There’s a place for covert action, when we need to keep adversaries guessing about our capacities or our plans. There are even times when a president may feel justified in disregarding legal limitations or accepted international standards, as many presidents have done in special circumstances. At such times, it may seem proper to cover American actions beneath a cloak of secrecy—or at least a veil of deniability—so we don’t affirm an exceptional action as a formal precedent, apt to be invoked against us by others. There are always risks in such dodgy practices, and reasonable people may have reasonable disagreements about when and where they apply.
What a president really shouldn’t do is leak details of a secret operation that seems unlawful—if judged by standards that have been previously embraced in public by American officials—and then say nothing more. But officials in the Obama White House leaked a great deal of detail about a secret plan to disable the Iranian nuclear program through targeted cyber attacks. The White House did not deny the account published in the New York Times on June 1. It did not even say that the leaks were unauthorized and that there would be an investigation to punish the officials involved. It said nothing to explain or clarify the policy revealed in this way.
The White House seems to have regarded the story about the cyber program as a mere follow-on to previous reports in the same newspaper about the president’s immersion in decisions on proper targeting for drone strikes. But the cyber story is in a quite different category. It says much about the administration’s indifference to actual security policy that it has let all these policies be folded into the edifying narrative of the president’s personal focus on facing down our enemies.
One obvious difference is that there has never been any doubt that the United States was launching drone attacks on terrorists in Pakistan and Yemen. And because the policy was openly avowed, it has been subject to a fair amount of public debate. Questions about the legality of drone strikes have been raised by many critics, including legal analyst Philip Alston, former United Nations special rapporteur on extrajudicial executions.
But representatives of the administration, including State Department legal adviser Harold Koh, have defended the drone policy as proper under international law. They have characterized the drone strikes as acts of self-defense against ongoing terrorist plots, which carefully target actual jihadist combatants while seeking to minimize harm to civilians. Koh and others also claim the drone strikes are proper under U.S. law, in accord with Congress’s authorization after 9/11 to deploy force against the terror networks responsible for such attacks. There is controversy about whether these legal analyses are fully compelling. They do at least mark some legal lines to indicate when, where, and how the United States thinks it is justified to launch drone strikes.
We don’t know what the Obama administration thinks it can or can’t do in launching cyber attacks. And the questions aren’t mere brain teasers for legal scholars. In May 2011, the White House issued a formal paper on U.S. cyber strategy, which acknowledged—almost in passing—that the United States reserved the right to use “military force” to stop severe cyber attacks on American computer networks. Whether “military force” included cyber attacks—even in retaliation for such attacks—was left entirely unclear.
A few months later, Stewart Baker, former assistant secretary for policy in the Department of Homeland Security, warned that government lawyers have been “tying themselves in knots of legalese . . . to prevent the Pentagon from launching cyber attacks,” so the Defense Department has “adopted a cyberwar strategy that simply omitted any plan for conducting offensive operations.” Last fall, the Republican majority in the House of Representatives added a provision to the 2012 Defense Authorization bill stipulating that the Defense Department did have authority to conduct “offensive operations in cyberspace”—a provision the Obama administration had not sought. The Senate agreed only after inserting a qualifying proviso that such “operations” must be “subject to the policy principles and legal regimes” applicable to other activities of the Defense Department, “including the law of armed conflict.”