There’s a place for covert action, when we need to keep adversaries guessing about our capacities or our plans. There are even times when a president may feel justified in disregarding legal limitations or accepted international standards, as many presidents have done in special circumstances. At such times, it may seem proper to cover American actions beneath a cloak of secrecy—or at least a veil of deniability—so we don’t affirm an exceptional action as a formal precedent, apt to be invoked against us by others. There are always risks in such dodgy practices, and reasonable people may have reasonable disagreements about when and where they apply.
What a president really shouldn’t do is leak details of a secret operation that seems unlawful—if judged by standards that have been previously embraced in public by American officials—and then say nothing more. But officials in the Obama White House leaked a great deal of detail about a secret plan to disable the Iranian nuclear program through targeted cyber attacks. The White House did not deny the account published in the New York Times on June 1. It did not even say that the leaks were unauthorized and that there would be an investigation to punish the officials involved. It said nothing to explain or clarify the policy revealed in this way.
The White House seems to have regarded the story about the cyber program as a mere follow-on to previous reports in the same newspaper about the president’s immersion in decisions on proper targeting for drone strikes. But the cyber story is in a quite different category. It says much about the administration’s indifference to actual security policy that it has let all these policies be folded into the edifying narrative of the president’s personal focus on facing down our enemies.
One obvious difference is that there has never been any doubt that the United States was launching drone attacks on terrorists in Pakistan and Yemen. And because the policy was openly avowed, it has been subject to a fair amount of public debate. Questions about the legality of drone strikes have been raised by many critics, including legal analyst Philip Alston, former United Nations special rapporteur on extrajudicial executions.
But representatives of the administration, including State Department legal adviser Harold Koh, have defended the drone policy as proper under international law. They have characterized the drone strikes as acts of self-defense against ongoing terrorist plots, which carefully target actual jihadist combatants while seeking to minimize harm to civilians. Koh and others also claim the drone strikes are proper under U.S. law, in accord with Congress’s authorization after 9/11 to deploy force against the terror networks responsible for such attacks. There is controversy about whether these legal analyses are fully compelling. They do at least mark some legal lines to indicate when, where, and how the United States thinks it is justified to launch drone strikes.
We don’t know what the Obama administration thinks it can or can’t do in launching cyber attacks. And the questions aren’t mere brain teasers for legal scholars. In May 2011, the White House issued a formal paper on U.S. cyber strategy, which acknowledged—almost in passing—that the United States reserved the right to use “military force” to stop severe cyber attacks on American computer networks. Whether “military force” included cyber attacks—even in retaliation for such attacks—was left entirely unclear.
A few months later, Stewart Baker, former assistant secretary for policy in the Department of Homeland Security, warned that government lawyers have been “tying themselves in knots of legalese . . . to prevent the Pentagon from launching cyber attacks,” so the Defense Department has “adopted a cyberwar strategy that simply omitted any plan for conducting offensive operations.” Last fall, the Republican majority in the House of Representatives added a provision to the 2012 Defense Authorization bill stipulating that the Defense Department did have authority to conduct “offensive operations in cyberspace”—a provision the Obama administration had not sought. The Senate agreed only after inserting a qualifying proviso that such “operations” must be “subject to the policy principles and legal regimes” applicable to other activities of the Defense Department, “including the law of armed conflict.”
We don’t know whether the Obama administration regards this proviso as applicable to its cyber attacks on the Iranian nuclear program. Perhaps it thinks the restriction does not cover the National Security Agency because it is arguably distinct from the Defense Department, though it has all sorts of very close operational ties to the Pentagon. Perhaps it thinks such restrictions can’t bind the commander in chief when he decides that national security requires him to disregard “the law of armed conflict”—though that is not a position articulated by Obama officials in public.
If the administration does accept the notion that “the law of armed conflict” applies to its cyber attacks on Iranian nuclear facilities, however, a lot of new questions arise. Most analysts assume that “the law of armed conflict” includes the jus ad bellum—the law governing resort to force. And most analysts view that law as governed by the U.N. Charter, limiting resort to force to actions authorized by the Security Council or in self-defense “if an armed attack occurs.” Do these categories apply here?
The Security Council has passed several resolutions imposing sanctions on Iran for failing to cooperate with international inspections (required under the Nuclear Non-Proliferation Treaty). Does the Obama administration think those resolutions justify resort to armed force to stop the Iranian nuclear program? Most analysts acknowledge that “self-defense” may justify a preemptive action when an “armed attack” is imminent. Does the Obama administration think the Iranian nuclear program is so inherently threatening that an attack on the program is justified as a preemptive measure, to forestall an impending Iranian nuclear strike?
These are questions the Obama administration might prefer not to answer for various reasons, some better than others. But it’s one thing to maintain a posture of ambiguity about measures not yet taken. It is something else entirely to acknowledge cyber attacks and refuse to say what they mean or why they were (in the American view) justified. Silence invites the view that the administration regards cyber attacks as quite different from “armed attack.” That might be a defensible view, even if Congress seems to have said otherwise. But that view has its own complications. The silence of the administration invites all sorts of awkward inferences—not least by other governments assessing their own options for cyber attacks.
One thing the New York Times report made clear was that President Obama was very concerned to avoid collateral damage to civilian objects when he approved cyber attacks on the Iranian nuclear program. That might comport with the president’s personal idea of what is required by jus in bello—that part of the law of armed conflict dealing with permissible tactics. But the Iranians claim that their entire nuclear program is dedicated to civilian purposes and is not, therefore, a military target. How does Obama think lines should be drawn between permissible and unlawful targets?
The reason this may matter a lot—and sooner than the White House seems to think—is that Iran has been developing its own capacity to launch cyber attacks. Suppose Iran retaliates by hitting nonmilitary targets in the United States. Do we say they can’t disable an electric power plant because it’s “civilian”—even if it also supplies power to a nearby military base or a defense contractor? Are we prepared to retaliate with force—actual bombing, with inevitable civilian casualties—for a cyber attack that imposes much economic dislocation here but does not actually cause direct loss of life?
It may be more prudent to retaliate for an Iranian cyber attack with a reprisal in kind by, for example, shutting down the Iranian power grid for a time, imposing considerable pain on civilian infrastructure but not causing direct loss of life. It might actually be more dangerous to launch cyber attacks on Iranian military infrastructure, threatening loss of command and control functions and emboldening some isolated Revolutionary Guards commander to think he should launch missiles before he loses even that degree of operational control. The administration has no public doctrine about what it thinks it can or can’t do in a crisis provoked by cyber attacks.
One risk from this policy void is that the Iranians will be emboldened to take more aggressive action, interpreting our silence as indecision or policy paralysis. It is hard to deter when you don’t make serious threats. The Iranians or their friends elsewhere may be further emboldened because, unlike cruise missile strikes or conventional bombing, a cyber attack may be hard to identify and trace to its source. Other governments might demand that we withhold retaliation until we had demonstrated the ground on which we attributed particular cyber attacks to the Iranian government. We might not want to share such intelligence or expose it to outside scrutiny. Enemies might count on ensuing hesitations, since we have not made clear how or when or on what grounds we would feel entitled to act.
Another risk is that, if U.S. policy seems reckless or impulsive, otherwise-friendly allies may lose confidence in U.S. policy and be less likely to cooperate in the future. The Stuxnet virus, supposed to be precisely targeted on the Iranian nuclear program, did cause collateral damage, requiring companies in Europe and elsewhere to invest in remedial measures. The Flame virus was insinuated into Iranian nuclear sites with a forged certificate identifying it as a Microsoft product. This damages the credibility of Microsoft and other firms that depend on users trusting their certification. If the U.S. government cannot reassure potential partners in its cyber intrigues, it may find it harder to recruit assistance in the future, even from American computer firms.
There was one other thing the leakers in the Obama White House wanted New York Times readers to know: Bush started it—with an earlier program to disable uranium enrichment operations in Iran. Obama officials might consider that the Bush administration, by neglecting to get full congressional approval for many aspects of its anti-terror program, made it easier for critics to pounce when things turned sour later. One consequence was that critics then mobilized political opposition, resulting in new restraints the White House did not favor.
If the Obama team is going to boast about the president’s cyber prowess, it really should try to do more to warn our enemies and reassure our friends—and perhaps inform Congress—what rules it thinks will apply to this new weapon. There are serious and still quite contentious policy issues in the emerging field of cyber strategy. A president preoccupied with personal preening makes it much harder to mobilize support for reasonable policies.
Jeremy Rabkin is professor of law at George Mason University. Ariel Rabkin is a postdoctoral researcher in computer science at Princeton University. They are the authors of an article on cyber threats and the law of armed conflict in the Hoover Institution’s series on “emerging threats.”