Legal Regimes Governing Cyberactivity and Cyberwarfare

Session 12 of the Congressional Study Group

Editor's note:

The following is a summary of the 12th session of the Congressional Study Group on Foreign Relations and National Security, a program for congressional staff focused on critically engaging the legal and policy factors that define the role that Congress plays in various aspects of U.S. foreign relations and national security policy.

On April 2, 2021, the Congressional Study Group on Foreign Relations and National Security convened over Zoom to discuss international and domestic legal regimes governing cyberactivity and cyberwarfare. With the recent SolarWinds and Microsoft Exchange hacks, questions of cybersecurity are on the front pages and foremost in many policymakers’ minds. This session focused on the regulatory regime governing how the United States can engage in cyber activity, both offensive and defensive—with a focus on emerging U.S. strategies, including “Defend Forward”—and the unique questions this activity presents to Congress in its oversight and legislative roles.

Two law professors—each a leading policy maker in the field—joined the session to provide their perspectives on the subject: Robert Chesney of the University of Texas at Austin School of Law and Kristen Eichensehr of the University of Virginia School of Law.

Prior to the session, these outside experts and the study group organizers recommended several pieces of background reading, including:

Chesney opened the discussion with an overview of two of the “wrong” lessons to take away from the SolarWinds hack. First, he argued that SolarWinds did not represent the crossing of an undefined “redline” which must be punished and deterred—still less that it represented an actual act of war. Rather, the attack is more analogous to traditional espionage, which the US cannot successfully deter given the low-cost, high-reward nature of such operations. Second, he pushed back on the notion that SolarWinds suggests U.S. Cyber Command’s Defend Forward strategy is a failure. No cybersecurity strategy could possibly prevent all threats. The U.S. government should still concentrate its resources on cyber-defense.

Chesney then discussed two of the “right” lessons. First, although lamenting the lack of integration within federal civilian agencies monitoring cyberattacks overall, he applauded the Cybersecurity and Infrastructure Security Agency (“CISA”)’s efforts to boost centralized coordination. He also endorsed Congress’s recent grant of $650 million and authority for CISA to hunt for cyberthreats within agency networks without their permission or knowledge. However, he noted that CISA needs more resources to do its job properly. Second, Chesney highlighted the need for greater government integration with civilian critical infrastructure—in particular around accident reporting requirements. He again urged greater congressional funding and authority for CISA.

Eichensehr then reviewed how to understand the SolarWinds and Microsoft Exchange hacks as matters of international law. She described a hierarchy of international law violations of descending seriousness—armed attack, use of force, and violations of the prohibition on intervention. Given the lack of casualties, use of coercion, or serious interference in government functioning, none occurred with the recent hacks. There is an emerging debate, though, over whether a fourth tier exists, one which would prohibit violations of sovereignty as an international law rule, and thus would encompass these hacks. While traditionally countries, including the United States, have viewed sovereignty as a mere principle, a series of nations have moved toward a position that serious cyber intrusions are international law violations. If the attack violated international law, the U.S. can respond to the intrusions with counter-measures, not solely public condemnation, indictments, and sanctions. But, on the other hand, the U.S. risks being labeled hypocritical, given American cyber activity abroad.

Eichensehr then discussed how weighing U.S. defensive interests against the need for offensive flexibility fits into larger U.S. efforts to define international norms around cyber intrusions. She stressed the importance of finding a line between legal and illegal activity and cited one possibility enunciated by Anne Neuberger—Biden’s Deputy National Security Advisor for Cyber and Emerging Technology—under which an intrusion crosses the line when it is so substantial as to increase the potential for major disruption. Such a definition would likely implicate the Microsoft Exchange hack, if not SolarWinds. The question of which official would be in charge of defining that line remains unanswered.

Chesney emphasized the importance of the United States starting to take more formal positions in international fora. He also discussed the emerging domestic law statutory framework governing cyber activity. One key question concerns the statutory authority for cyber actors to move into sectors beyond military-controlled domains. Another concerns the executive branch’s long-held view that boots-on-the-ground is required for the legal definition of “war”; what happens as cyberwarfare renders this definition anachronistic? Chesney also noted how recent NDAAs have shifted the precise obligations for U.S. Cyber Command to report to the Armed Services Committees following Sensitive Military Cyber Operations. These issues are connected with the sovereignty question: If sovereignty is a rule, does that mean that U.S. Cyber Command cannot conduct operations that would cross that line?

Eichensehr concluded the first part of the session by reiterating the importance of defining clear legal positions on cyberwarfare and by urging Congress to enact new statutory requirements for the government to engage in attribution—naming the perpetrators of cyberattacks. Ideally, the executive branch would be required to at least report to Congress annually on every foreign government attack on the U.S. government.

The session concluded with open discussion and a series of questions and answers. Responding, Chesney and Eichensehr discussed issues around private-entity reporting for cyber intrusions, including comparisons with other public-private partnership arrangements in the European Union and China, issues around the new Cyber Director position as well as the possibility of a new cyber bureau at the U.S. Department of State, the importance of resourcing CISA, and how to judge U.S. cyber capabilities both qualitatively and quantitatively.

Visit the Congressional Study Group on Foreign Relations and National Security landing page to access notes and information on other sessions.