CYBER MAVEN: When and How Should the US Launch “Offensive” Cyberattacks?

By Ross Rustici – Warrior Maven Columnist and Senior Contributor –

Rustici Previously Served as a Technical Lead, Intrusion Analyst and East Asia Cyber Lead at the Department of Defense

“War is too important to be left to the politicians. They have neither the time nor inclination for strategic thought.”[1]

The New York Times reported that the U.S. Government has delegated authority to “take a far more aggressive approach to defending the nation against cyberattacks.” This is a policy change that will likely lead to outcomes worse than the problem it is attempting to solve. Increasing the authority of any Commander to take offensive extraterritorial action outside defined conflict zones erodes civilian oversight of the military and increases the likelihood of miscalculation and actions working at cross purposes across the federal government.

Along with the elevation of the U.S. Cyber Command, a new policy has permitted “nearly daily raids on foreign networks, seeking to disable cyberweapons before they can be unleashed.”

This report, if accurate, fundamentally alters standing precedent of the Standing Rules of Engagement for the U.S. Armed Forces. Leveraging the delegated authority to Combatant Commanders of the Inherent Right of Self-Defense regarding attacks both on the unit under their command and the nation itself, it is possible to make an argument that disrupting offensive cyber capabilities of our adversaries is within the normal authorities.

However, given the ephemeral nature of the Internet, the burden of proof required to show emanate attack, and the perception of the military conducting covert operations, all serve to undermine any advantage the operations would give the United States.

Fundamentally, this new policy is moving offensive cyber operations from the clandestine world of covert operations to one that, by all rights should be executed with the cyber equivalent of a U.S. flag painted on the side of the weapon. Non-repudiation and non-attribution are things to be avoided if a traditional military unit is conducting the activity.