3 April 2021

AUTHORITIES AND LEGAL CONSIDERATIONS FOR US CYBER AND INFORMATION OPERATIONS IN A CONTESTED ENVIRONMENT

Gary Corn 

Editor’s note: This article is the third in a series, “Full-Spectrum: Capabilities and Authorities in Cyber and the Information Environment.” The series endeavors to present expert commentary on diverse issues surrounding US competition with peer and near-peer competitors in the cyber and information spaces. Read the first two articles in the series here and here.

Special thanks to series editors Capt. Maggie Smith, PhD of the Army Cyber Institute and MWI fellow Dr. Barnett S. Koven.

Perhaps taking cues from Russia, it appears China is upping the ante on its use of cyber as an aggressive tool of statecraft. Just as Russia has used Ukraine and Georgia as testbeds for its offensive cyber capabilities, reports are emerging that China may have used cyber tools to turn the lights out in India in response to violent border clashes in the Himalayas. Framed within the context of the so-called return of great power competition, this is a predictable but concerning development that puts increased pressure on the United States to proactively engage the evolving gray-zone national security threats posed by its adversaries—chiefly, China and Russia. How the United States navigates the amorphous threat environment raises difficult legal and policy questions that demand principled but practical responses. Ambiguity can be disorienting, but compensating through overreliance on legal, policy, and doctrinal constructs developed for traditional warfare should be approached with caution.

Since at least 2015, US national and defense strategy has oriented on the return of great power competition—the recognition that the brief, post–Cold War unipolar moment of unchallenged US hegemony has given way to an increasingly confrontational multipolar competition among the United States, China, and Russia. This evolving strategic landscape has many features and is playing out dynamically across myriad fronts, requiring a multifaceted and calibrated approach to employing all elements of national power, including the military, to protect US national security. One key facet of this renewed competition, however, is China’s and Russia’s growing use of assertive and at times aggressive military and paramilitary operations and capabilities in what has been dubbed the gray zone between normal, peacetime geopolitical interactions and overt war.

Ambiguity, and the attendant decision delay or paralysis it causes, is the hallmark of these emerging gray-zone conflicts—factual, policy, and legal ambiguities that China and Russia exploit through actions intended to alter the status quo and achieve strategic objectives normally associated with war while avoiding open military confrontation. This is especially true when it comes to cyber and information operations, which figure prominently in China’s and Russia’s gray-zone playbooks and that are extending across all operational domains including space. Russia’s well-documented efforts at election interference, NotPetya, SolarWinds, and China’s cyber-enabled mass intellectual property theft and COVID-19 disinformation efforts are but a few of the better-known examples. As the US intelligence community has consistently warned, China and Russia “increasingly use cyber capabilities—including cyber espionage, attack, and influence—to seek political, economic, and military advantage over the United States and its allies and partners.” China and Russia are leveraging cyber and information capabilities as an integrated whole to challenge the United States, its allies, and the rules-based international order at every turn.

The return of great power competition has driven a deliberate if sporadic pivot from a focus on combat and counterinsurgency operations to better posturing the US military to defeat these near-peer competitors in the event of open conflict. At the same time, the military has also been increasingly tasked with conducting a range of active operations outside of armed conflict to engage and counter gray-zone military threats and challenges from China, Russia, and other adversaries, maintain US advantages, and deter escalation to war. This is not entirely new territory. Whether under monikers like “Quasi War,” gunboat diplomacy, political warfare, or military operations other than war, the US military has been employed outside of clear situations of armed conflict numerous times throughout the nation’s history. Nonetheless, for a trained and ready warfighting institution, the world of non–armed conflict operations can quickly fall outside the military’s natural comfort zone, especially in today’s murky, contested gray-zone environment with its inherent legal and policy uncertainties.

This is especially true in the hyper-dynamic arenas of cyber and information conflict. Like the internet, cyberspace and the predominantly digitized information environment are in their relative infancy as are the strategic, operational, and doctrinal concepts governing military operations in this relative terra incognita. Not surprisingly, so too are the understandings of how existing legal paradigms apply to the evolving ways in which states employ cyber and information as means and methods of statecraft in gray-zone conflict.

Great power competition is not only pulling the military into an unfamiliar operational environment, for some it is challenging basic Clausewitzian dogma that although the character of war may evolve, the fundamental nature of war is immutable. Maybe Clausewitz was right. Or maybe his theory is an unevolved relic of the analog age. To the planners and operators confronted with the day-to-day reality that the United States is engaged in active, gray-zone conflicts with China and Russia, these esoteric debates are no more than a distraction better left to think tank and war college hallways.

Regardless of one’s view of the question, one thing is relatively certain—for better or worse, international law comes down decidedly in Clausewitz’s corner. International law, at least with respect to interstate engagement, draws a bright dichotomy between war and peace, however unsettling that peace may look. As set out in article 2 common to the four Geneva Conventions, other than situations of total or partial occupation, the law of war (also known as the law of armed conflict, LOAC) is triggered in the interstate context only in “cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties, even if the state of war is not recognized by one of them.” And while it is widely accepted that the article 2 threshold for triggering law of war applicability is relatively low, it does require that the states involved be engaged in armed conflict—that is, a resort to armed force between them regardless of the scope, duration, and level of intensity. Fortunately, that is a Rubicon yet uncrossed in the competitive spaces with China and Russia.

The US military is generally well versed in the law of war and its applicability to combat operations. It is inculcated in its ethos and infused in its doctrine, training, regulations, and operational constructs. And while the law of war cannot provide ready answers to the myriad challenges that modern combat presents, it generally provides a substantial degree of guidance and clarity to the force on how to operate on the right side of legitimacy during combat. Outside of armed conflict, however, the sight picture gets fuzzy.

The Department of Defense has long approached the legal uncertainties endemic to non-international armed conflict, and other military operations not part of armed conflict, through a basic gap-filling approach. In response to complex conflict classification issues and related legal uncertainties during the Vietnam War, DoD adopted a policy that US forces would “comply with the law of war during all armed conflicts, however such conflicts are characterized, and in all other military operations (emphasis added).” Although well intended to prevent committing the force into legal voids, the policy was flawed from the outset to the extent it suggested that laws premised on the unique authority, among others, to employ lethal force against individuals based solely on their status has any play outside the extraordinary circumstance of war.

It took several decades to remedy this flaw, but DoD took a substantial step toward doing so in 2020 by amending its policy to read:

Members of the DoD Components comply with the law of war during all armed conflicts, however characterized. In all other military operations, members of the DoD Components will continue to act consistent with the law of war’s fundamental principles and rules, which include those in Common Article 3 of the 1949 Geneva Conventions and the principles of military necessity, humanity, distinction, proportionality, and honor.

The updated policy more clearly reflects the dichotomy between war and peace and the fact that LOAC compliance is limited, as a matter of law, only to the former. The change could have made clearer the policy’s emphasis on adherence to the humanitarian principles of the LOAC during all military operations, and not those rules and principles plainly incompatible with non–armed conflict operations such as those related to status-based lethal targeting. Nevertheless, the clarification on the scope of the policy is important not only as a matter of operational guidance, but also as a cautionary lesson against overreliance on familiar but often inapplicable warfighting doctrine, rules, and operational approaches to gray-zone operations.

Take, for example, operational risk-management frameworks like the “No-strike” process and the Collateral Damage Estimation Methodology (CDEM). At first blush, importing the CDEM whole cloth to manage the risks of collateral effects in the execution of gray-zone cyber and information operations may have some appeal. It is a well-worn, repeatable process that has served targeters well for decades. But at its core, the CDEM is built on and primarily intended to aid compliance with the LOAC prohibition against inflicting disproportionate physical harm to civilians or damage to civilian objects while conducting attacks during combat. Most cyber and information operations, even those conducted during armed conflict let alone outside it, do not constitute attacks as that term is defined and understood in the LOAC, nor do they risk the type of damage that the LOAC principle of proportionality mandates be considered before conducting an attack. And while other legal considerations may come into play, they are generally less constraining than the LOAC targeting rules. Ultimately, the risks to be managed during gray-zone operations will be, by and large, set by executive policy and commander’s intent and therefore variable. Overreliance on inapposite doctrine and frameworks can paradoxically risk both escalation and over-restraint, and thus distortion of operational outcomes.

Overreliance on warfighting doctrine and precepts can also distort strategic thinking and create unnecessary legal risk. When it comes to confronting China and Russia, “deterrence” and “cost imposition” are the buzzwords du jour, where cost is often viewed through the lens of degrading the enemy’s military capability and capacity. From the perspective of developing effective cyber and information targeting strategies, as well as measuring actual execution for legal compliance, approaching gray-zone operations through oversimplified and misapprehended deterrence and warfighting concepts is unhelpful and can be counterproductive.

Fully unpacking theories of deterrence and related debates about its efficacy in the cyber and information context are beyond the scope of this article. Suffice it to say that when it comes to cyber and information conflict, discussions about deterrence have failed first to distinguish between disruption and coercion, and second, between deterrence of adversaries’ malicious cyber operations on the one hand, and the use of cyber and information capabilities to deter or influence adversary decisions and actions more broadly (e.g., Chinese moves in the South China Sea, Russian aggression in the Baltics, etc.). Operational approaches, to include targeting strategies and related authorities and legal frameworks, will likely be very different depending on which of these buckets an operation falls into.

First, disruption and deterrence are not synonymous. Deterrence seeks to dissuade, by means of a credible threat of punishment, an adversary from taking unwanted action. For deterrence threats to be credible, they should be designed to hold at risk targets of critical importance to an adversary—targets that may or may not be military in nature. In contrast, disruption is aimed at countering unwanted actions an adversary is already engaged in, by degrading or neutralizing their effect. Disruption contributes to deterrence at most only indirectly by adding to the benefit denial to an adversary achieved through defense in depth. Generally, the targets relevant to deterrence will be quite different from, for example, cyber infrastructure and nodes the adversary uses to conduct malicious cyber and influence operations. The nature of the effect necessary to successfully disrupt versus deter will likely be quite different as well. Therefore, the distinct target sets present very different legal and policy risk profiles and should not be conflated.

Since at least 2018, the domestic legal and policy landscape around cyber and information operations has shifted significantly, providing greater clarity on domestic authorities and enabling DoD to more proactively confront China and Russia’s malicious campaigns against the United States and its allies and partners. In addition to the shift in national and DoD strategy, key legislation and more forward leaning presidential policy on offensive cyber operations were laid in place. This has paved the way for DoD to play a more active role in countering gray-zone threats, and out of necessity DoD has stepped across the line of departure.

International law is more static, and although an increasing number of states have offered their views on its applicability to gray-zone cyber operations, substantial questions remain. That is not to say there is an absence of law, or that the principles reflected in the LOAC cannot provide some guidance. For instance, the jus ad bellum certainly places boundaries on states’ use of force in the gray zone. As the DoD general counsel has noted, when reviewing proposed operations, “DoD lawyers provide advice guided by how existing rules [of international law] apply to activities in other domains, while considering the unique, and frequently changing, aspects of cyberspace.” This is a deliberate process that should be careful to balance the rule of law and principled decision with operational realities.

When in doubt, it is easy to fall back on what you know. But when it comes to the complex challenges of conducting military cyber and information operations in the gray zone of great power competition, easy is generally not the right or even the best answer. With respect to both defend-forward operations and true deterrence, there needs to be a more sophisticated approach to targeting strategies, resisting the tendency to revert to armed-conflict targeting paradigms and instead developing and instantiating targeting procedures better aligned to the unique operational environment and the non–armed conflict legal structures that apply.

Colonel (ret) Gary Corn is the director of the Technology, Law & Security Program at the American University Washington College of Law, a senior fellow in cybersecurity and emerging threats at the R Street Institute, and the founder and principal of Jus Novus Consulting, LLC. Prior to retiring in 2019, he served nearly thirty years in the US Army, the last twenty-five as a judge advocate. His last assignment was as the staff judge advocate to US Cyber Command, where he served for five years.

The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.

No comments: