The Department of Defense’s (DoD) new Cyber Strategy is a refinement of past attempts at codifying and understanding the “new terrain” of cybersecurity threats to the United States. While I actually applaud many of the acknowledgements in the new Strategy, I am still highly skeptical of the DoD’s ability to translate words to deeds. In particular, I am so because the entire Strategy is premised on the fact that the “DoD cannot defend every network and system against every kind of intrusion” because the “total network attack surface is too large to defend against all threats and too vast to close all vulnerabilities” (13).
Juxtapose this fact with the statement that “from 2013-2015, the Director of National Intelligence named the cyber threat as the number one strategic threat to the United States, placing it ahead of terrorism for the first time since the attacks of September 11, 2001” (9). What we have, then, is the admission that the cyber threat is the top “strategic” (not private, individual or criminal) threat to the United States, and it cannot defend against it. The Strategy thus requires partnerships with the private sector and key allies to aid in the DoD’s fight. Here is the rub though: private industry is skeptical of the US government’s attempt to court it and many of the US’s key allies do not trust much of what Washington says. Moreover, my skepticism is furthered by the simple fact that one cannot read the Strategy in isolation. Rather, one must take it in conjunction with other policies and measures, in particular Presidential Policy Directive 20 (PPD 20), H.R. 1560 “Protecting Cyber Networks Act”, and the sometimes forgotten Patriot Act.
PPD 20, written and classified as “top-secret” in 2012, outlines the US national cybersecurity policy. It outlines the different types of actions in cyberspace and clearly notes that cyber actions that result in “significant consequences” such as “loss of life, significant responsive actions against the United States, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States” require the explicit authorization of the President. Only in an “emergency” situation would the Secretary of Defense (SecDef) be authorized to order such acts. Let us put aside the question of whether PPD 20 permits the President to wage war through cyber means without the approval of the US Congress for a moment, and turn our attention to the transition from PPD 20 to the Strategy. In a span of three years, no longer is it only the President allowed to pursue such acts, but now in the new Strategy the SecDef is permitted to do so too. Expansion of cyber powers, check.
Second, H.R. 1560 offers private companies almost carte blanche to collect and monitor private Internet communications and engage in private enforcement, or “defensive measures,” without fear of criminal liability (as long as private information and data is shared with the government). The Act is a serious worry for privacy advocates, as well as those concerned with “hacking back” and its effect on escalation and stability. Moreover, the Act only underscores much of the acrimony between private industry in Silicon Valley and the government because it further entrenches surveillance of US citizens, despite the DoD’s recent attempt to court Silicon Valley.
If one does not think this is so, then I only implore you to wait. Section 215 of the Patriot Act is set to expire in about a month and the Congressional debate is already on its way. Section 215 (and 206) is the “Lone Wolf Provision” that permits the NSA, the FBI, and in some cases local law enforcement, to engage in bulk telephony meta-data collection, surveillance of non-U.S. persons suspected of engaging in international terrorism, and other more concerning actions pertaining to the Foreign Intelligence Surveillance Court (FISC). In other words, they permit all those actions that caused Edward Snowden to blow the whistle. The new Strategy is tightly linked to surveillance because the Strategy relies on private industry partnerships to help the DoD protect various networks, but those private industry partnerships need to share the data with the government, and where they will not share it, the government needs some sort of legal justification to take it either covertly (FISC) or overtly.
Finally, the Strategy explicitly states that the US will act “in accordance with applicable law” when considering any cyber operation (11). Yet this is cold comfort to any who think that the current legal structure permits far too much to begin with. Second, if a cyber operation rises to the level of hostilities, how will we know if the US is upholding the laws of armed conflict in cyberspace? What sorts of laws will it see as “applicable,” given that the Strategy seems to slip in a fundamental change to targeting law? The Strategy, for example, states that the U.S. military will “conduct cyber operations to disrupt an adversary’s military-related networks or infrastructure” but what is “military-related”? Is this a step removed from “dual-use”? Or does it extend the option of military targets to anything a military happens to be “related to,” like all infrastructure? Such an admission seems to bend if not already break the law of armed conflict regarding the principle of distinction.
The conclusion is that in the face of the “biggest threat” to strategic security, and the fact that the DoD does not possess the capability to thwart that threat on its own, it is undermining further its ability to do so. For it is cutting off its two other legs, private industry and allies, that could carry it to security. By continuing to engage in its present practice of cyber “security” measures, it will further anger private industry and risk undermining the necessary trust of allies. Moreover, because the new Strategy seems to embrace a more expansive definition of permissible targets, it may also undermine the very norms of cyber governance it wants to establish.