Crossing the Line: Law of War and Cyber Engagement-The U.S. Position

• Author: Philip O'Neill, Jr.
• Position: This article is based upon a presentation by Mr. O'Neill at the ABA Spring meeting of the International Section in Washington D.C. on April 26, 2017, available at https://static.ptbl.co/ static/attachments/150017/1495047643.pdf?1495047643. Mr. O'Neill taught Nation Security Law at Boston University Law School, and is the author of books on...
• Pages: 589-611

Crossing the Line: Law of War and Cyber

Engagement-The U.S. Position

P

HILIP

D. O’N

EILL

, J

R

.

1

I. Introduction

The basic U.S. policy regarding the applicability of the law of war to cyber

engagement is of recent vintage, articulated largely during this decade,

impelled as the range of actions and actors on the threat continuum evolved

with increasingly acute results.

2

To begin to meet the challenge of cyber competition yielding to conflict,

in 2011 President Obama recognized as a matter of declaratory policy in his

“International Strategy for Cyberspace”

3

that “[l]ong-standing international

norms guiding state behavior — in times of peace and conflict — also apply

in cyberspace.”

4

That said, President Obama’s policy pronouncement also

cautioned that: “unique attributes of networked technology require

additional work to clarify how these norms apply and what additional

understandings might be necessary to supplement them.”

5

A legal and political policy debate over cyber “acts of war,” “use of force,”

and “armed attacks” ensued in recent years, with the notion of “equivalence”

to traditional military force triumphing doctrinally through adoption of an

“effects-based” standard. Reduced to essentials, we gauge attacks, including

those perpetrated through cyber operations, by their consequences, not the

means of delivery. This evaluative approach was desirable both for what it

prohibits and for what it permits as a two-edged sword. According to public

acknowledgement by former Chairman Dempsey of the Joint Chiefs of

Staff, the U.S. had not declared exactly what kinds of cyber-attacks and what

1. This article is based upon a presentation by Mr. O’Neill at the ABA Spring meeting of the

International Section in Washington D.C. on April 26, 2017, available at https://static.ptbl.co/

static/attachments/150017/1495047643.pdf?1495047643. Mr. O’Neill taught Nation Security

Law at Boston University Law School, and is the author of books on national security law and

arms control published by Oxford University Press. He presently serves as co-chair of the ABA

International Section’s National Security Law Committee.

2. See, e.g., Office of the Director of National Intelligence, Worldwide Threat Assessment of the

U.S. Intelligence Community, at pp. 5-6 (Feb. 13, 2018) https://www.dni.gov/files/documents/

Newsroom/Testimonies/2018-ATA—-Unclassified-SSCI.pdf.

3. See generally International Strategy for Cyberspace, obamawhitehousearchives.org (May 1,

2011), https://www.google.com/search?client=safari&rls=en&q=international+Strategy+or+

Cyberspace”++2011&ie=UTF-8&oe=UTF-8.

4. Id. at 9.

5. Id.

THE INTERNATIONAL LAWYER

A TRIANNUAL PUBLICATION OF THE ABA/SECTION OF INTERNATIONAL LAW

PUBLISHED IN COOPERATION WITH

SMU DEDMAN SCHOOL OF LAW

590 THE INTERNATIONAL LAWYER [VOL. 51, NO. 3

level of damage hits the threshold of an “act of war.”

6

The position received

an updated confirmation in June 2016 in testimony before the House Armed

Services Committee; then acting Department of Defense (DOD) Assistant

Secretary for Homeland Defense and Global Security Atkins confirmed that

a cyber-strike as an act of war “has not been defined. We’re still working

toward that definition.”

7

His testimony was the same as to a lack of

definition when asked about state or non-state actor cyber-attacks against

civilian targets with “significant consequences.”

8

The Trump administration, pursuant to Congressional direction,

submitted a classified national policy for cyberspace and cyber warfare in

April 2018.

9

Little has emerged since then publicly.

10

In April 2018,

testimony before the House Armed Services Committee, former DHS

Secretary (and DOD General Counsel) Jeh Johnson observed in testimony

at hearings on information warfare below the traditional level of armed

conflict that: “Under what circumstances can a cyberattack constitute an act

of war? At the moment there is no legal definition for the term. Essentially,

the answer from [legal scholars] and me, is “maybe,” or “it depends” or “we

will know it when we see it.”

11

Most recently, in a reported remark that did

not even warrant a headline, General Paul Nakasone, the head of the

National Security Agency and U.S. Cyber Command, stated (apparently

without qualification) at an Aspen conference that “cyber attack from

6. See Gen. Dempsey’s Remarks and Q&A on Cyber Security at the Brookings Institute at 5, J

OINT

C

HIEFS OF

S

TAFF

(2013), http://www.jcs.mil/Media/Speeches/Article/571864/gen-dempseys-

remarks-and-qa-on-cyber-security-at-the-brookings-institute/.

7. Statement of Mr. Thomas Atkin Acting Assistant Sec’y of State of Def. of Homeland Def. and

Global Sec. Office of the Sec’y of Def.; Lt. Gen. James K. McLaughlin Deputy Commander, U.S. Cyber

Command; and Brigadier Gen. Charles L. Moore Jr. Deputy Director Global Operations (J-39), J

OINT

S

TAFF

B

EFORE THE

H

OUSE

A

RMED

S

ERVICES

C

OMMITTEE

(June 22, 2016), https://docs.house

.gov/meetings/AS/AS00/20160622/105099/HHRG-114-AS00-Wstate-AtkinT-20160622.pdf.

8. Military Cyber Operations: Hearing Before the Committee on Armed Services at 16, 114th

Cong. 2 (2016) (statement of Assistant Secretary for Homeland Defense and Global Security

Thomas Akins), https://fas.org/irp/congress/2016_hr/mil-cyber.pdf.

9. See, e.g., Morgan Chalfant, Trump sends cyber warfare strategy to Congress, T

HE

H

ILL

, Apr.

19, 2018, http://thehill.com/policy/cybersecurity/384017-trump-sends-cyber-warfare-strategy-

to-congress; See also Derek Hawkins, The Cybersecurity 202: Senate defense bill pushes Trump to get

tougher on Russian hacking, June 19, 2018, https://www.washingtonpost.com/news/powerpost/

paloma/the-cybersecurity-202/2018/06/19/the-cybersecurity-202-senate-defense-bill-pushes-

trump-to-get-tougher-on-russian-hacking/5b279a0c1b326b3967989b34/?utm_term=.082718

d587f5.

10. Derek Hawkins, The Cybersecurity 202: Congress isn’t happy with Trump’s cyber strategy. It

wants a commission to help., W

ASH

. P

OST

(July 25, 2018), https://www.washingtonpost.com/

news/powerpost/paloma/the-cybersecurity-202/2018/07/25/the-cybersecurity-202-congress-

isn-t-happy-with-trump-s-cyber-strategy-it-wants-a-commission-to-help/5b5751da1b326b1e

64695504/?utm_term=.4f8188b1484e.

11. Prepared Statement of Jeh Charles Johnson before the House Armed Services Committee

hearing on “Cyber Operations Today: Preparing for 21st Century Challenges in an

Information-Enabled Society”, 2 nt. 5 (Apr. 11, 2018), https://docs.house.gov/meetings/AS/

AS00/20180411/108077/HHRG-115-AS00-Wstate-JohnsonJ-20180411.pdf.

THE INTERNATIONAL LAWYER

A TRIANNUAL PUBLICATION OF THE ABA/SECTION OF INTERNATIONAL LAW

PUBLISHED IN COOPERATION WITH

SMU DEDMAN SCHOOL OF LAW