In the wake of President Obama’s release of legislative proposals to enhance cybersecurity, there have been a number of developments addressing the use of proactive cyber “weapons” or defensive counter-measures. While the President’s proposal addressed these issues to some extent, it appears that others would prefer to see clearer policies and authorities or, on the other hand, enhanced controls.
For example, the House of Representatives recently passed H.R. 1540, the National Defense Authorization Act for Fiscal Year 2012. The version that passed the House included language giving the Secretary of Defense authority to conduct military actions in cyberspace. This authority, outlined in Section 962, includes conducting a clandestine operation outside the U.S. or defending against a cyber attack against an asset of the Department of Defense.
The New York Times reported yesterday that the Pentagon plans to create a formal strategy to deter cyberattacks. There are several actions on the table that administration officials have suggested as means to deter such attacks, including economic sanctions, retaliatory cyberattacks or a military response. The Pentagon has declared that any computer attack that threatens widespread civilian casualties could be treated as an act of aggression and can be treated as an ‘act of war’. The problem, as noted by a former Pentagon official, is how the Pentagon or another government entity can be sure where the attack came from and who was behind it. As a result, the White House has directed billions of dollars toward several security agencies’ budgets, including the CIA, NSA and Department of Homeland Security, to come up with approaches that fit the international cyberstrategy that Obama called for back in May.
PLC Chairman Michael Rake of one of the world’s leading telecommunications companies, GT Group, voiced concerns today about the risks of escalating attacks and enhanced capabilities. He suggested an international pact to control the proliferation of cyber attacks. He compared the increasing number of cyber attacks to a 21st century arms race and said that the international community should form some sort of cyber technology nonproliferation treaty. Mr. Rake voiced his suggestion to a group of policymakers and business leaders in London. Many dismissed his idea, but one academic suggested using the U.N.’s telecommunication agency as a cyber-nonproliferation watchdog.
As Congress evaluates the White House Cybersecurity proposal and DOD moves forward to enhance its authorities and capabilities, the use of cyber countermeasures or proactive cyber attacks will clearly be an important part of the conversation. These developments raise significant legal issues, which will hopefully be appropriately vetted before legislation or government policies are finalized. Specifically, it will be interesting to know what safeguards will prevent private industry and consumers from getting “caught in the cross-fire” and to fully understand the legal ramifications of declaring cyberattacks “acts of war” — which may give the federal government wide-ranging authority from enhanced surveillance powers to even the potential for making use of private industry resources.