* General Counsel, U.S. Department of Defense. This Essay is based on remarks given at the U.S. Cyber Command Legal Conference on March 2, 2020. Footnotes have been added and updated as of the date of publication of this Essay. I am grateful to Charles A. Allen, Eliana V. Davidson, Thomas H. Lee, Guillermo R. Carranza, Commander Robin Crabtree, Karl S. Chang, Matthew McCormack, John L. Muelheuser, Gary Corn, and Lieutenant Commander Lynn M. Cherry, for their assistance in preparing this Essay.<\/i><\/p>\n
[Click here for PDF]<\/a><\/p>\n General Nakasone, Colonel Smawley, distinguished panelists, and guests, thank you for the opportunity to speak with you today. Since its inception in 2012, the U.S. Cyber Command legal conference has provided the Department of Defense (DoD), other U.S. Government agencies, our Allies and partners, and interested members of the academy and the general public, with a unique opportunity to explore some of the complex legal issues facing our military and our Nation in cyberspace.<\/p>\n I have two objectives today. First, I\u2019ll offer a snapshot of how we in DoD are integrating cyberspace into our overall national defense strategy. Second, I will summarize the domestic and international law considerations that inform the legal reviews that DoD lawyers conduct as part of the review and approval process for military cyber operations. We at DoD now have considerable practice advising on such operations and are accordingly in a position to begin to speak from experience to some of the challenging legal issues that cyber operations present.<\/p>\n To set the scene, when I talk about \u201ccyberspace,\u201d I am referring to \u201cthe interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.\u201d[1]<\/b><\/a> Physically, and logically, the domain is in a state of perpetual transformation. It enables the transmission of data across international boundaries in nanoseconds\u2014controlled much more by individuals or even machines than by governments\u2014spreading ideas to disparate audiences and, in some cases, the generating of physical effects in far-flung places.<\/p>\n As we enter the third decade of the twenty-first century, people are imagining, developing, and creating new technologies and devices at a faster rate than ever before. These new technologies update on a near daily basis\u2014think of the software update that your phone automatically uploaded today.<\/p>\n Sophisticated technologies are now a part of nearly all aspects of military operations, creating opportunities and challenges. A recent Brookings paper makes the point well: \u201cBy\u00a0.\u00a0.\u00a0.\u00a0building Achilles\u2019 heels into everything they operate, modern militaries have created huge opportunities for their potential enemies. The fact that everyone is vulnerable\u00a0.\u00a0.\u00a0.\u00a0is no guarantee of protection.\u201d[2]<\/b><\/a><\/p>\n Constantly changing vulnerabilities exist not only within our Armed Forces but also in the private and public sectors, which provide critical support to our operations. This includes contractors that manage networks and other services; the defense industrial base that is the foundation of the United States\u2019 military strength; and critical public infrastructure upon which the entire country, including the Armed Forces, relies for water, electricity, and transportation.<\/p>\n From a strategic competition perspective, too, cyberspace is increasingly dynamic and contested, including as a warfighting domain. In the past few years, other nations, in part to make up for gaps in conventional military power vis-\u00e0-vis the United States, have developed cyber strategies and organized military forces to conduct operations in cyberspace. China\u2019s Strategic Support Force, for example, provides its People\u2019s Liberation Army with cyberwarfare capabilities to \u201cestablish information dominance in the early stages of a conflict to constrain [U.S.] actions\u00a0.\u00a0.\u00a0.\u00a0by targeting network-based [command and control,]\u00a0.\u00a0.\u00a0.\u00a0logistics, and commercial activities.\u201d[3]<\/b><\/a> Russia consistently uses cyber capabilities for what it calls \u201cinformation confrontation\u201d during peacetime and war.[4]<\/b><\/a> All of this is unsurprising because cyber is a relatively cheap form of gaining real power, especially for impoverished adversaries like North Korea: a cyber operation can require nothing more than a reasonably skilled operator, a computer, a network connection, and persistence.<\/p>\n A key element of the U.S. military\u2019s strategy in the face of these cyber-threats is to \u201cdefend forward.\u201d[5]<\/b><\/a> Implementing this element of the strategy begins with \u201ccontinuously engaging and contesting adversaries and causing them uncertainty wherever they maneuver\u201d\u2014which we refer to as \u201cpersistent engagement.\u201d[6]<\/b><\/a> \u201cPersistent engagement recognizes that cyberspace\u2019s structural feature of interconnectedness and its core condition of constant contact creates a strategic necessity to operate continuously in cyberspace.\u201d[7]<\/b><\/a> As General Nakasone has said, \u201c[i]f we find ourselves defending inside our own networks, we have lost the initiative and the advantage.\u201d[8]<\/b><\/a> In short, the strategy envisions that our military cyber forces will be conducting operations in cyberspace to disrupt and defeat malicious cyber activity that is harmful to U.S. national interests.[9]<\/b><\/a><\/p>\n Cyber operations are also becoming an integral part of other military operations. As the 2018 National Defense Strategy emphasizes, \u201c[s]uccess no longer goes to the country that develops a new technology first, but rather to the one that better integrates it and adapts its way of fighting.\u201d[10]<\/b><\/a> For example, during operations in Iraq in 2017, U.S. forces used cyber and space capabilities to disrupt communications to and from the enemy\u2019s primary command post, forcing the enemy to move to previously unknown backup sites, thereby exposing their entire command-and-control network to U.S. kinetic strikes.[11]<\/b><\/a> Operations like this will become increasingly common.<\/p>\n Because of the complexity and dynamism of the domain and the threat environment, the need for persistent engagement outside U.S. networks, and the critical advantage that cyber operations provide our Armed Forces, DoD must develop, review, and approve military cyber operations at so-called \u201cwarp-speed.\u201d To this end, the U.S. Government has made meaningful strides. You heard in 2018 that the President had issued National Security Presidential Memorandum-13, United States Cyber Operations Policy<\/em>, or \u201cNSPM-13\u201d for short, which allows for the delegation of well-defined authorities to the Secretary of Defense to conduct time-sensitive military operations in cyberspace. Congress also has clarified that the President has authority to direct military operations in cyberspace to counter adversary cyber operations against our national interests and that such operations, whether they amount to the conduct of hostilities or not, and even when conducted in secret, are to be considered traditional military activities and not covert action, for purposes of the covert action statute.[12]<\/b><\/a><\/p>\n Even as the United States takes action to secure its vital national interests and to support its Allies and partners in this complex environment, it is a Nation dedicated to the rule of law. Consequently, we must ensure that our efforts are not only effective but also consistent with law and wider U.S. Government efforts to promote stability in cyberspace and adherence to the rules-based international order. DoD lawyers have an important role to play as the Department develops and executes cyber operations to meet these mandates.<\/p>\n Let me turn now to providing you a sense of how DoD lawyers analyze proposed military cyber operations for compliance with domestic and international law.<\/p>\n To evaluate the legal sufficiency of a proposed military cyber operation, we employ a process similar to the one we use to assess non-cyber operations. We engage our clients to understand the relevant operational details: What is the military objective we seek to achieve? What is the operational scheme of maneuver and how does it contribute to achieving that objective? Where is the target located? Does the operation involve multiple geographic locations? What is the target system used for? How will we access it? What effects\u2014such as loss of access to data\u2014will we generate within that system? How will those effects impact the system\u2019s functioning? Which people or processes will be affected by anticipated changes to the system\u2019s functioning? Are any of those likely to be impacted civilians or public services? Answers to these questions will drive the legal analysis.<\/p>\n Let\u2019s take up considerations of U.S. domestic law first. We begin with the foundational question of domestic legal authority to conduct a military cyber operation. The domestic legal authority for the DoD to conduct cyber operations is included in the broader authorities of the President and the Secretary of Defense to conduct military operations in defense of the nation. We assess whether a proposed cyber operation has been properly authorized using the analysis we apply to all other operations, including those that constitute use of force. The President has authority under Article II of the U.S. Constitution to direct the use of the Armed Forces to serve important national interests, and it is the longstanding view of the Executive Branch that this authority may include the use of armed force when the anticipated nature, scope, and duration of the operations do not rise to the level of war under the Constitution, triggering Congress\u2019s power to declare war.[13]<\/b><\/a> Furthermore, the Supreme Court has long affirmed the President\u2019s power to use force in defense of the nation and federal persons, property, and instrumentalities.[14]<\/b><\/a> Accordingly, the President has constitutional authority to order military cyber operations even if they amount to use of force in defense of the United States. Of course, the vast majority of military operations in cyberspace do not rise to the level of a use of force; but we begin analysis of U.S. domestic law with the same starting point of identifying the legal authority.<\/p>\n In the context of cyber operations, the President does not need to rely solely on his Article II powers because Congress has provided for ample authorization. As I noted earlier, Congress has specifically affirmed the President\u2019s authority to direct DoD to conduct military operations in cyberspace.[15]<\/b><\/a> Moreover, cyber operations against specific targets are logically encompassed within broad statutory authorizations to the President to use force, like the 2001 Authorization for the Use of Military Force, which authorizes the President to use \u201call necessary and appropriate force\u201d against those he determines were involved in the 9\/11 attacks or that harbored them.[16]<\/b><\/a> Congress has also expressed support for the conduct of military cyber operations to defend the nation against Russian, Chinese, North Korean, and Iranian \u201cactive, systematic, and ongoing campaigns of attacks\u201d against U.S. interests, including attempts to influence U.S. elections.[17]<\/b><\/a><\/p>\n In addition to questions of legal authority, DoD lawyers advise on the Secretary of Defense\u2019s authority to direct the execution of military cyber operations as authorized by the President and statute,[18]<\/b><\/a> \u201cincluding in response to malicious cyber activity carried out against the United States or a United States person by a foreign power,\u201d[19]<\/b><\/a> and to conduct related intelligence activities.[20]<\/b><\/a> Our lawyers ensure that U.S. military cyber operations adhere to the President\u2019s specific authorizations as well as the generally applicable NSPM-13.<\/p>\n After concluding that the operation has been properly authorized, DoD lawyers assess whether there are any statutes that may restrict DoD\u2019s ability to conduct the proposed cyber operation and whether the operation may be carried out consistent with the protections afforded to the privacy and civil liberties of U.S. persons. To illustrate, I am going to talk about two statutes and the First Amendment as examples of laws that we may consider, depending on the specific cyber operation to be conducted.<\/p>\n First, let\u2019s look at federal criminal provisions in Title 18 of the U.S. Code that prohibit accessing certain computers and computer networks \u201cwithout authorization,\u201d[21]<\/b><\/a> or transmitting a \u201cprogram, information, code, or command,\u201d[22]<\/b><\/a> that intentionally causes \u201cany impairment to the integrity or availability\u201d of the computer or data on it [23]<\/a><\/b>\u2014provisions found in the Computer Fraud and Abuse Act or \u201cCFAA,\u201d as amended.[24]<\/b><\/a> These provisions contain exceptions for lawfully authorized activities of law enforcement agencies and U.S. intelligence agencies but do not refer to U.S. military cyber operations.[25]<\/b><\/a> Common sense and long-accepted canons of statutory interpretation suggest, however, that the CFAA will not constrain appropriately authorized DoD cyber operations.[26]<\/b><\/a><\/p>\n The CFAA was enacted to protect U.S. Government computers and critical banking networks against thieves and hackers,[27]<\/b><\/a> not vice versa; it expresses no clear indication of congressional intent to limit the President from directing military actions;[28]<\/b><\/a> and the more recent statutes I mentioned earlier specifically authorize or reaffirm the President\u2019s authority to direct DoD to conduct operations in cyberspace. In light of these considerations, it would be unreasonable and counterintuitive to interpret the CFAA as restricting properly authorized military cyber operations abroad against foreign actors.[29]<\/b><\/a><\/p>\n Second, DoD lawyers typically analyze whether the proposed cyber operation may be conducted as a traditional military activity\u2014or \u201cTMA\u201d\u2014such that it would be excluded from the approval and oversight requirements applicable to covert action under the Covert Action Statute.[30]<\/b><\/a> Because the statute does not define TMA, we look to the legislative history and a provision in the National Defense Authorization Act for Fiscal Year 2019 that clarifies that in general clandestine military activities in cyberspace constitute TMA for purposes of the Covert Action Statute, and reaffirms established congressional reporting requirements for military cyber operations.[31]<\/b><\/a><\/p>\n Third, DoD lawyers must assess whether a proposed operation will impact the privacy and civil liberties of U.S. persons. The practical reality of cyberspace today is that U.S. military cyber operations aimed at disrupting an adversary\u2019s ability to put information online or to distribute it across the worldwide web have the potential to affect U.S. persons\u2019 rights and civil liberties in ways that operations in physical domains do not.<\/p>\n Let me give you a concrete example. A core part of DoD\u2019s mission to defend U.S. elections consists of defending against covert foreign government malign influence operations targeting the U.S. electorate. The bulk of DoD\u2019s efforts in this area involve information-sharing and support to domestic partners, like the Department of Homeland Security and the Federal Bureau of Investigation. But what about a U.S. military cyber operation to disrupt a foreign government\u2019s ability to disseminate covertly information to U.S. audiences via the Internet by pretending that the information has been authored by Americans inside the United States? Can we conduct such an operation in a manner that contributes to the defense of our elections but avoids impermissible interference with the right of free expression under the First Amendment\u2014including the right to receive<\/em> information?[32]<\/b><\/a> The analysis often turns on the specifics of the proposed operation\u2014but, in short, we believe we can.<\/p>\n Few precedents address this issue directly; but, U.S. case law does provide a framework with at least three key strands. First, there are judicial decisions that stand for the proposition that the U.S. Government, in carrying out certain appropriately authorized activities, may incidentally burden the right to receive information from foreign sources without violating the First Amendment.[33]<\/b><\/a> Second, courts have recognized a compelling government interest in protecting U.S. elections from certain types of foreign influence\u2014especially when that influence is exercised covertly.[34]<\/b><\/a> Third, government action based on the content of the speech will be suspect.[35]<\/b><\/a><\/p>\n In light of these precedents, DoD lawyers analyzing particular cyber operations for First Amendment compliance will consider a number of factors, including: whether the operation is targeting the foreign actors seeking to influence U.S. elections covertly rather than the information itself; the extent to which the operation may be conducted in a \u201ccontent neutral\u201d manner; and, the foreign location and foreign government affiliation of the targeted entity.<\/p>\n We at DoD realize that military involvement in protecting U.S. elections is a sensitive mission, even when conducted in compliance with First Amendment protections and consistent with congressional intent. Virtually any military involvement in U.S. elections implicates the bedrock premise of maintaining civilian control of the military and our long tradition of keeping the military out of domestic politics. Accordingly, in assessing proposed operations related to elections, DoD lawyers pay particular attention to whether the proposed operation may be conducted consistent with legal and regulatory limits on the use of official positions to influence or affect the results of U.S. elections or to engage in, or create the appearance of engaging in<\/em>, partisan politics.[36]<\/b><\/a><\/p>\n Those are some highlights of U.S. domestic law considerations that may be implicated by proposed military cyber operations; let me turn now to international law.<\/p>\n We recognize that State practice in cyberspace is evolving. As lawyers operating in this area, we pay close attention to States\u2019 explanations of their own practice, how they are applying treaty rules and customary international law to State activities in cyberspace, and how States address matters where the law is unsettled. DoD lawyers, and our clients, engage with our counterparts in other U.S. Government departments and agencies on these issues, and with Allies and partners at every level\u2014from the halls of the United Nations to the floors of combined tactical operations centers\u2014to understand how we each apply international law to operations in cyberspace. Initiatives by non-governmental groups like those that led to the Tallinn Manual can be useful to consider, but they do not create new international law, which only states can make. My intent here is not to lay out a comprehensive set of positions on international law. Rather, as I have done with respect to domestic law, I will tell you how DoD lawyers address some of the international law issues that today\u2019s military cyber operations present.<\/p>\n I will start with some basics. It continues to be the view of the United States that existing international law applies to State conduct in cyberspace. Particularly relevant for military operations are the Charter of the United Nations, the law of State responsibility, and the law of war. To determine whether a rule of customary international law has emerged with respect to certain State activities in cyberspace, we look for sufficient State practice over time, coupled with opinio<\/em> juris<\/em>\u2014evidence or indications that the practice was undertaken out of a sense that it was legally compelled, not out of a sense of policy prudence or moral obligation.<\/p>\n As I discussed a few minutes ago, our policy leaders assess that the threat environment demands action today\u2014our clients need our advice today on how international legal rules apply when resorting to action to defend our national interests from malicious activity in cyberspace, notwithstanding any lack of agreement among States on how such rules apply. Consequently, in reviewing particular operations, DoD lawyers provide advice guided by how existing rules apply to activities in other domains, while considering the unique, and frequently changing, aspects of cyberspace.<\/p>\n First, let\u2019s discuss the international law applicable to uses of force. Article 2(4) of the Charter of the United Nations provides that \u201cAll Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.\u201d[37]<\/b><\/a> At the same time, international law recognizes that there are exceptions to this rule. For example, in the exercise of its inherent right of self-defense a State may use force that is necessary and proportionate to respond to an actual or imminent armed attack.[38]<\/b><\/a> This is true in the cyber context just as in any other context.<\/p>\n Depending on the circumstances, a military cyber operation may constitute a use of force within the meaning of Article 2(4) of the U.N. Charter and customary international law. In assessing whether a particular cyber operation\u2014conducted by or against the United States\u2014constitutes a use of force, DoD lawyers consider whether the operation causes physical injury or damage that would be considered a use of force if caused solely by traditional means like a missile or a mine.[39]<\/b><\/a> Even if a particular cyber operation does not constitute a use of force, it is important to keep in mind that the State or States targeted by the operation may disagree, or at least have a different perception of what the operation entailed.<\/p>\n Second, the international law prohibition on coercively intervening in the core functions of another State, such as the choice of political, economic, or cultural system,[40]<\/b><\/a> applies to State conduct in cyberspace.[41]<\/sup><\/strong><\/a> For example, \u201ca cyber operation by a State that interferes with another country\u2019s ability to hold an election\u201d or that tampers with \u201canother country\u2019s election results would be a clear violation of the rule of non-intervention.\u201d[42]<\/b><\/a> Other States have indicated that they would view operations that disrupt the fundamental operation of a legislative body or that would destabilize their financial system as prohibited interventions.[43]<\/b><\/a><\/p>\n There is no international consensus among States on the precise scope or reach of the non-intervention principle, even outside the context of cyber operations. Because States take different views on this question, DoD lawyers examining any proposed cyber operations must tread carefully, even if only a few States have taken the position publicly that the proposed activities would amount to a prohibited intervention.<\/p>\n Some situations compel us to take into consideration whether the States involved have consented to the proposed operation. Because the principle of non-intervention prohibits \u201cactions designed to coerce a State . . . in contravention of its rights,\u201d[44]<\/b><\/a> it does not prohibit actions to which a State voluntarily consents, provided the conduct remains within the limits of the consent given.[45]<\/b><\/a><\/p>\n Depending on the circumstances, DoD lawyers may also consider whether an operation that does not constitute a use of force could be conducted as a countermeasure. In general, countermeasures are available in response to an internationally wrongful act attributed to a State. In the traditional view, the use of countermeasures must be preceded by notice to the offending State, though we note that there are varying State views on whether notice would be necessary in all cases in the cyber context because of secrecy or urgency.[46]<\/b><\/a> In a particular case it may be unclear whether a particular malicious cyber activity violates international law. And, in other circumstances, it may not be apparent that the act is internationally wrongful and attributable to a State within the timeframe in which the DoD must respond to mitigate the threat. In these circumstances, which we believe are common, countermeasures would not be available.<\/p>\n For cyber operations that would not constitute a prohibited intervention or use-of-force, the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State\u2019s territory. This proposition is recognized in the Department\u2019s adoption of the \u201cdefend forward\u201d strategy: \u201cWe will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.\u201d[47]<\/b><\/a> The Department\u2019s commitment to defend forward including to counter foreign cyber activity targeting the United States\u2014comports with our obligations under international law and our commitment to the rules-based international order.<\/p>\n The DoD OGC view, which we have applied in legal reviews of military cyber operations to date, shares similarities with the view expressed by the U.K. Government in 2018.[48]<\/b><\/a> We recognize that there are differences of opinion among States, which suggests that State practice and opinio<\/em> juris <\/em>are presently not settled on this issue. Indeed, many States\u2019 public silence in the face of countless publicly known cyber intrusions into foreign networks precludes a conclusion that States have coalesced around a common view that there is an international prohibition against all such operations (regardless of whatever penalties may be imposed under domestic law).<\/p>\n Traditional espionage may also be a useful analogue to consider. Many of the techniques and even the objectives of intelligence and counterintelligence operations are similar to those used in cyber operations. Of course, most countries, including the United States, have domestic<\/em> laws against espionage, but international law, in our view, does not prohibit espionage per se<\/em> even when it involves some degree of physical or virtual intrusion into foreign territory. There is no anti-espionage treaty, and there are many concrete examples of States practicing it, indicating the absence of a customary international law norm against it. In examining a proposed military cyber operation, we may therefore consider the extent to which the operation resembles or amounts to the type of intelligence or counterintelligence activity for which there is no per se<\/em> international legal prohibition.[49]<\/b><\/a><\/p>\n Of course, as with domestic law considerations, establishing that a proposed cyber operation does not violate the prohibitions on the use of force and coercive intervention does not end the inquiry. These cyber operations are subject to a number of other legal and normative considerations.<\/p>\n As a threshold matter, in analyzing proposed cyber operations, DoD lawyers take into account the principle of State sovereignty. States have sovereignty over the information and communications technology infrastructure within their territory. The implications of sovereignty for cyberspace are complex, and we continue to study this issue and how State practice evolves in this area, even if it does not appear that there exists a rule that all infringements on sovereignty in cyberspace necessarily involve violations of international law.<\/p>\n It is also longstanding DoD policy that U.S. forces will comply with the law of war during all armed conflicts, however such conflicts are characterized, and in all other military operations.[50]<\/b><\/a> Even if the law of war does not technically apply because the proposed military cyber operation would not take place in the context of armed conflict, DoD nonetheless applies law-of-war principles.[51]<\/b><\/a> This means that the jus in bello<\/em> principles, such as military necessity, proportionality, and distinction, continue to guide the planning and execution of military cyber operations, even outside the context of armed conflict.<\/p>\n DoD lawyers also advise on how a proposed cyber operation may implicate U.S. efforts to promote certain policy norms for responsible State behavior in cyberspace, such as the norm relating to activities targeting critical infrastructure. These norms are non-binding and identifying the best methods for integrating them into tactical-level operations remains a work in progress. But, they are important political commitments by States that can help to prevent miscalculation and conflict escalation in cyberspace. DoD OGC, along with other DoD leaders, actively supports U.S. State Department-led initiatives to build and promote this framework for responsible State behavior in cyberspace. This includes participation in the UN Group of Governmental Experts and an Open-Ended Working Group on information and communications technologies in the context of international peace and security. These diplomatic engagements are an important part of the United States\u2019 overall effort to protect U.S. national interests by promoting stability in cyberspace.<\/p>\n Of course, the real work of analyzing specific military cyber operations in light of the domestic and international legal considerations I have mentioned falls to judge advocates and civilian attorneys at the tactical and operational levels\u2014which is to say, many of you. As one of my predecessors, Jennifer O\u2019Connor, noted in a speech in 2016, military operations\u2014including cyber operations\u2014are subject to a rigorous targeting process that involves both policy and legal reviews to ensure that specific operations are conducted consistent with the relevant authorization, domestic and international law, and any additional restraints imposed by the applicable orders. Particularly in areas like this one, in which not only the law but the domain itself is constantly evolving, I am extremely proud of the legal work many of you do for the Department of Defense and am humbled every day by your dedication to our Nation\u2019s defense.<\/p>\n Thank you all for what you do and for the opportunity to speak with you today.<\/p>\n [1]<\/b><\/a> \u00a0Dep\u2019t of Def., DOD Dictionary of Military and Associated Terms 55 (June 2020), https:\/\/www.jcs.mil\/Portals\/36\/Documents\/Doctrine\/pubs\/dictionary. [2]<\/b><\/a> \u00a0Michael O\u2019Hanlon, The Brookings Inst., Forecasting Change in Military Technology, 2020-2040 16 (2018), https:\/\/www.brookings.edu\/wp-content\/uploads\/2018\/09\/FP_20181218_defense_advances_pt2.pdf [https:\/\/perma.cc\/ [3]<\/b><\/a> \u00a0Def. Intelligence Agency, China Military Power: Modernizing a Force to Fight and Win 46 (2019), https:\/\/www.dia.mil\/Portals\/27\/Documents\/News\/ [4]<\/b><\/a> \u00a0Def. Intelligence Agency, Russia Military Power: Building a Military to Support Great Power Aspirations 38 (2017), https:\/\/www.dia.mil\/Portals\/27\/ [5]<\/b><\/a> \u00a0Dep\u2019t of Def., Summary: Department of Defense Cyber Strategy 1 (2018), https:\/\/media.defense.gov\/2018\/Sep\/18\/2002041658\/-1\/-1\/1\/CYBER_ [6]<\/b><\/a> \u00a0C. Todd Lopez, Persistent Engagement, Partnerships, Top Cybercom\u2019s Priorities<\/em>, Defense.gov (May 14, 2019), https:\/\/www.defense.gov\/Explore\/ [7]<\/b><\/a> \u00a0Michael P. Fischerkeller & Richard J. Harknett, Persistent Engagement and Tacit Bargaining: A Path Toward Constructing Norms in Cyberspace<\/em>, Lawfare (Nov. 9, 2018), https:\/\/www.lawfareblog.com\/persistent-engagement-and-tacit-bargaining-path-toward-constructing-norms-cyberspace [https:\/\/perma.cc\/U4W2-LE4U].<\/p>\n [8]<\/b><\/a> \u00a0An Interview with Paul M. Nakasone<\/em>, Joint Forces Q. (Jan. 2019), at 4, 7, https:\/\/ndupress.ndu.edu\/Portals\/68\/Documents\/jfq\/jfq-92\/jfq-92_4-9_Nakasone-Interview.pdf [https:\/\/perma.cc\/CCP7-9RBD].<\/p>\n [9]<\/b><\/a> \u00a0See <\/em>Hearing<\/em>, supra <\/em>note 6, at 3 (U.S. Armed Forces \u201cdefend forward by conducting operations that range from collecting information to gain insight about hostile cyber actors and their intent, to exposing malicious cyber activities and associated infrastructure publicly, to disrupting malicious cyber activities directly.\u201d).<\/p>\n [10]<\/b><\/a> \u00a0Dep\u2019t of Defense, Summary of the 2018 National Defense Strategy of the United States of America 10 (2018), https:\/\/dod.defense.gov\/Portals\/1\/ [11]<\/b><\/a> \u00a0See <\/em>Matthew Cox, US, Coalition Forces Used Cyberattacks to Hunt Down ISIS Command Posts<\/em>, Military.com (May 25, 2018), https:\/\/www. [12]<\/b><\/a> \u00a0See <\/em>John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. L. No. 115\u2013232 (2018) [hereinafter \u201cNDAA for FY 2019\u201d]. Several provisions in the NDAA for FY 2019 provide authority and express support for the conduct of cyber operations to disrupt, defeat, and deter \u201cactive, systematic, and ongoing campaign[s] of attacks against the Government or people of the United States in cyberspace, including [attempts] to influence American elections and democratic political processes\u201d by Russia, China, North Korea, or Iran. Id<\/em>. \u00a7 1642.\u00a0 The NDAA for FY 2019 also affirms the authority of the President and Secretary of Defense to conduct clandestine military operations in cyberspace, including operation short of hostilities (as such term is used in the War Powers Resolution) or in areas in which hostilities are not occurring. Id<\/em>. \u00a7 1632.<\/p>\n [13]<\/b><\/a> \u00a0See<\/em>, e<\/em>.g<\/em>., April 2018 Airstrikes Against Syrian Chemical-Weapons Facilities, 42 Op. O.L.C. slip op. at 9\u201310 (2018); Authority to Use Military Force in Libya, 35 Op. O.L.C. slip op. at 8 (2011) (quoting Deployment of United States Armed Forces to Haiti, 18 Op. O.L.C. 173, 179 (1994)); see also<\/em> The President\u2019s Power in the Field of Foreign Relations, 1 Op. O.L.C. Supp. 49, 56 (1937) (describing President Thomas Jefferson\u2019s actions leading to the Barbary War, the invasion of Mexico by Presidents Polk and Wilson, President McKinley\u2019s agreement to suppress the Boxer Revolution, and President Roosevelt\u2019s use of the military to support Colombia to acquire the Panama Canal Zone as examples of the exercise of presidential authority to use the military without Congressional approval.).<\/p>\n [14]<\/b><\/a> \u00a0See, e.g.<\/em>, The Prize Cases, 67 U.S. (2 Black) 635, 668\u201370 (discussing the authority of the President to resist foreign invasion and suppress insurrection); Fleming v. Page, 50 U.S. 603, 615 (1850) (\u201cAs commander-in-chief, [the President] is authorized to direct the movements of the naval and military forces placed by law at his command, and to employ them in the manner he may deem most effectual to harass and conquer and subdue the enemy.\u201d).<\/p>\n [15]<\/b><\/a> \u00a0See <\/em>National Defense Authorization Act for Fiscal Year 2012, Pub. L. No. 112-81 \u00a7 954, 125 Stat. 1298, 1551 (2011) (\u201cCongress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to\u2014(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and (2) the War Powers Resolution (50 U.S.C. 1541 et seq<\/em>.).\u201d).<\/p>\n [16]<\/b><\/a> \u00a0Authorization for the Use of Military Force, Pub. L. No. 107\u201340, 115 Stat. 224 (2001).<\/p>\n [17]<\/b><\/a> \u00a0NDAA for FY 2019, supra <\/em>note 12, \u00a7 1642 (2018).<\/p>\n [18]<\/b><\/a> \u00a0See <\/em>10 U.S.C. \u00a7 113(b) (2019) (the Secretary has \u201cauthority, direction, and control over the Department of Defense\u201d).<\/p>\n [19]<\/b><\/a> \u00a010 U.S.C. \u00a7 394(a) (2018).<\/p>\n [20]<\/b><\/a> \u00a0See <\/em>50 U.S.C. \u00a7 3038 (2016).<\/p>\n [21]<\/b><\/a> \u00a018 U.S.C. \u00a7 1030(a)(2) (2018).<\/p>\n [22]<\/b><\/a> \u00a0Id.<\/em> \u00a7 1030(a)(5)(A).<\/p>\n [23]<\/b><\/a> \u00a0Id<\/em>. \u00a7 1030(e)(8).<\/p>\n [24]<\/b><\/a> \u00a0Id<\/em>. \u00a7 1030.<\/p>\n [25]<\/b><\/a> \u00a0See <\/em>10 U.S.C. \u00a7 1030(f) (\u201cThis section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.\u201d).<\/p>\n [26]<\/b><\/a> \u00a0See, e.g.<\/em>, Nardone v. United States, 302 U.S. 379, 383\u201384 (1937); Hancock v. Train, 426 U.S. 167, 179 (1976) (\u201cStatutes which in general terms divest pre-existing rights or privileges will not be applied to the sovereign without a clear expression or implication to that effect.\u201d (citations omitted)); Dibble v. Fenimore, 545 F.3d 208, 215 (2d Cir. 2008) (describing the \u201ccanon of construction that limits the reach of statutes of general applicability to military affairs when Congress has not explicitly provided for application to the military\u201d); United States Assistance to Countries that Shoot Down Civil Aircraft Involved in Drug Trafficking, 18 Op. O.L.C. 148, 164 (1994) (explaining that statutes should not be \u201cbe construed to have the surprising and almost certainly unintended effect of criminalizing actions by military personnel that are lawful under international law and the laws of armed conflict\u201d).<\/p>\n [27]<\/b><\/a> \u00a0See <\/em>H.R. Rep. No. 98-894, at 4 (1984).<\/p>\n [28]<\/b><\/a> \u00a0See Nardone<\/em>, 302 U.S. at 383\u201384.<\/p>\n [29]<\/b><\/a> \u00a0Cf.<\/em> Application of the Neutrality Act to Official Government Activities, 8 Op. O.L.C. 58, 78\u201380 (1984) (reasoning that subsequent Congressional enactment of provisions regulating the use of the military and covert actions provided further evidence of Congressional intent that the Neutrality Act did not apply to the activities of the Department of Defense or the Central Intelligence Agency).<\/p>\n [30]<\/b><\/a> \u00a0See <\/em>10 U.S.C. \u00a7 3093(e) (2019); H.R. Rep. No. 102-166 at 29\u201330 (1991) (Conf. Rep.); see also<\/em> S. Rep. No. 102\u201385 at 46 (1991).<\/p>\n [31]<\/b><\/a> \u00a0NDAA for FY 2019, supra <\/em>note 12, \u00a7 1632.<\/p>\nI. Today\u2019s Cyber Threat Environment and DoD\u2019s Response<\/strong><\/h2>\n
II. Framework for Legal Analysis<\/strong><\/h2>\n
A. U.S. Domestic Law<\/em><\/strong><\/h3>\n
B. International Law<\/strong><\/em><\/h3>\n
\npdf [https:\/\/perma.cc\/E428-M2FP].<\/p>\n
\nYKA6-5FQL].<\/p>\n
\nMilitary%20Power%20Publications\/China_Military_Power_FINAL_5MB_20190103.pdf [https:\/\/perma.cc\/R53S-NMFN].<\/p>\n
\nDocuments\/News\/Military%20Power%20Publications\/Russia%20Military%20Power%20Report%202017.pdf [https:\/\/perma.cc\/ATQ8-DLEB] (citations omitted).<\/p>\n
\nSTRATEGY_SUMMARY_FINAL.PDF [https:\/\/perma.cc\/N9F9-GKWZ] [hereinafter DoD Cyber Strategy].<\/p>\n
\nNews\/Article\/Article\/1847823\/persistent-engagement-partnerships-top-cybercoms-priorities\/ [https:\/\/perma.cc\/RV8Z-G6GE]. See also id.<\/em>; Securing the Nation\u2019s Internet Architecture: Hearing Before the H. Armed Services Subcomm. on Intelligence & Emerging Threats & Capabilities & the H. Oversight & Reform Subcomm. on Nat\u2019l Sec. <\/em>(Statement of Edwin Wilson, Deputy Assistant Secretary of Defense for Cyber Policy at 3) (Sep. 10, 2019), https:\/\/docs.house.gov\/meetings\/AS\/AS26\/20190910\/
\n109894\/HHRG-116-AS26-Bio-WilsonB-20190910.pdf [https:\/\/perma.cc\/T4S7-5NFG] [hereinafter Hearing<\/em>]; U.S. Cyber Command, Achieve and Maintain Cyberspace Superiority: Command Vision for US Cyber Command (2018) https:\/\/www.
\ncybercom.mil\/Portals\/56\/Documents\/USCYBERCOM%20Vision%20April%202018.pdf?ver=2018-06-14-152556-010 [https:\/\/perma.cc\/7866-EHZY].<\/p>\n
\nDocuments\/pubs\/2018-National-Defense-Strategy-Summary.pdf [https:\/\/perma.cc\/
\nR5KF-EXG7].<\/p>\n
\nmilitary.com\/dodbuzz\/2018\/05\/25\/us-coalition-forces-used-cyberattacks-hunt-down-isis-command-posts.html?utm_source=Mike%27s+Daily+Blast&utm_campaign=
\n8d4307f510-EMAIL_CAMPAIGN_2018_04_27_COPY_02&utm_medium=email&
\nutm_term=0_beae3dbeb1-8d4307f510-51475081) [https:\/\/perma.cc\/7Z8G-J6YU].<\/p>\n