Intel Chief Concedes That Legal Authorities on Military’s Cyber Command Need Clarification
Another thing that [Noah Shachtman got into during his interview with Adm. Michael Mullen](http://www.wired.com/dangerroom/2010/04/top-officer-fears-cyberwar-hearts-karzai-tweets-with-help/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+WiredDangerRoom+(Blog+-+Danger+Room)), the chairman of the Joint Chiefs of Staff, was the military’s newest command, U.S. Cyber Command, which will probably be helmed by Army Lt. Gen. Keith Alexander, the head of the National Security Agency. At his confirmation hearing last week, Alexander indicated that he would focus CYBERCOM on defending the Defense Department’s information infrastructure from attack. “But,” Mullen told Shachtman, “there’s a blurring, if you will, in the speed of cyber between defense and offense. And so I think you’ll see that, as well.” And that blurring creates legal and policy concerns.
Imagine that the military finds its information networks under attack. An investigation determines that the culprit of the attack is using civilian servers in a friendly country to penetrate CYBERCOM’s defense. What to do? And who gets to do it?
My understanding is that there’s an ongoing debate within the Defense Department and the CIA about whose responsibility it is to take out those servers, as well as who actually possesses the authority to do so. These are probably not going to be the sorts of things that the U.S. government is going to take credit for doing — in other words, those will be covert actions. And “blurring” the uniformed military into the realm of covert action is murky territory. The 1991 Intelligence Authorization Act also suggests that if it’s covert, the CIA gets to do it.
So I asked Adm. Dennis Blair, the nation’s top intelligence officer, at today’s commemoration of the creation of his job five years ago, if U.S. Cyber Command and the intelligence community had established clear divisions of legal and policy authority or responsibility. “It’s a really dynamic area,” Blair replied. “Technology has developed far faster than [the] legal or policy framework.” So, in short, not yet. Blair added, “We’ll do what we have to to get it done.”
Kate Martin, the director of the Center for National Security Studies, observed that even outside of CYBERCOM, whose mandate remains rather unclear, there’s an “ongoing controversy about what kinds of military activities in the context of armed conflict with al-Qaeda are governed by the [legal] covert-activities requirement. That’s not even resolved, outside of the realm of cyberattacks.” Inside that realm, there are any number of questions about specific circumstances that would impact whether CYBERCOM is entering new territory. For instance, launching a direct attack on an enemy’s information network is a pretty traditional feature of warfare — you’re trying to disrupt his ability to command and control his forces. But what if elements of his offensive capability bounce around the world, through systems and virtual avenues controlled by parties that don’t have any stake in a given conflict? What if there isn’t a state of war declared?
In the case of taking out someone else’s servers, Martin mused, “It wouldn’t necessarily be a covert action, because you could argue that it’s closer to the military taking out a traditional supply line, and not using lethal force to do so.” So CYBERCOM might be in the clear there under existing authorities, even if Alexander told Congress that’s not the direction he wants to chart for the command. Or it might not be!
A spokesman for the CIA didn’t respond to a request for clarification. And I was unable to buttonhole Alexander at the ceremony today, although I saw him talking for a bit to CIA Director Leon Panetta and that naturally got my mind racing with speculation.