[This is Fred, and we’re back again, a little earlier than expected. Last time we discussed Cyber War and potential U.S. countermeasures against cyberattacks. Terrorism was the subtext of the piece; it concluded with a hypothetical terror attack on a U.S. nuclear plant; and suggested that physical retaliation might be justified. At some point cyber wars could lead to shooting wars. That part, we think, is valid. But our tacit assumption that terrorists would cause many or most cyber conflicts was simplistic at best.

Here’s the situation as we now see it. There are dangerous hackers – those who have the knowledge and cyber resources necessary to mount cyberattacks of “significant consequence[1]” – and there are the people who want to do that kind of thing. No doubt terrorists want to attack us through cyberspace, but they seem to lack that capability. Instead they’ve pretty much confined their activities to blowing up buildings, attacking night clubs, bombing public squares and things of that sort.

A picture, it’s said, can be worth a thousand words, so I’m going to lay a couple of simple diagrams on you. If terrorists aren’t capable of mounting cyberattacks, then the situation is as depicted in Figure 1. The universe of dangerous hackers would not include any terrorists. But if terrorists later acquire those capabilities, then the situation is different: It looks a lot like Figure 2. There is some overlap between the two groups.


Sorry, Figure 1 and Figure 2 haven’t reproduced at this site. Use your imagination or, if you want a copy of this post as it’s supposed to be, feel free to request a pdf of the draft. Do that by leaving a comment at this site.


The point is that if we search for terrorists to find dangerous hackers, we may not find any [hackers, that is] or perhaps only a few. No doubt there are dangerous hackers everywhere, but generally they don’t seem to hang out with terrorists. Instead they work for or with state actors [Russia, China, North Korea, Israel, us and so forth]; organized crime, especially in the identity theft or ransomware rackets; private clubs or associations; and software or network services companies.

My point, of course, is that if we’re really concerned about dangerous hackers, we shouldn’t fixate on terrorism. We should look for the hackers who can do substantial harm, and then develop appropriate countermeasures. For my part, I wouldn’t rule out kinetic solutions to counter cyber aggression.[2] A solution is “kinetic” when we actually blow something up.

Anyway, that’s my opinion, and only mine. This is a very large subject, so I checked with Larry to see if he turned up anything new. He said yes, in that recently the White House[3] gave us more insight into how and why bureaucrats unleash drones on terrorists. The process is impressive and looks as though it could be adapted to include dangerous hackers. The question is, should it?

It all sounds a bit speculative to me but, on the other hand, I’ll take speculation over nothing, which is all that I currently have. So let’s hear from Larry.]

All right, we’ll begin with a quick review of terrorism and cyberwar.

DoD and Cyberattacks

Last time we said that DoD leads the U.S. in preparing for a cyberwar. “In concert with other agencies,” it says, “[DoD] is responsible for defending the U.S. homeland and U.S. interests from attack, including attacks that may occur in cyberspace.”[4] DoD has “capabilities for cyber operations and is integrating those capabilities into the full array of tools that the United States government uses to defend U.S. national interests, including diplomatic, informational, military, economic, financial and law enforcement tools.”[5]

A cyberattack has to have “significant consequences” [presumably bad] for the U.S. before DoD would get involved. What are they? Well, “… significant consequences may include loss of life, significant damage to property, serious adverse foreign policy consequences, or serious economic impact on the United States.”[6] Those are just examples; they’re not an exclusive list of what might be considered.[7] The decider of what’s “significant” will be a civilian, either the President or the Secretary of Defense,[8] and he or she will decide on a case-by-case basis.[9] Of course, whenever the President is involved, the “national security team”[10] must be consulted.

Presidential Policy Guidance

And this brings us to today’s new information. We all know that the President, any President, gets to decide lots of stuff, much of it controversial and very involved; and probably most of us have a rough idea of how he does it. Basically the parties interested in a particular thing [bureaucrats, stakeholders, etc.] or a subset of them get together and write a memo; he reads it, or somebody in his office reads it; and then he or someone in his office responds.

Some matters, however, are so delicate that they require special handling. Drone strikes against terrorists seem to qualify in this regard, so much so that in May of 2013 President Obama issued a special policy stating how and by whom they would be considered before any reached him for approval. That document, aka “Presidential Policy Guidance,” is called Procedures for Approving Direct Action against Terrorists Located Outside of the United States and Areas of Active Hostilities.[11]

The Administration regarded this policy as very sensitive; the whole document was marked “TOP SECRET/ NOFORN” when first issued; but eventually the American Civil Liberties Union pried it out of the Government in a lawsuit under the Freedom of Information Act.[12] We, of course, are citing you to the declassified version, which has some redactions.

In the Cross Hairs

So what terrorists are covered by the policy? Not the ones who live in this country. Once we know about them the Administration can send someone from DOJ, or DHS or even the local police around to arrest them. Drone strikes would not be required. Or, anyway, I don’t think they’d be required. Perhaps we’ll talk about that another time.

How about terrorists on an active battlefield? Well, those guys are pretty much subject to the tender mercies of DoD. As we all know, or should know, DoD fights battles under what’s popularly known as the Law of War.[13] The PPG doesn’t cover those situations, either. It’s focused instead on the terrorists who slink around the world, outside of the zones of combat, and plot actively to endanger U.S. persons or interests. That’s my conclusion.

The PPG speaks generally of high value terrorists [HVTs][14] but doesn’t expressly define who they might be; but apparently our security establishment knows them when it sees them. A person gains HVT status by being nominated for it (i) by a security agency (ii) that has authority to take direct action against the nominee. “In particular, whether any proposed target would be a lawful target for direct action is a determination that will be made in the first instance by the nominating department’s or agency’s counsel (with appropriate legal review …) based on the legal authorities of the nominating department or agency and other applicable law.”[15] Also direct action is not limited simply to previously identified HVTs. Other targets may be added if necessary.[16]

When to Strike

HVTs are considered legitimate targets, but they’re not always struck. Direct action should be taken against them only when there is “near certainty” that the individual targeted is, in fact, the HVT, and “located at the place where the action will occur.”[17] Also “[a]bsent extraordinary circumstances, direct action will be taken only if there is near certainty that the action can be taken without injuring or killing non-combatants.”[18] That last requirement, for “near certainty,” I believe was added in 2013.

Add Dangerous Hackers?

So, can we solve the problem of dangerous hackers simply by adding them to the legitimate targets listed in the President’s special guidance on terrorists? I think not. Currently most terrorists are not hackers, and most hackers are not terrorists. There’s very little commonality – or similarity – between the two populations.

We’re at war with terrorists. If a terrorist is also a dangerous hacker, presumably he will be detected because of his [or her] terrorist associations, ideology, etc. That’s if our security people are as good as they say they are. There’s no need to throw a bunch of non-terrorist hackers into a list of potential targets.

But there is a need to identify the truly dangerous hackers out there, just to know their capabilities, who they work for, and whether, and by whom, they might be used against us. We should track them for the same reason we track all the military capabilities of potential enemies; not because we’re currently at war with them, but because we might be at some future date. My guess is, that’s a job for DoD.

[I agree. If I were on staff in the White House, I think I would want to leave the hacker problem up to DoD, and make sure that they had the resources to do a good job. I might request a periodic report, a cyber threat assessment as it were, but I wouldn’t expect to authorize any drone strikes any time soon. I hope.

If I were in the White House

[1] See DoD, The Department of Defense Cyber Strategy (April, 2015) at p. 3, available at http://www.defense.gov/News/Special-Reports/0415_Cyber-Strategy  Henceforth this document will be cited as Cyber Strategy at __.

[2] Neither would DoD. See Cyber Strategy at p. 11: “The United States will continue to respond to cyberattacks against U.S. interests at a time, in a manner, and at a place of our choosing, using appropriate instruments of U.S. power and in accordance with applicable law.”

[3] See Presidential Policy Guidance, Procedures for Approving Direct Action against Terrorist Targets Located Outside the United States and Areas of Active Hostilities (May 22, 2013), available from the American Civil Liberties Union at https://www.aclu.org/foia-document/presidential-policy-guidance?redirect=node/58033 .  Henceforth the document will be cited as PPG Direct Action (2013) at __.

[4] See Cyber Strategy at p. 2.

[5] Id.

[6] Id.

[7] Id. DoD has written this very carefully, to avoid foreclosing Presidential discretion. This is only natural. After all, under our Constitution the President is Commander-in-Chief, and outranks anyone in DoD. See U.S. Constitution, Article II, Sec. 2: “The President shall be Commander in Chief of the Army and Navy of the United States, and of the Militia of the several States, when called into the actual Service of the United States …” The Constitution is available from many sources; our favorite is the National Archives, at http://www.archives.gov/exhibits/charters/constitution_transcript.html  Look around that site and you can find all of the Amendments, as well.

[8] See Cyber Strategy at p. 5: “If directed by the President or the Secretary of Defense, the U.S. military may conduct cyber operations to counter an imminent or ongoing attack against the U.S. homeland or U.S. interests in cyberspace.”

[9] Id.

[10] Id. See also Cyber Strategy at p. 6: “Any decision to conduct cyber operations outside of DoD networks is made with the utmost care and deliberation and under strict policy and operational oversight, and in accordance with the law of armed conflict.”

[11] See PPG Direct Action (2013), cited at n. 5.

[12] See ACLU, Kaufman, Details Abound in Drone ‘Playbook’ – Except for the Ones That Really Matter Most (August 8, 2016), available at https://www.aclu.org/blog/speak-freely/details-abound-drone-playbook-except-ones-really-matter-most  See also Fox News, US discloses more conditions for lethal drone strikes (August 6, 2016), available at  http://www.foxnews.com/politics/2016/08/06/us-discloses-more-conditions-for-lethal-drone-strikes.html .

[13] See, e.g., DoD, Law of War Manual (June 2015), available at http://www.defense.gov/Portals/1/Documents/pubs/Law-of-War-Manual-June-2015.pdf

[14] See PPG Direct Action (2013) at p. 1: “Absent extraordinary circumstances, direct action against an identified high-value terrorist (HVT) will be taken only when there is near certainty that the individual being targeted is in fact the lawful target and located at the place where the action will occur.”

[15] Id.

[16] See PPG Direct Action (2013) at §1.D, p. 4; and §4, p. 15-16.

[17] See PPG Direct Action (2013) at p. 1.

[18] Id.