Cyber Command’s Lawyer: Scrambling of War Rules in Internet Conflict Includes Need for Automated Responses
BERKELEY, Calif. -- Cyberwar’s hyper speed raises a need to prepare automatic responses by the U.S., said the senior lawyer at the U.S. Cyber Command at Fort Meade, Md. A serious attack “would be over before the second call” up the chain of command, raising the prospect of “autonomous decision-making,” Col. Gary Brown said late last week. At a University of California seminar on cyberwar law, ethics and policy, he said, “Everybody thinks Dr. Strangelove,” a Cold War black comedy involving an automatic nuclear doomsday system and the destruction of the world. “So do I,” Brown acknowledged. An automated system would involve programming in scenarios so that, for example, “if these 17 things happen, I want you to cut off Internet access to this country,” he said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Conflict in cyberspace also creates a mismatch regarding the crucial distinction in international law between those in and out of military uniform, Brown said. “I'm just not sure it makes any difference” whether a cyber combatant sitting in a room with a keyboard is “wearing a uniform,” he said. Brown said he’s “just not sure” the distinction drawn in the Hague rules is “helpful” when “it comes to cyber operations.”
Cyberwar activity is full of legal unknowns, Brown acknowledged. “There are a whole lot of questions in cyber and not a whole lot of answers.” That’s largely unavoidable, because the arena is new and developing fast, he indicated. There’s “significant tension” within U.S. military policy and law on the subject, Brown said. Questions of geography have “us tied up in knots,” he said. Whenever anything occurs online, often “things are happening in the United States,” which isn’t the U.S. military’s operational turf, Brown said. But “does it really matter that a packet or a copy of a file is in the United States?” Anyone who attacks the U.S. is unlikely to be concerned about details of geography, he said. U.S. options shouldn’t be foreclosed against those who don’t worry about the rule of law, he said.
It’s much simpler legally to kill an enemy fighter than “do something to his email,” Brown said. He lamented the danger of missing an “unprecedented opportunity” to use cyber conflict as a “more humane form of warfare.” He said he’s surprised that humanitarian organizations don’t recognize this adequately. The Stuxnet virus that destroyed Iranian nuclear facilities was a “good example of a cybertechnique” in international conflict that’s “a better way to go” than killing people, but it’s unclear whether it would be considered an attack under the laws of war, he said. Anne Quintin, a public affairs officer for the International Committee of the Red Cross, acknowledged that cyber attacks “sometimes can be the best way to minimize collateral damage.” But she mainly advocated liberal application to cyberwar of international-law restrictions on armed conflict. Military lawyers pushed back by stressing the Internet’s “dual use” for military and civilian purposes.
DOD policy is muddled in some ways, Brown said. “I don’t know” the definition of cyberspace, “but I'm pretty sure it’s not what DOD says it is,” because it remains one of the undefined terms on the subject, he said. Cyberspace is “not the same as the Internet,” Brown said. “A lot of people make that mistake.” The Internet is the physical infrastructure underlying cyberspace and usually is what’s subject to attack in cyberwar, he said. But “standalone networks” detached from the Internet also are part of cyberspace in this context, he said.
Brown suggested that privacy worries about “militarizing cyberspace” are peculiar. The federal government spends a great deal of money ensuring that its Internet monitoring doesn’t include surveillance of U.S. citizens’ data, he said. “You can be assured the U.S. government will not be on your computer if you're a U.S. national,” Brown said. That fact affects the government’s ability to protect the network, a relationship that’s “kind of a poison subject in public,” he said.
Lawyers are so deeply involved in U.S. cyber warfare that their work is “almost indistinguishable from operations,” Brown said. But “military guys generally like to act,” he said. “Lawyers typically like to talk.” There’s a need for “standing ground rules” for cyber conflict, so each deliberation doesn’t start from scratch, Brown said. Cyber conflict is “nonheroic warfare,” because the participants aren’t “in harm’s way,” he said. In this sense, the participants are like those who direct drone aircraft attacks, Brown said. That affects how they're seen by other military personnel, he said. “It’s just not the same being the guy pulling nine G’s in the F-16 as it is pulling the joystick in the cushy chair.”