A formal, three-year legal and policy review of US cyberweapons that concluded last fall has effectively cleared their use alongside other weapons systems in the US arsenal, a stamp of approval that propels the fledgling US Cyber Command toward a fully operational role within the nation's military structure, cyberwar experts say.
Cyberweapons have been available to the US military since at least the first Gulf War against Iraq, but when, how, and under what conditions they could or should be deployed has been subject to vigorous debate among military and civilian policymakers.
Now it appears cyberweapons and cyberwarfare have nudged up alongside other legally approved military theaters and techniques, including space warfare and electronic war as well as the use of drones, sabotage, and special operations. In particular, cyberweapons were approved in the review for "preemptive" attacks if authorized by the president and if an imminent attack on the US warranted it, the New York Times reports.
While most details of the legal authorizations aren't known, the Times quoted anonymous sources as saying that the new policies "govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code – even if there is no declared war."
"The fact that DOD has moved to the point where it felt required to [conduct the policy review] is a step toward normalization and operationalization of cyberweapons," says Dan Kuehl, a professor of intelligence studies at Mercyhurst University and formerly at National Defense University. "If you've got a new bomb or a tank or a weapons system, there's a requirement to do a legal review of its usage – under the Law of Armed Conflict. With DOD having done that for cyber, it's a significant step toward normalization of cyber as a weapon we can actually use militarily."
Word that legal hurdles have been largely surmounted for cyberweapons comes amid a backdrop of daily reports of cyberespionage attacks on US businesses, government agencies, and the Pentagon – not to mention numerous recent statements of concern by the nation's military officials.
In a speech last fall, Secretary of Defense Leon Panetta warned of the potential for a "cyber 9/11" and urged tougher laws that would help protect US critical infrastructure like the power grid and water systems. Other current and former senior administration and Pentagon officials have echoed that concern – and say that the legal review is long past due.
"This legal review of cyberweapons has been far too slow, too lawyer-and-State Department-ridden," says Stewart Baker, a former assistant secretary at the Department of Homeland Security and now a partner at Steptoe & Johnson, a Washington law firm. "What we've needed is a faster process that allows us to actually come up with a strategy for actually winning a cyberconflict. But this is clearly a step in the right direction. It's clear that cyberweapons are going to be used. If so, then we need to be better at using them than our adversaries."
Defending the nation from cyberattack was a priority reflected in the formal establishment of US Cyber Command in 2009. But whether cyberweapons truly fit into and complied with international legal norms and structures such as the International Law of Armed Conflict, which sets humanitarian norms during war – has been a question mark.
Debate over US cyberweapons policy for DOD was in full swing in early 2009. As in the past, when critical military policy questions were at stake, the Pentagon threw the problem over to the Defense Science Board and the Defense Policy Board to analyze and develop a cyberwar-fighting policy structure, cyberexperts told the Monitor.
"If we have the capability of using something that will disrupt, degrade, or deny an enemy at less than lethal force, we have an ethical conundrum," says Sam Liles, a professor of cyberforensics at Purdue University. "Should we use this – if cyber gives us that capability? Perhaps we're morally and ethically required to use it. On the other hand, if that weapon can be turned around and used against us, perhaps we shouldn't use it. That's what the policy discussion has been about."
Such a policy debate was made more urgent by the furor surrounding Stuxnet, the world's first publicly known cyberweapon, which was utilized by the US to sabotage Iran's nuclear fuel-refining facilities. It also accelerated debate about the wisdom of releasing such weapons, especially since they can be reverse-engineered and used against the US.
By last fall, the process had reached a series of conclusions after a lengthy internal debate. The result: DOD had a first cut, an organized structure that includes rules for engagement and a decisionmaking process for using cyberweapons, says James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington.
The new cyberarms policy reflects a push by powerful military figures as well, including Gen. Keith Alexander, director of the National Security Agency and commander of the US Cyber Command, which is a sub-unified command under the US Strategic Command. But with this step, it's likely that the US Cyber Command will be propelled to equal footing alongside other commands, Dr. Lewis says.
Two key other architects of the cyberpolicy that has just emerged publicly were William Lynn III, a former deputy secretary of Defense, and the former vice chairman of the Joint Chiefs of Staff, Gen. James E. Cartwright, former head of the US Strategic Command. Both were central in helping set up US Cyber Command, Dr. Lewis says. General Cartright, who retired from service in August 2011, was well positioned to assist in the cyber review, joining the Defense Policy Board Advisory Committee two months later.
Cartright has warned of the US need for better cyber preparedness. The Chinese, he told the US-China Economic and Security Review Commission in March 2007, are making “plans to use this type of capability in a military context.” He added, “I don’t think the [United States] has gotten its head around this issue yet, but I think we should start to consider that the regret factors associated with a cyberattack could, in fact, be in the magnitude of a weapon of mass destruction.”
"We're seeing plenty of signs that cyber deterrence hasn't worked," Dr. Lewis says. "If that doesn't work, well, then you have to preempt. This is where we see a potential attack, some planning going on, and we would be able to go in an stop it. Suppose we could turn off the attack computer the moment they pressed the key sequence. We could say: Well, we saw he was going to hit me and hit him first."
Another backdrop for the US authorization of the use of cyberweapons is the prospect that President Obama, in the absence of congressional action, will issue an executive order to require federal agencies to tighten regulations to bolster cyberdefenses at US critical infrastructure like the electric grid, refineries, and telecommunications.
What appears to be emerging, then, is an overlapping set of mandates to protect the US against attack. On a strategic level, the US has now authorized the use of cyberweapons. On a middle level, Internet service providers could also detect and mitigate an attack to some degree. Finally, the Department of Homeland Security is working to implement policies, presumably with sharper teeth under a coming executive order, to bolster defenses at the individual company level.
"What's happening is that all these mandates are really overlapping and to some degree connected," Dr. Kuehl says. "There's now a growing awareness that cyberspace is absolutely crucial to US national security – not just militarily, but societally. All these forces are gelling to protect the nation's critical infrastructure."