A formal, three-year legal and policy review of US cyberweapons that concluded last fall has effectively cleared their use alongside other weapons systems in the US arsenal, a stamp of approval that propels the fledgling US Cyber Command toward a fully operational role within the nation's military structure, cyberwar experts say.
Cyberweapons have been available to the US military since at least the first Gulf War against Iraq, but when, how, and under what conditions they could or should be deployed has been subject to vigorous debate among military and civilian policymakers.
Now it appears cyberweapons and cyberwarfare have nudged up alongside other legally approved military theaters and techniques, including space warfare and electronic war as well as the use of drones, sabotage, and special operations. In particular, cyberweapons were approved in the review for "preemptive" attacks if authorized by the president and if an imminent attack on the US warranted it, the New York Times reports.
While most details of the legal authorizations aren't known, the Times quoted anonymous sources as saying that the new policies "govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code – even if there is no declared war."
"The fact that DOD has moved to the point where it felt required to [conduct the policy review] is a step toward normalization and operationalization of cyberweapons," says Dan Kuehl, a professor of intelligence studies at Mercyhurst University and formerly at National Defense University. "If you've got a new bomb or a tank or a weapons system, there's a requirement to do a legal review of its usage – under the Law of Armed Conflict. With DOD having done that for cyber, it's a significant step toward normalization of cyber as a weapon we can actually use militarily."
Word that legal hurdles have been largely surmounted for cyberweapons comes amid a backdrop of daily reports of cyberespionage attacks on US businesses, government agencies, and the Pentagon – not to mention numerous recent statements of concern by the nation's military officials.
In a speech last fall, Secretary of Defense Leon Panetta warned of the potential for a "cyber 9/11" and urged tougher laws that would help protect US critical infrastructure like the power grid and water systems. Other current and former senior administration and Pentagon officials have echoed that concern – and say that the legal review is long past due.
"This legal review of cyberweapons has been far too slow, too lawyer-and-State Department-ridden," says Stewart Baker, a former assistant secretary at the Department of Homeland Securityand now a partner at Steptoe & Johnson, a Washington law firm. "What we've needed is a faster process that allows us to actually come up with a strategy for actually winning a cyberconflict. But this is clearly a step in the right direction. It's clear that cyberweapons are going to be used. If so, then we need to be better at using them than our adversaries."
Defending the nation from cyberattack was a priority reflected in the formal establishment of US Cyber Command in 2009. But whether cyberweapons truly fit into and complied with international legal norms and structures such as the International Law of Armed Conflict, which sets humanitarian norms during war – has been a question mark.
Debate over US cyberweapons policy for DOD was in full swing in early 2009. As in the past, when critical military policy questions were at stake, the Pentagon threw the problem over to the Defense Science Boardand the Defense Policy Board to analyze and develop a cyberwar-fighting policy structure, cyberexperts told the Monitor.
"If we have the capability of using something that will disrupt, degrade, or deny an enemy at less than lethal force, we have an ethical conundrum," says Sam Liles, a professor of cyberforensics at Purdue University. "Should we use this – if cyber gives us that capability? Perhaps we're morally and ethically required to use it. On the other hand, if that weapon can be turned around and used against us, perhaps we shouldn't use it. That's what the policy discussion has been about."
Such a policy debate was made more urgent by the furor surrounding Stuxnet, the world's first publicly known cyberweapon, which was utilized by the US to sabotage Iran's nuclear fuel-refining facilities. It also accelerated debate about the wisdom of releasing such weapons, especially since they can be reverse-engineered and used against the US.
By last fall, the process had reached a series of conclusions after a lengthy internal debate. The result: DOD had a first cut, an organized structure that includes rules for engagement and a decisionmaking process for using cyberweapons, says James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington.