Towards a Cyberspace Legal Regime in the Twenty-first Century: Considerations for American Cyber-warriors

• Publication year: 2021
• Citation: Vol. 87

87 Nebraska L. Rev. 712. Towards a Cyberspace Legal Regime in the Twenty-First Century: Considerations for American Cyber-Warriors

712

Towards a Cyberspace Legal Regime in the Twenty-First Century: Considerations for American Cyber-Warriors

Major General Charles J. Dunlap, Jr.(fn*)

Presented at the Air University 2008 Cyberspace Symposium Maxwell AFB, AL 16 July 2008

Ladies and gentlemen, thank you very much for the opportunity to speak with you about the legal and, indeed, philosophical issues with which we are grappling to e proceeding, let me state for the record that I am giving you my personal opinion, and not necessarily that of the U.S. government or any of its instrumentalities.

Let me begin with the observation that the cyber world in all its many dimensions is embedded in virtually all national security issues.(fn1) Consider that the Department of Defense ("DoD") defines cyberspace as the "global domain within the information environment

713

consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers."(fn2)

Obviously, there is hardly any aspect of modern military operations that fails to involve cyberspace in some way, and much the same can be said about our economy(fn3) and, indeed, our way of life.

Defending our way of life is the raison d'etre of America's armed forces.(fn4) This brings me, however, to my first point, and this is simply that because a particular cyber-related matter has a national security dimension does not mean, necessarily, that it is appropriate for the armed forces to address.

I believe that in the twenty-first century, national security challenges do require a national response. We need to bring all elements of national power to bear and that, by definition, requires robust involvement of agencies and entities outside the DoD. This is particularly important in the context of cyber matters. Much of what transpires in the cyber realm that concerns us does not resemble traditional military threats.(fn5) That is something of an issue because our legal architecture for the law of war is built upon the concept of traditional military threats.

714

As I will discuss in a moment, that does not mean, however, that all the laws and treaties are irrelevant; rather, it means that it takes hard work and innovative analysis to apply existing law to emerging cyber issues.

For example, one of the central issues-a truly perennial one-is when does a specific cyber activity constitute the kind of peril that makes it appropriate for a national security response as opposed to a law enforcement response? This is not a new issue; as an aside, I wrote an article about this subject in 1996, yet here we are today still wrestling with it.(fn6)

I am an adherent of the "Schmitt test," which was enunciated in a 1999 law review article by Michael N. Schmitt, a retired Air Force judge advocate.(fn7) What he does, as many of you know, is lay out a number of factors to consider.(fn8) The aim of this analysis is to determine when the consequences of a particular cyber event have an effect that mirrors that of a traditional kinetic attack. If it does, the whole panoply of the law of war may apply.(fn9)

Sounds simple? The concept is simple, but its application is complicated because it requires subjective and qualitative judgments that, like so many judgments in the military and diplomacy realms, reside in an arena of imperfect information and grey areas.

The only solution to this is to attempt to work through various scenarios in exercises and other controlled situations so that we can develop robust ways of thinking about the criteria, and figure out the

715

optimal way to get the information under the stress and time pressure of an actual incident.

Looking ahead, it may be wise to build systems explicitly designed to obtain data to make this determination, and which can archive the decision-making process and rationale. As we have seen in the kinetic dimension,(fn10) we can almost be certain that cyber operations will be subject to exhaustive after-the-fact examinations aimed at accountability if things go awry-as will certainly be the case at some point.

On a related matter, if we are ever going to normalize cyberwar in the warfighting commander's toolkit, we are going to need robust systems that model the effects of a particular cyber technique.(fn11) We need this capability for two reasons; one is to help determine whether a cyber activity conducted by us, or against us, fulfills the Schmitt test so as to constitute the equivalent of a kinetic attack. As discussed, very different legal regimes flow from that critical, threshold determination.

If it equates to a kinetic strike against us, we then know we are likely free to conduct a national security response-whether that be diplomatic, economic, or military-as opposed to a law enforcement reaction. Similarly, if we are contemplating a cyber action that equates to a kinetic strike, a modeling capability will provide essential data to a decision-maker who must understand the effects in order to conduct a proportionality analysis, traditionally required under the law of war.(fn12)

716

Of course, the analysis does not stop at the "type of attack" determination, but next moves to a level of complexity embroiled with legal, policy, and even diplomatic entanglements. The real sticking point these days is a policy one, that is, the level of authority required to respond to an attack or launch a preemptory attack in light of a hostile threat or imminent attack.

As many of you know, that authority often rests at such a high level as to render a timely, viable response option almost impossible to implement. The bureaucratic coordination process renders potential cyber options too cumbersome for rapid, surgical responses. In my view, appropriate commanders must be given authority to utilize non-kinetic, or cyber, responses under the same rules that govern their use of weapon systems that result in kinetic effects. This "kinetic effects equivalency" is the "KEE" to making cyber responses a truly feasible option for commanders.(fn13)

The thorny questions, of course, often revolve around the legal parameters for cyber activities conducted under circumstances that invariably fall short of those that would justify the application of law of war principles.

Let me issue a clear warning. In the post 9/11 world, many legal experts believed that the President's commander-in-chief authority was readily applicable to threats presented by nontraditional actors such as terrorists and other subnational entities, and not subject to much in the way of other legal restraints.

In important ways, however, that concept of Presidential authority has been restricted by the courts. The Supreme Court's decision in Boumediene v. Bush,(fn14) released last June, is just the latest example. This is not to say that unilateral Presidential authority in the national security realm has been wholly eviscerated. Rather, it simply clarifies that the scope of that authority is more limited than some supposed.

I am particularly concerned about domestic cyber activity by the armed forces. I am not privy to what may or may not have been the involvement of military entities in domestic surveillance activities, but I would warn you that anything beyond activities very explicitly authorized by law must be avoided. You cannot be too careful here.

Apart from everything else, I believe that civilian agencies have much more robust capability(fn15) than may have existed in the after-

717

math of 9/11, so whatever exigency that may have...