On April 2, 2021, the Congressional Study Group on Foreign Relations and National Security met on Zoom to discuss international and domestic legal regimes governing cyber activity and cyber warfare. With the recent SolarWinds and Microsoft Exchange hacks, cybersecurity issues are front and center in the minds of many decision makers. This session focused on the regulatory regime governing how the United States can engage in cyber activities, both offensive and defensive, with a focus on emerging US strategies, including “Defend Forward,” and the unique questions this activity poses for Congress in its oversight and legislative roles.
Two law professors, each a leading policy maker in the field, joined the session to offer their perspective on the topic: Robert Chesney of the University of Texas at Austin Law School and Kristen Eichensehr of the University of Virginia Law School.
Prior to the session, these outside experts and study group organizers recommended several background readings, including:
- Robert Chesney, “NDAA National Cyberspace Director: Rationale, Authority, and Persistent Questions,” Straight (December 7, 2020);
- Robert Chesney, “The National Legal Framework for US Military Cyber Operations”, Hoover Institution Aegis Paper Series No. 2003 (2020);
- Kristen Eichensehr, “The Attribution of Cyberattacks as Empowerment and Constraint”, Straight (January 15, 2021); and
- Kristen Eichensehr, “‘Strategic Silence’ and State-Sponsored Hacking: The US Government and SolarWinds,” Just Security (December 18, 2020).
Chesney opened the discussion with an overview of two of the “bad” lessons to be learned from the SolarWinds hack. First, he argued that SolarWinds did not represent the crossing of an indefinite “red line” that should be punished and deterred, much less that it represented an actual act of war. Rather, the attack is more analogous to traditional espionage, which the United States cannot successfully deter given the low-cost and high-reward nature of such operations. Second, he pushed back against the idea that SolarWinds suggests that US Cyber Command’s Defend Forward strategy is a failure. No cybersecurity strategy could prevent all threats. The US government should still focus its resources on cyber defense.
Chesney then discussed two of the “good” lessons. First, while lamenting the lack of integration among federal civilian agencies monitoring cyberattacks in general, he applauded the efforts of the Cybersecurity and Infrastructure Security Agency (“CISA”) to strengthen centralized coordination. He also endorsed the recent $650 million grant from Congress and authorization for CISA to hunt cyber threats within agency networks without their permission or knowledge. However, he noted that CISA needs more resources to do its job properly. Second, Chesney highlighted the need for greater government integration with civilian critical infrastructure, particularly with respect to accident reporting requirements. He again called for increased congressional funding and authority for CISA.
Eichensehr then considered how to understand the SolarWinds and Microsoft Exchange hacks as matters of international law. She described a hierarchy of violations of international law of decreasing gravity – armed attack, use of force and violations of the ban on intervention. Given the lack of casualties, use of coercion, or serious interference in the workings of government, none have occurred with the recent hacks. , And so would like to encompass these hacks. While traditionally countries, including the United States, have viewed sovereignty as a simple principle, a range of nations have moved to a position that serious cyber intrusions are violations of international law. If the attack violated international law, the United States can respond to the intrusions with countermeasures, not just public condemnation, indictments, and sanctions. But, on the other hand, the US risks being branded a hypocrite, given US cyber activity abroad.
Eichensehr went on to explain how the balancing of US defensive interests with the need for offensive flexibility fits into broader US efforts to set international standards regarding cyber intrusions. She underscored the importance of finding a line between legal and illegal activity and cited one possibility that Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technologies, laid out: when an intrusion is so important that it increases the potential for major disruption. Such a definition would likely cover the Microsoft Exchange hack, if not SolarWinds. The question of which official would be responsible for defining it remains unanswered.
Chesney stressed the importance of the United States beginning to take more formal positions in international forums. He also referred to the new legislative framework of national law governing cyber activity. A key question concerns the statutory authority of cyber actors to move into sectors beyond areas controlled by the military. Another concerns the long-standing executive view that boots on the ground are necessary for the legal definition of “war”; what happens when cyberwar makes this definition anachronistic? Chesney also noted how recent NDAAs have changed the specific obligations of US Cyber Command to report to Armed Services Committees following sensitive military cyber operations. These issues are linked to the question of sovereignty: if sovereignty is a rule, does that mean US Cyber Command cannot conduct operations that would cross that line?
Eichensehr concluded the first part of the session by reiterating the importance of defining clear legal positions on cyber warfare and urging Congress to enact new statutory requirements for the government to engage in attribution, that is, naming the perpetrators of cyber attacks. Ideally, the executive branch would be required to report at least annually to Congress on every foreign government attack on the US government.
The session ended with an open discussion and a series of questions and answers. In response, Chesney and Eichensehr discussed issues with private entities reporting cyber intrusions, including comparisons with other public-private partnership agreements in the European Union and China, issues with the new position of Cyber Director as well as the possibility of a new cyber office at the US State Department, the importance of resourcing CISA, and how to assess US cyber capabilities both qualitatively and quantitatively.