When Gen. Keith Alexander, the head of the Pentagon’s Cyber Command, comes to the Hill on Tuesday, he will probably be asked to describe his plans for building a military force to defend the nation against cyberattacks.
But one question remains unclear: Under what circumstances will these cyberwarriors be used?
President Obama last fall signed a classified directive that requires an “imminent” or ongoing threat of an attack that could result in death or damage to national security before a military cyber-action can be taken to thwart it.
But the definition of “imminent” is, like the definition of an “act of war,” subjective and dependent upon circumstances.
A century ago, when one nation’s army massed at another’s border, imminence was clearer. An attack seemed about to happen. Most acknowledged the threatened nation had a right to defend itself.
But today, technology and terrorism have confused the application of old rules. In cyberspace, where attacks can launch in milliseconds, a nation might not have enough time to detect an attack and mount a defense.
In fact, the last clear “window of opportunity” to counter a threat may be hours or days or months before it is launched. That broader concept of imminence was advanced, to some lawmakers’ concern, in a recently leaked Justice Department white paper outlining the rationale for lethal drone strikes against certain al-Qaeda operational leaders.
Administration officials have struggled in recent months to determine when Cyber Command, under new rules of engagement soon to be issued, should be empowered to neutralize an attack without presidential permission.
“We’ve run through dozens of scenarios, and each time you get to the point where you say, ‘You mean you really couldn’t get to the president in time?’ ” said one senior military official, who like other U.S. officials spoke on the condition of anonymity to discuss internal deliberations. “Until something happens, our best guess is it’s going to be an extremely narrow circumscribed set of conditions that would really be imminent.”
As officials debate — largely in secret — how to apply traditional concepts such as imminence to modern warfare, they say that in cyberspace, a clear line is virtually impossible to draw between a justified strike in self-defense and a preemptive one that is considered an unprovoked act of aggression.
“Suppose that somebody’s sending a signal to freeze all our computer networks,” an administration official said in a recent interview. “I think most people would agree that we can neutralize that virus and we can do that in self-defense.”
Under the concept of anticipatory self-defense, “you don’t have to wait until they paralyze the server, because, once they do, the damage is done,” the official said. “But then the issue is, if you’re running around the world freezing servers of everybody you don’t like, it looks very offensive,” he added. “That looks preemptive.”
In fact, said Michael Schmitt, chairman of the International Law Department at the U.S. Naval War College, “the law of self-defense does not allow you to strike at a state merely because they have the capability to attack you.”
Comments
Post a Comment