Uncertain Rules of Engagement in Cyberspace

Ellen Nakashima of the Washington Post, whose reporting on cybersecurity issues (including counterespionage and offensive computer network operations) is indispensible, had an extraordinary piece yesterday concerning an episode that occurred in 2008, and the impact it had on the process of crafting rules for cyberoperations.  She writes that NSA analysts detected a piece of malware (dubbed Agent.btz) residing on SIPRnet and JWICS, two networks used by the military and the Intelligence Community for classified communications.  The problem was resolved, but difficult questions arose as the same malware was located on various other networks, including networks that were in some sense located “in other countries.”  Specifically, debate took place as to whether it would be justified to conduct a computer network operation (“CNO”) to remove the malware off those other networks.  Here is how Nakashima summarizes the question:

Officials debated whether to use offensive tools to neutralize the malware on non-military networks, including those in other countries. The military’s offensive cyber unit...proposed some options for doing so.  Senior officials rejected them on the grounds that Agent.btz appeared to be an act of espionage, not an outright attack, and didn’t justify such an aggressive response, according to those familiar with the conversations. ... “You have the right of self-defense, but you don’t know how far you can carry it and under what circumstances, and in what places,” Cartwright said. “So for a commander who’s out there in a very ambiguous world looking for guidance, if somebody attacks them, are  they supposed to run? Can they respond?”

These events helped draw attention to the need for clearer rules regarding when, where, and how the military could conduct a variety of CNOs.  Nakashima reports that the first fruits of this effort, in 2009, was an attempt to craft an ExOrd (i.e., an Execute Order, providing standing rules governing a military operation) establishing “comprehensive rules of engagement” governing how the military could  respond to malware threats to privately-held systems within the US.  Nakashima writes that one proposal was to permit a responsive CNO, the following conditions would have to be met:

The provocation had to be hostile and directed at the United States, its critical infrastructure or citizens. It had to present the imminent likelihood of death, serious injury or damage that threatened national or economic security. The response had to be coordinated with  affected government agencies and combatant commanders. And it had to be limited to actions necessary to stop the attack, while minimizing impacts on non-military computers.

Nakashima writes that the effort failed in the face of opposition from other agencies:

The Justice Department feared setting a legal precedent for military action in domestic networks. The CIA resisted letting the military infringe on its foreign turf. The State Department worried the military would accidentally disrupt a server in a friendly country without  seeking consent, undermining future cooperation. The Department of Homeland Security, meanwhile, worked to keep its lead role in securing the nation against cyberthreats.

There was disagreement both with respect to threats emanating from abroad and from within the U.S.  As to the former, the difficulty in part stemmed from the likelihood that an attack might be routed through multiple servers physically located in an array of countries, thus potentially requiring a form of intrusion into the affairs of those countries.  As to the latter, Nakashima characterized the problem in these terms:

The questions were even more vexing when it came to potentially combating an attack launched from servers within the United States. The military has no authority to act in cyberspace when the networks are domestic — unless the operation is on its own systems.

The story concludes by depicting DOD and DHS as continuing to tussle over the domestic responsibility issue, with DOD lamenting that it cannot act at “network speed” to defend civilian networks, and DHS insisting that cyberspace “is fundamentally a civilian space.” The final paragraph indicates that an ExOrd was signed this February, offering only the following insight as to its contents as to domestic networks:

The standing rules of engagement limit the military to the defense of its own networks and do not allow it to go outside them without special permission from the president.

A few thoughts on all this:  First, we obviously are only getting an incomplete glimpse of the current rules, and so we need to be careful in drawing conclusions about what can and cannot currently be done.  Second, the article as a whole does a great job of conveying the difficulties associated with questions of geography/neutrality/sovereignty when it comes to CNOs.  It also draws attention to the not-so-clear line between cyberexploitation (ala conventional espionage) and a cyberattack, and the problems this can raise insofar as the latter would justify, legally, a different set of responses than the former.  The article also draws attention to the persistent problem of attribution in cyberspace, talking in detail about lingering uncertainty as to who might have been responsible for Agent.btz (new versions of which apparently still emerge frequently).  Finally, one issue that the article does not address, but that lurks beneath its surface, is the question of whether and how framing a CNO in terms of “Title 10” authority versus “Title 50” authority might matter. Nakashima’s work in this area is remarkable, and those interested in keeping up with these developments from an external perspective will of course want to follow her future reporting closely.