Understanding when the United States should engage in cyberwar and who should approve cyberattacks requires understanding that cyberwar has multiple personalities: operational, strategic, and that great gray area in-between.
Operational cyberwar, for instance, is the use of cyberattacks to support the use of traditional use of physical (aka kinetic) force. An example (if true) would be how cyberattacks on air-defense radar enabled Israeli jets to safely knock out a Syrian nuclear reactor in 2007. Operational cyberwar is no more problematic than the kinetic operation it would support. If lethal means are acceptable, non-lethal means cannot be a problem. Thus operational cyberwar decisions need not be made by the president, at least not once a precedent is set.
Strategic cyberwar, for its part, is the use of cyberattacks to punish, harass, or annoy the people of another country. The attack by Russians on Estonians in 2007 was an act of strategic cyberwar, albeit one that stayed comfortably within the zone of annoyance rather than anything worse. Once a country has carried out a strategic cyberwar campaign on another country, there is no hiding the fact that the attacker rejoices in the other's discomfort. The decision to carry out a strategic cyberwar campaign has to be a decision made by a head of state — the president, in the case of America — and not by any military command or intelligence agency, just as the decision to blockade another country's harbors cannot be made by the U.S. Navy acting on its own.
It's that great gray area in between where the authority to carry out cyberattacks could profit from further definition. Take Stuxnet. Whoever carried it out is not at war with Iran (no one is), and the Natanz enrichment plant was not a military system in a war zone. So it wasn't an operational cyberattack. However, the purpose of the attack did not appear aimed at making life miserable for the average Iranian; so it really could not be characterized as a strategic attack, either. Stuxnet was closer to an act of sabotage. Although sabotage is not an act of war, the difference between sabotage and a strategic bombing campaign is a matter of degree (and, invariably, casualties). At a lower level, the United Kingdom reportedly penetrated a jihadist web site and substituted a harmless article (on cupcake manufacturing) for a harmful one (bomb manufacturing); this may not have been the only interference with such web sites. A good rule of thumb is that if the results of the action are going to come to the president's attention then the responsibility rests there as well. Whether repeat applications need specific authorization is a matter of details.
But the most difficult example is an action that (supposedly) has to take place faster than presidential authorization can be acquired. Let's say there's an incoming cyberattack, which as we all know takes place at the speed of light. All will be lost if no one can pre-empt or at least react to it at comparable speed. And so, a return cyberattack takes place, and the president is awakened to find that disaster has been averted. Hence, the case for pre-authorization of “active defense.” But is pre-authorization wise? If intelligence on the nature, potential, and source of an attack were perfect, the response precise, and the rationale unassailable, why not? Alas, not only do men fall short of gods, but cyberwar does not really work that way. Consider, again, Stuxnet. By the time it wormed its way into the right computers at Natanz, exactly which system it came out of is not only past but irrelevant; it's gone. It worked for months before the Iranians caught on (perhaps only by reading the New York Times). The cyberespionage campaigns that suck intellectual property from U.S. corporations take place over months; indeed, such attacks typically go on for a year prior to discovery. The attacks on bank web sites that Secretary of Defense Panetta ascribed to the Iranians did not have a detonation point that had to be stopped within milliseconds. And even if one could imagine an attack in progress that has yet to reach an imminent detonation point, blocking the attack at its destination rather than source is technically easier and raises fewer issues.
And that takes us back to our first rule. If the president has to answer to it, the president has to authorize it. In cyberspace, as in physical space, the buck stops there.
Martin Libicki, author of Cyberdeterrence and Cyberwar (RAND, 2009), is a senior management scientist at the nonprofit, nonpartisan RAND Corporation.
This article was originally published by the Federation of American Scientists on January 9, 2013 as part of a debate, "How should the United States operate within the cyber domain?"
Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.