Up Front

Quick Thoughts on the U.S. Government’s Refusal to Use Cyberattacks in Libya

Jack L. Goldsmith

Eric Schmitt and Thom Shanker of the New York Times report that the Obama administration considered using offensive cyberweapons in the war in Libya, but in the end did not use them. Schmitt and Shanker give several reasons why the U.S. government declined to use the weapons, some of which make more sense to me than others.

A cyberattack would have implicated the War Powers Resolution (WPR). The story suggests that the government considered using cyberweapons to disable Libyan air-defense missiles and radars, but then switched to kinetic attacks to achieve the same ends because it worried that the cyberweapons would have amounted to “hostilities” that triggered the WPR. But if the kinetic and cyber attacks would have achieved the same effect on Libyan air defenses (which is what the story suggests), it is hard to see why the cyber attack and not the kinetic attack would have constituted “hostilities” under the WPR. Indeed, on the administration’s narrow theory of “hostilities” under the WPR, the likelihood of an attack being deemed “hostilities” rises with the likelihood that a U.S. soldier will receive hostile fire or injury. But as the story noted, the likelihood of risk to U.S. soldiers was higher with the kinetic than with the cyber attack, so it is not clear why a cyber attack would raise heightened concerns under the WPR. The description of the legal concerns is unclear in other respects as well. The story suggests that the government worried about whether a “purely cyber-based attack” would have implicated the WPR; this might suggest that the legal issue was presented at a time when the choice was between a cyber attack or no attack at all, and not as a choice between a cyber and a kinetic attack. The story also notes that government lawyers were “unable to resolve whether the president had the power to proceed with such [a cyber] attack without informing Congress.” But of course the administration did inform Congress about the kinetic attacks, so it is not clear what the concern is here. Perhaps the administration did not want to reveal publicly that it used cyberweapons, though of course the administration has, and could once again, file a classified annex to a WPR report. All in all, the discussion of the legal issues in the story is very unclear.

The attackmight set a precedent for other nations, in particular Russia or China, to carry out such offensives of their own.” This assumption appears to have motivated U.S. government officials. It is a prudent assumption, but it might have been misplaced. It is not obvious that our use of these weapons would have encouraged others (it is not like the Chinese or the Russians need encouragement in this context), or that our failure to use these weapons would have a constraining normative impact on these or other nations. Sure, if we use the cyberweapons here, Russia or China or other nations might invoke that fact as a justification or excuse when they use cyberweapons later; but this invocation might be (and indeed probably would be) pretextual, for they might have used the weapons in any event. Moreover, a Libyan cyber operation would not have been the event that shattered a taboo on the use of offensive cyber weapons. That was done already with Stuxnet, with Israel’s reported cyber take-down of Syrian air defenses during its attack on Dayr az-Zawr, with reported western uses of cyberweapons against al Qaeda websites, with U.S. hacks (reported by Schmitt and Shanker two months ago) of “the cellphones of terrorist leaders using computer code, to lure them into an ambush or spread the word that fellow cell members were embezzling money or plotting against their comrades,” and with Russia’s use of denial of service attacks in its conflict with Georgia—among other events. A concern related to the precedent-setting effect of using cyberweapons in Libya is the possible effect—not mentioned in the story—of accelerating an already vibrant arms race in offensive cyber weapons.

Cyberweapons “might not have been ready for use in time.”  This sounds plausible. As the story suggests, deploying cyberweapons in this context—while at the same time minimizing collateral network effects—often demands extraordinary knowledge of the systems to be attacked and their vulnerabilities. It sounds like the weapons were not ready to go in this context because of inadequate intelligence.

Use of the cyberweapons might have revealed our capabilities. “Some officials also expressed concern about revealing American technological capabilities to potential enemies for what seemed like a relatively minor security threat to the United States.” This too strikes me as very plausible, although it does make one wonder why U.S. government officials are talking about the capabilities of these weapons to the NYT. Which leads to a final word on secrecy. The story notes that “half-dozen officials interviewed for this article, spoke on the condition of anonymity or were not authorized to speak publicly about the classified cyberplanning” (emphasis added). Yet more corrosive manipulation of the secrecy system.