When Russia escalated its war of aggression against Ukraine in February of 2022, many predicted it would unleash catastrophic cyber attacks as part of its overall operations. When these did not materialize, at least overtly, some observers concluded that worries about cyber threats were overblown. Contrary to these assessments, cyber operations have indeed played a role in Russia’s campaign, just as they have at various points since 2014, beginning when Russia occupied Ukraine’s Crimea and instigated conflict in the Donbass and continuing with cyber operations against Ukraine’s power grid in 2015 and 2016, see Donghui Park & Michael Walstrom, Cyberattack on Critical Infrastructure: Russia and the Ukrainian Power Grid Attacks, Jackson School of Int’l Studies, Oct. 11, 2017, and the launch of a devastating malware attack in 2017. Sarah Marsh, US Joins UK in Blaming Russia for NotPetya Cyber-Attack, The Guardian, Feb. 15, 2018. On the eve of the 2022 invasion, Russia conducted a supply chain attack that corrupted and disabled thousands of satellite modems in Ukraine and across Europe, knocking customers offline and disrupting Ukrainian military command and control. AJ Vicens, UK, EU, US Formally Blame Russia for Viasat Satellite Hack Before Ukraine Invasion, CyberScoop (May 10, 2022); Patrick Howell O’Neill, Russia Hacked an American Satellite Company One Hour Before the Ukraine Invasion, MIT Technology Review (May 10, 2022). There is growing evidence of ongoing Russian cyber operations targeting Ukraine and accompanying concerns that Russia may escalate and target the United States and other allies. See James Pearson & Christopher Bing, The Cyber War Between Ukraine and Russia: An Overview, Reuters (May 10, 2022); Tom Burt, The Hybrid War in Ukraine, Microsoft (Apr. 27, 2022); Gordon Corera, Ukraine War: Don’t Underestimate Russia Cyber-Threat, Warns US, BBC News (May 11, 2022).
None of this comes as a surprise to those who have followed cyber threats in recent decades. Since the birth of the Internet, criminals, non-state actors, and states have leveraged the inherent vulnerabilities of cyberspace to do harm. Data theft, ransomware attacks, and critical infrastructure disruptions, to name a few, are now near daily occurrences. For instance, the Conti ransomware group, believed to operate out of St. Petersburg, Russia, encrypted critical systems throughout Costa Rica and then threatened the overthrow of the newly elected government in May 2022. President Rodrigo Chaves’s emergency declaration and assertion that his country was “at war” with “an international terrorist group” illustrates the magnitude of the problem. Corin Faife, Costa Rican President Says Country Is “at War” with Conti Ransomware Group, The Verge (May 18, 2022).
The use of information and communications technologies (ICT) has also elevated the age-old art of propaganda and malign influence operations to unprecedented levels and effect. States, Russia and China first among them, have engaged in sophisticated and sustained campaigns of covert deception and influence to weaken democratic institutions and fracture alliances, all with a broader aim of undermining the rules-based international order. As one expert has described, the modern information environment is “a qualitatively new landscape of influence operations, persuasion, and, more generally, mass manipulation.” Rand Waltzman, The Weaponization of Information: The Need for Cognitive Security: Hearing Before Subcomm. on Cybersec. of S. Comm. on Armed Services, 115th Cong. 1 (2017).
Many view Russia’s 2007 distributed denial of service attack against Estonia as a watershed moment when offensive cyber and ICT-enabled information operations became staples of both statecraft and warfare. Over the last decade, the U.S. intelligence community has identified cyber and information threats as primary national-security concerns and noted that U.S. adversaries, especially China, Russia, North Korea, and Iran, have used and will continue to use cyber operations to “threaten our infrastructure and provide avenues for foreign malign influence threats against our democracy.” Office of the Director of National Intelligence, Annual Threat Assessment of the U.S. Intelligence Community, Feb. 2022. In the years since 2007, the level, sophistication, and frequency of malicious cyber events have steadily increased. See, e.g., Center for Strategic & International Studies, Significant Cyber Incidents (listing cyber incidents since 2006, including WannaCry, NotPetya, and SolarWinds).
Furthermore, cyber threats are not contained to circumstances of traditional warfare. Instead, they are manifesting predominantly in the so-called “Gray Zone,” the uncertain space between peace and armed conflict. The Commander of U.S. Cyber Command, General Paul Nakasone, characterized the evolving threat to the House Armed Services Committee in 2020:
A decade ago, we trained and postured our cyber forces like any other military force: to prevail in future conflict. A central challenge today is that our adversaries compete below the threshold of armed conflict, without triggering the hostilities for which [the Department of Defense] has traditionally prepared. That short-of-war competition features cyber and information operations employed by nations in ways that bypass America’s conventional military strengths.
Before H. Subcomm. on Intelligence and Emerging Threats and Capabilities of H. Comm. on Armed Services, 116th Cong. (2020) (statement of General Paul M. Nakasone, Commander, United States Cyber Command).
The need to deter and actively counter these threats and, when appropriate, leverage cyber capabilities to affirmatively advance U.S. national interests has become increasingly evident and the years since 2012 have seen a profound shift in the U.S. approach to the realities of cyber and information conflict. Yet U.S. law and policy have struggled to keep pace. The introduction of technologies such as artificial intelligence and quantum computing will only exacerbate these challenges going forward.
Before turning to a survey of domestic legal and policy developments, a note on terminology is in order. The term “offensive cyber operations” or OCO means different things to different communities. Many refer to non-passive, cyber-enabled intelligence collection activities, or espionage, as “offensive.” For example, U.S. Department of Defense (DoD) doctrine includes cyberspace exploitation, i.e., intelligence and information collection, within its broad definition of OCO. Joint Publication 3-12, Cyberspace Operations II-7 (Jun. 8, 2018). For the DoD, OCO also encompasses cyberspace attack — the creation of “noticeable denial effects (i.e., degradation, disruption, or destruction) in cyberspace or manipulation that leads to denial effects in the physical domains.” Id. Although many of the tools and methodologies of cyber espionage may overlap with — and at times be difficult to distinguish from — operations designed to generate disruption or denial effects inside or outside of cyberspace, effects operations present markedly different risk profiles and implicate different legal and policy questions than intelligence collection. As such, the DoD definition of OCO is overbroad and can lead to confusion. Thus, this review focuses on the OCO “subset” of out-of-network effects operations, whether offensive or defensive.
Cyber Operations: From Apathy to Security Awareness
Although the Internet grew out of a 1969 DoD research project called the ARPANET, see Giovanni Navarria, How the Internet Was Born: From the ARPANET to the Internet, The Conversation (Nov. 2, 2016), decades passed before the DoD and broader national-security community recognized that this new technology was something more than just a benign means of data curation and communication and began to grapple with the implications of cyberspace for national security. The realization that cyberspace also offers opportunities for offensive action took even longer.
While basic computer and information security initiatives began as early as 1972, the true nature and extent of the cyber threat were not immediately apparent. In 1986, a German citizen employed by the KGB, the Soviet security agency, gained access to the ARPANET to steal information about the U.S. Strategic Defense Initiative in one of the first known examples of cyber espionage. The Spy Who Hacked Me, Infosecurity Magazine (Oct. 31, 2011). Two years later, the Morris Worm took down 10 percent of the embryonic Internet — the first real alert to the inherent vulnerabilities of the emerging ICT environment. Taking notice, the DoD set up its first Computer Emergency Response Team, and in 1990 President George H.W. Bush designated the National Security Agency (NSA) responsible for protection of national security systems, classified and critical command and control networks. National Security Directive 42, National Policy for the Security of National Security Telecommunications and Information Systems (Jul. 5, 1990). But these early initiatives were limited, stove-piped, and defensive in nature.
It was not until 1995 that “DoD leaders publicly acknowledged that U.S. military networks were vulnerable to remote attacks,” U.S. Cyber Command, Our History, and it took nearly another ten years before the Joint Chiefs of Staff recognized cyberspace as a domain of conflict in and through which the U.S. military needed to operate. National Military Strategy of the United States of America 2004. In 2004, President George W. Bush promulgated the first U.S. policy to address potential out-of-network cyber operations with National Security Presidential Directive (NSPD) 38, National Strategy to Secure Cyberspace (Jul. 7, 2004), a directive that remains classified although it has been superseded.
During these early years, U.S. efforts to develop strategies and structures to address emerging cyber threats were often disjointed and primarily focused on the security of domestic networks. For example, in 2008, the Federal Bureau of Investigation and the Department of Homeland Security established, respectively, the National Cyber Investigative Joint Task Force and the National Cybersecurity and Communications Integration Center. In 2010, prompted by a breach of classified networks, the DoD stood up U.S. Cyber Command as a subordinate unit to U.S. Strategic Command for the purpose of “integrating cyber defense operations across the military.” William F. Lynn III, Defending a New Domain: The Pentagon’s Cyberstrategy, 89 Foreign Affairs 97, 98 (Sept.-Oct. 2010).
Despite these efforts, the United States Government was “not organized to address [the] growing problem effectively [then] or in the future,” with “[r]esponsibilities for cybersecurity . . . distributed across a wide array of federal departments and agencies, many with overlapping authorities, and none with sufficient decision authority to direct actions that deal with often conflicting issues in a consistent way.” The White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure 2009. Structural and policy deficiencies continued to hamper effective action for several years and, to some extent, continue today. Moreover, to the extent OCO were contemplated, they were considered through the lens of traditional warfighting and only as a supporting effort to combat operations. Even then, capacity lagged far behind theory, and supporting law and policy were embryonic.
Cyber Offense: From Theory to Action
In 2016, the DoD publicly acknowledged having conducted OCO as part of its broader campaign to defeat the Islamic State in Iraq and Syria (ISIS). According to then Secretary of Defense Ash Carter, U.S. Cyber Command had conducted the operations to cause ISIS to “lose confidence in their networks, to overload their networks so that they can’t function, and do all of these things that will interrupt their ability to command and control forces.” Sean Lyngaas, Carter: U.S. Disrupting Islamic State Computer Networks, The Business of Federal Technology, FCW, Feb. 29, 2016. Although little detail was provided, this was considered an extraordinary revelation.
Part of the U.S. campaign against ISIS involved a highly sophisticated and coordinated operation to degrade its digital media and propaganda infrastructure, an operation dubbed Glowing Symphony. Dina Temple-Raston, How the U.S. Hacked ISIS, National Public Radio, Sept. 26, 2019. Although cyber operations were conducted as part of combat operations, U.S. Cyber Command assessments later revealed the inordinate difficulty of the approval process, where, for example, “interagency non-concurs” prevented execution of Glowing Symphony as originally designed and ultimately required elevation of the decision to the White House. USCYBERCOM After Action Assessments of Operation GLOWING SYMPHONY, National Security Archive (Jan. 21, 2020).
Lessons learned from the counter-ISIS operations later informed U.S. activities to defend the 2018 midterm elections from Russian interference. Maryann Lawlor, The Past Can Profit Cyber Planning, SIGNAL, Jul. 1, 2021. That effort, led by a U.S. Cyber Command-National Security Agency task force, involved a range of innovative initiatives, including discrete OCO, in support of wider U.S. government actions to protect the 2018 elections. As important as the cyber operations were for election security, gaining approval for their execution was anything but assured. The pre-2018 legal and policy frameworks were simply not conducive to action. As Admiral Michael Rogers, the Commander of U.S. Cyber Command and Director of the NSA, noted in 2017, outside of limited authority delegated in an order from the Secretary of Defense regarding Countering Adversary Use of the Internet, or CAUI, any cyber operation intended to create an effect on non-U.S. networks required the President’s approval. Foreign Cyber Threats to the United States: Hearing Before S. Comm. on Armed Services, 115th Cong. 418 (2017). Obtaining that approval faced significant legal, policy, and bureaucratic hurdles. And, as Glowing Symphony illustrates, not even operations in support of ongoing hostilities were immune from these challenges.
In 2012, NSPD-38 was superseded by Presidential Policy Directive 20 (PPD-20). PPD-20 was anchored on a declared policy of restraint, under which the United States would “undertake the least action necessary to mitigate threats” by prioritizing “network defense and law enforcement as preferred courses of action” in responding to hostile cyber incidents. Office of the White House Press Sec’y, Fact Sheet on Presidential Policy Directive 20 (2013). It established a review process for cyber operations that became infamous for stifling action. As the Joint Staff Deputy Director for Global Operations later described, PPD-20 required “an interagency process that went through the National Security Council and all the way up from a policy coordination committee to a deputies’ committee to a principals’ committee” and meant “anyone could stop the process at any point.” Sydney J. Freedberg, Jr., Trump Eases Cyber Ops, But Safeguards Remain: Joint Staff, Breaking Defense (Sept. 17, 2018). According to public reporting, the number of operations conducted under the PPD-20 approval framework was small. See, e.g., Hearing to Receive Testimony on the Posture of United States Special Operations Command and United States Cyber Command in Review of the Defense Authorization Request for Fiscal Year 2023 and the Future Years Defense Program: Hearing Before the S. Comm. on Armed Services, 117th Cong. 40-41 (Apr. 5, 2022).
Congress expressed frustration at the executive branch’s lack of an effective strategy and inaction in the face of increasing cyber threats. See, e.g., Joseph Marks, McCain Leaves a Rich Cyber Legacy, Nextgov (Aug. 27, 2018) (noting Senator John McCain’s view that the U.S. cyber posture failed to adequately recognize the magnitude of the problem, failed to deter U.S. adversaries, and was “overgrown with bureaucracy and choked by duplication”). Members of Congress expressed the view that, “in certain instances, the most effective way to deal with threats and protect U.S. and coalition forces is to undertake offensive military cyber activities.” H.R. Rep. No. 112-329, at 686 (2011) (Conf. Rep.). And Congress used the annual National Defense Authorization Act (NDAA) to press for executive-branch action, provide substantial funding for cyber capability and capacity building, and set the groundwork in the 2017 NDAA for U.S. Cyber Command’s elevation to full combatant command status in 2018. At the same time, Congress missed several opportunities to provide the legal foundation for the OCO it was urging.
Whether the President requires congressional approval to authorize OCO or can rely simply on Article II of the U.S. Constitution is a complex, fact-dependent question beyond the scope of this review. However, one thing is certain. Under longstanding doctrines of executive authority, see Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579 (1952), presidential power is at its zenith when exercised pursuant to an express or implied authorization of Congress. In the absence of such an authorization, the President proceeds in a “zone of twilight” of constitutional powers with its attendant legal uncertainties.
Given the novelty and inherently clandestine nature of cyber operations, the President’s authority to direct OCO prior to 2018 hovered between twilight-zone uncertainty and possible conflict with express statutory restrictions, particularly the Covert Action Statute (CAS), 50 U.S.C. § 3093. The longstanding friction as to whether clandestine DoD activities trigger the statute’s oversight regime and effectively bar the DoD from conducting any activity other than “traditional military activities” (TMA) was acute and created “difficulties within the interagency [process for the DoD] obtaining mission approval.” H.R. Rep. No. 115-874, at 1049 (2018). Congressional attempts to eliminate this friction fell short. Provisions such as Section 954 of the 2012 NDAA, Pub. L. No. 112-81 (2011), and Section 1642 of the 2016 NDAA, Pub. L. No. 114-92 (2015), although strong statements of policy, had little actual effect. And while the 2012 NDAA tried to clarify that, for purposes of the CAS, cyber operations should be treated the same as other military operations, the clarifying language never made it into the final bill. H.R. Rep. No. 112-329, at 686 (2011). It would take the galvanizing pressure of Russian efforts to interfere with the 2018 elections to move the needle.
2018: A Watershed Year
By 2018, the DoD recognized that the policy of restraint resulted in a failure to respond to cyber threats in a timely and meaningful way and encouraged, instead of deterring, adversaries. In 2017, President Donald Trump committed the United States to deterring and disrupting malicious cyber actors before they are able to impact U.S. interests. National Security Strategy of the United States of America, Dec. 2017. Building on this direction, the DoD shifted its strategic approach from a reactive posture to “one of persistent engagement with a persistent force.” C. Todd Lopez, Persistent Engagement, Partnerships, Top Cybercom’s Priorities, Defense.gov, May 14, 2019. To effect this vision, the DoD Cyber Strategy (2018) introduced the operational concept of “defend forward,” whereby the DoD embraced “disrupt[ing] or halt[ing] malicious cyber activity at its source, including activity that falls below the level of armed conflict.” However, strategies alone were not enough.
For its part, Congress passed two critical pieces of cyber-enabling legislation as part of the 2019 NDAA, Pub. L. 115-232 (2018). Congress expressed in Section 1642 of the NDAA its “support for the conduct of military cyber operations to defend the nation against Russian, Chinese, North Korean, and Iranian ‘active, systematic, and ongoing campaigns of attacks’ against U.S. interests, including attempts to influence U.S. elections.” Hon. Paul C. Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, Defense.gov, Mar. 2, 2020. Some have described Section 1642 as a grant of “pre-authorization” for certain cyber operations. Robert Chesney, The Law of Military Cyber Operations and the New NDAA, Lawfare (Jul. 26, 2018). However characterized, Section 1642 was a significant step forward in bolstering the President’s authority to conduct OCO in furtherance of national security interests. Congress also ended the debate as to whether, and if so when, unattributable cyber operations qualify as TMA and are exempt from the strictures of the CAS. Section 1632 of the 2019 NDAA made clear that, when authorized, the Secretary of Defense may direct clandestine military activities or operations in cyberspace as TMA, even if the operations will not be acknowledged publicly.
Also in 2018, President Trump issued a policy that reportedly provided for the delegation of greater authority to the DoD to conduct cyber operations and reduced bureaucratic hurdles to interagency coordination and approval. Ellen Nakashima, White House Authorizes ‘Offensive Cyber Operations’ to Deter Foreign Adversaries, Wash. Post, Sept. 20, 2018. National Security Presidential Memorandum 13, United States Cyber Operations Policy (2018), replaced PPD-20, effectively rescinding the policy of restraint and allowing “for the delegation of well-defined authorities to the Secretary of Defense to conduct time-sensitive military operations in cyberspace.” Ney, supra.
By all accounts, the DoD has leveraged the 2018 authorities on multiple occasions since their creation. Referencing the work done to protect the 2018 midterm elections, General Nakasone brought the “band . . . back together” and established the joint NSA-Cyber Command Election Security Group to defend the 2022 midterms from foreign interference. Katrina Manson, U.S. Brings Back Cyber Team to Combat Possible Election Meddling, Bloomberg (May 6, 2022). U.S. Cyber Command has also been active in disrupting ransomware threats, and, notably, General Nakasone made headlines in June 2022 when he publicly acknowledged that U.S. Cyber Command had “conducted a series of operations across the full spectrum: offensive, defensive, [and] information operations” in support of Ukraine. Ines Kagubare, Cyber Command Chief Confirms US Took Part in Offensive Cyber Operations, The Hill (Jun. 1, 2022).
Into the Future
Cyberspace is now a recognized and rapidly evolving domain of interstate competition and conflict, with unique characteristics that do not adhere neatly to the premises underlying more traditional environments of adversarial engagement. It is perhaps the most hyper-dynamic strategic environment the United States has ever faced. The technologies that make up the ICT ecosystem are in constant flux, malicious tools are increasingly diffuse and accessible, adversary capabilities morph and grow continuously — all against a backdrop of outdated or immature and often discordant legal and policy structures. Unsurprisingly, basic strategic and operational assumptions about cyberspace and the role of cyber capabilities as tools of statecraft and conflict are embryonic and inconstant. However, certain lessons are already emerging to guide next steps and to build on.
For one, in the cyber domain initiative is rewarded and complacency punished. Events like SolarWinds, the Microsoft Exchange Server hack, and the growing problem of ransomware are proof that we have yet to achieve an acceptable level of national cyber security. The developments in cyber strategy, law, and policy, especially those of 2018, were a significant step forward, but much work remains.
Certainly, OCO are not the sole or even necessarily the primary tool needed to effectively address cyber threats. Cybersecurity is a multi-faceted and multi-disciplinary process. As National Cyber Director Chris Inglis has argued, it requires a fundamental reconceptualization, a new “cyber social contract” to better define shared roles and responsibilities across the whole of society and to create “a clear framework for collaboration across the public and private elements of the United States shared cyber-ecosystem.” Chris Inglis and Harry Krejsa, The Cyber Social Contract: How to Rebuild Trust in a Digital World, Foreign Affairs (Feb. 21, 2022). Collaboration is no easy task, but the creation of the Joint Cyber Defense Collaborative at the Cybersecurity and Infrastructure Security Agency (CISA), and the evolution of legal and policy frameworks, like the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), Pub. L. No. 117-103, Div. Y, 136 Stat. 49 (2022), foster greater public-private cooperation and forge new paths.
Meanwhile, the ability to disrupt threats as early and far forward as possible and achieve true defense in depth, or what the Cyberspace Solarium Commission calls “layered cyber deterrence,” must be part of the equation. Cyberspace Solarium Commission Final Report (Mar. 2020). The speed of cyber has always stressed traditional national security decision-making paradigms and will continue to do so. Quantum computing, artificial intelligence, and other over-the-horizon advancements in computing will only condense decision timelines and necessitate more streamlined processes and approaches to risk tolerance and management. The United States must continue to build on the foundation that has been laid and advance our cyber capabilities in the interest of national security or risk falling behind in this 21st century domain of conflict.
The material in all ABA publications is copyrighted and may be reprinted by permission only.
The views expressed herein represent the opinions of the authors. They have not been approved by the House of Delegates or the Board of Governors of the American Bar Association and, accordingly, should not be construed as representing the position of the Association or any of its entities. Nothing contained in this publication is to be considered as the rendering of legal advice for specific cases, and readers are responsible for obtaining such advice from their own legal counsel. This publication is intended for educational and informational purposes only.