberspace make applying the law of armed conflict very difficult. Specifically, uncertainty over which cyberattacks constitute a use of force under international law could hamper the military's legal ability to launch cyberattacks under the military authority regime. Section I.C argues that while the covert action framework is not a catchall for every cyberattack that the government may wish to initiate, it does provide a legal basis for a considerable range of offensive actions in cyberspace. Examining the definition of covert action and an important exception to this definition, Section I.C shows that the covert action framework can be used by any number of agencies operating under a single framework, and it adapts well to the increasing blending of military and intelligence functions in the American national security apparatus.

    1. Comparing the Covert Action and Military Regimes

      Both military and intelligence activities are subject to complex internal planning and approval procedures. The most relevant difference between the respective legal regimes for purposes of this Note is that covert actions require the president to submit written "findings" to Congress whereas "execute orders" lack similarly rigorous reporting requirements. A "finding" is a written...
