“U.S. military hackers have been given the go-ahead to gain access to Russian cyber systems as part of potential retaliation for any meddling in America’s elections,” according to a Center for Public Integrity report.  The article continues that this authorized activity is in preparation for “an offensive cyber attack that the United States would unleash if Russia electronically interferes with the 2018 midterm election on Nov. 6.”

This more aggressive action would be in line with the reported new approach under a classified presidential directive, National Security Presidential Memorandum 13 (NSPM-13), that accompanied the September 2018 National Cyber Strategy and its corresponding Department of Defense (DoD) Cyber Strategy.  The unclassified summary of the DoD Strategy states that DoD will “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”  This statement is consistent with the Commander of Cyber Command’s discussion about the need for “persistent presence” on the web to ensure the safety of U.S. interests.  “Defending forward” and “persistent presence” are euphemisms for taking actions on computer systems that are not DoD, including systems outside the United States.

This policy triggers some interesting speculation as to how the United States views international law and cyber activities.  It seems uncontested that international law prohibits one country from coercively intervening in the domestic affairs of another country.  This prohibition of intervention has its roots in article 2(7) of the United Nations Charter and has been well reflected in international courts and tribunals.  In describing what actions might equate to a prohibited intervention, courts have talked in terms of coercive measures by one state in another state’s domaine réservé – those matters reserved in international law to the sole prerogative of states, matters such as the right to choose a political, economic, social, and cultural system, and to formulate and execute foreign policy. As noted in the Tallinn 2.0 Manual, “the matter most clearly within a State’s domaine réservé appears to be the choice of both the political system and its organization.”

If Russia intervened in the midterm elections such that their actions violated the domaine réservé of the United States, the U.S. government would not be prohibited from engaging in “countermeasures,” as that term is understood in international law.  These self-help responses to Russian intervention could include  cyber measures that would otherwise be unlawful but are designed to bring Russia back into compliance with international law.  Non-cyber countermeasures would also be appropriate as there is no requirement for the countermeasure to use the same medium as the initial violation. In all circumstances, countermeasures must be proportionate to the injury suffered and must not involve destruction that amounts to the use of force. It is unclear if NSPM-13 addresses the lawfulness of countermeasures, though it may indicate an increasing willingness to use them.

With respect to actions that do not intervene in the domaine réservé, the Center for Public Integrity article highlights at least two very interesting points concerning the U.S. posture.  First, the article quotes unnamed government officials who clarify that foreign government’s influence campaigns don’t trigger a “broader response” such as countermeasures. It is only “efforts to tamper with voting registration and recording votes” that rise to that level.  I take this to mean, in the current Administration, the action that triggers countermeasures (and, by definition, the action that equates to an international law violation) is actually trying to change votes, not trying to influence votes.  Russia can engage in influence operations, but until they actually hack into voting machines, they have not violated international law because they have not coercively intervened in the domaine réservé.

An alternate view might be that the administration does view Russia’s actions as a violation of international law, but chooses, as a matter of policy, neither to describe them as such nor to respond to them as such.  In my view, this would be a dangerous approach as it sends the wrong message not only to Russia, but also to all the other countries who are looking at Russia’s action and gauging their own cyber interpretations of the law based on the reactions of the United States.

Neither of these views, of course, mean that Russian individuals have not violated U.S. domestic law.  In fact, the Department of Justice indictments make clear that much of the 2016 influence campaign by various Russians did violate U.S. domestic law.  But the international law point is important.

Following from the first point, the article also makes clear that NSPM-13 allows DoD to take actions on foreign computers that would ensure “the right access” in case that was needed.   Whether non-consensual actions by one state on the computers in another state’s territory is prohibited by international law as a violation of sovereignty has been a hotly debated topic among academics and governments.  The apparent allowance of DoD to establish “access” on the computers of other nations is significant: it appears that the current Administration takes the view that persistent presence on foreign computers is not a violation of international law.  Such actions would likely be considered unfriendly, but not unlawful, and would certainly be short of a prohibited use of force at least until harmful malware is activated.

In addition to the implicit assertions that can be drawn from the reported description of NSPM-13 concerning the current state of international law, the order also provides interesting insights on national security law and process.  By revoking PPD-20, NSPM-13 establishes a more streamlined and DoD friendly method of approving cyber actions.  According to the Center for Public Integrity article, instead of the prior process where almost unanimous intra-governmental approval was necessary before a specific cyber action could be taken, the new process is less cumbersome, allowing DoD and other government agencies to get prior approval of broad parameters, including some “left-and-right bounds,” and then take specific cyber actions without seeking additional approval as long as they remain within the pre-considered operation.

There is no doubt that, if true, this signals a significant change to the U.S. cyber policy and is a clear indication that cyber actions have now entered the mainstream of national security tools.  For years, the “newness” of cyber capabilities have caused the level of authorization to remain at very high levels and subject to extensive interagency dialogue before even simple cyber tasks could be taken.  These procedural requirements undoubtedly had the practical effect of limiting the number of cyber activities undertaken.  By allowing DoD and other government agencies to function more autonomously within pre-approved guidelines reflects a normalization of cyber capabilities that has been too long in coming.  Perhaps the decades of cyber actions both by and against U.S. interests have now provided a sufficient “comfort level” with the ability to scope cyber activities with respect to distinction and proportionality such that it can now be viewed more like using tanks or aircraft to accomplish a military mission, rather than a nuclear weapon.

Many cyber capable countries seem to be trending in a similar direction.  Germany, for example, recently divulged that it has authorized “hack backs” in certain circumstances.  The adoption and implementation of NSPM-13 and its application to the mid-term elections seems to be a strong statement of change in U.S. policy.  The move to allow more aggressive cyber activities sends a message to adversaries about what are acceptable and unacceptable cyber activities.  It is also one more piece of evidence in a search to determine state practice on the use of cyber tools under international law.

Image: BeeBright/Getty Images