CYBER MAVEN: When and How Should the US Launch "Offensive" Cyberattacks?
By Ross Rustici - Warrior Maven Columnist and Senior Contributor -
Rustici Previously Served as a Technical Lead, Intrusion Analyst and East Asia Cyber Lead at the Department of Defense
“War is too important to be left to the politicians. They have neither the time nor inclination for strategic thought.”
The New York Times reported that the U.S. Government has delegated authority to “take a far more aggressive approach to defending the nation against cyberattacks.” This is a policy change that will likely lead to outcomes worse than the problem it is attempting to solve. Increasing the authority of any Commander to take offensive extraterritorial action outside defined conflict zones erodes civilian oversight of the military and increases the likelihood of miscalculation and actions working at cross purposes across the federal government.
Along with the elevation of the U.S. Cyber Command, a new policy has permitted “nearly daily raids on foreign networks, seeking to disable cyberweapons before they can be unleashed.”
This report, if accurate, fundamentally alters standing precedent of the Standing Rules of Engagement for the U.S. Armed Forces. Leveraging the delegated authority to Combatant Commanders of the Inherent Right of Self-Defense regarding attacks both on the unit under their command and the nation itself, it is possible to make an argument that disrupting offensive cyber capabilities of our adversaries is within the normal authorities.
However, given the ephemeral nature of the Internet, the burden of proof required to show emanate attack, and the perception of the military conducting covert operations, all serve to undermine any advantage the operations would give the United States.
Fundamentally, this new policy is moving offensive cyber operations from the clandestine world of covert operations to one that, by all rights should be executed with the cyber equivalent of a U.S. flag painted on the side of the weapon. Non-repudiation and non-attribution are things to be avoided if a traditional military unit is conducting the activity.
Anything short of publicly claiming every offensive operation, successful or not, should require additional authorities that the U.S. Cyber Command currently does not maintain.
Additionally, that use of force, akin to what America has prosecuted during its war on terror would require a use of force authorization from U.S. Congress. The primary advantage of using the CIA to execute the shadow cyber wars of the last decade was that covert actions could be authorized and carried out behind the cloak of Presidential findings.
The use of U.S. Cyber Command, and the U.S. military more broadly, needs to thrust this conversation into the center of the national debate on use of force, the military, and the pervasive authorizations the war on terror has allotted the executive branch. The longer, these conversations are ignored and downplayed because Cyber isn’t “real,” the more constrained policy makers become due to precedence setting and the weight of established bureaucratic processes.
Ultimately, this new policy raises the question: are we, as Americans, comfortable with any other combatant command running offensive, destructive operations against the like of Russia, China, North Korea, or Iran without prior authorization or debate?
Would we be comfortable with the commander of Indo-Pacific Command opening fire on Chinese military aircraft that intercept reconnaissance flights or Chinese fishing and coast guard vessels that impede freedom of navigation patrols in disputed waters? What about the U.S. military conducting sabotage operations within an adversary country?
Perhaps the cyber domain is so fundamentally different and unique that it can afford special rules of engagement and sustain a far more aggressive and constant military operations tempo than other domains. It might even be possible that increased action in cyber is used as a way to prevent spill over into other domains. Unfortunately, we have very little evidence to support that.
The current administration’s headlong push to militarize everything it can will push the policy debate to limit its options and focus first and foremost on the application of force and fundamentally alter the civil-military balance long enjoyed in this country.
 General Jack Ripper, Dr. Strangelove or: How I learned to Stop Worrying and Love the Bomb
-- Stay Tuned for more CYBER MAVEN Columns --
Ross Rustici - A Warrior Maven Columnist and Senior Contributor -
He Currently Serves as Senior Director, Intelligence Services, Cybereason.Cybereason
Ross previously served as Technical Lead - DoD, East Asia Cyber Lead - DoD, and Intrusion Analyst - DoD.