Rules For Cyberwarfare Still Unclear, Even As U.S. Engages In It

Apr 20, 2016
Originally published on April 22, 2016 7:31 pm

When Defense Secretary Ashton Carter landed in Iraq for a surprise visit this week, he came armed with this news: More than 200 additional U.S. troops are headed to that country. They'll join the fight to retake the Iraqi city of Mosul from the Islamic State.

As that battle unfolds on the ground, a parallel war against ISIS is unfolding in cyberspace.

U.S. officials have confirmed to NPR that over the past year, the cyber campaign has taken off. They describe an escalation in operations, from using cybertools to geolocate a particular ISIS leader to hacking into and then conducting surveillance on a particular computer.

The activity occurs even as the rules for cyberwarfare remain a work in progress. Among the outstanding questions: Who's in charge when the U.S. wages cyberwar?

"The chain of command is clear on paper," says Susan Hennessey, who served as a lawyer at the National Security Agency until November 2015. "It's much more difficult to understand in practice."

Hennessey, now a national security fellow at the Brookings Institution, describes an "invisible war of lawyers" within senior government ranks. She says their debates range from questions over who has authority to approve a proposed operation to the distinction between a cyber operation and electronic warfare, such as jamming enemy radar.

"You'd see Defense Department attorneys, you'd see attorneys on the National Security Council staff, you might see attorneys on the State Department staff or other parts of executive agencies saying, 'Wait a minute! I don't think that is electronic warfare,' " she says. "So you're going to see a lot of individuals really all working to define this space."

Asked whether the U.S. is still figuring out the rules for cyberwarfare, even as it engages in it, Hennessey replies, "I think that's certainly true."

An alternative view comes from Michael Sulmeyer, who until last year served as director of plans and operations for cyber policy at the Defense Department. He believes the cyber chain of command is fairly straightforward.

But he says other key questions are in play, such as how to weigh the risk of collateral damage. For example, do you target a cellular network that ISIS leaders are using to communicate, if doctors at a local hospital are using it, too? Sulmeyer says it's also worth considering whether established military standards for self-defense apply in the cyber arena.

"If you're a tactical unit, deployed out front and forward, what happens if you start taking incoming fire?" he asks. "When can you fire back? How that plays out in cyberspace is something that I don't think has been very publicly discussed."

Sulmeyer is now the Belfer Center's Cyber Security Project director at Harvard's John F. Kennedy School of Government. From his perch there, he is studying and writing about what cyber rules of engagement should look like in the future.

Sulmeyer notes that the Pentagon now officially recognizes cyberspace as the fifth domain of warfare, after land, sea, air and space. That — combined with the urgency of the campaign against ISIS — is prompting military planners to think creatively, he says, about both how to govern and how to weaponize the cyber battlefield.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

KELLY MCEVERS, HOST:

From the Pentagon this week came word that more than 200 additional U.S. troops are headed to Iraq. They'll join the upcoming fight to take back the city of Mosul from the Islamic State. And as that battle unfolds on the ground, a parallel war against ISIS is unfolding online. NPR's Mary Louise Kelly reports the U.S. is stepping up cyber attacks against ISIS even as the rules for cyber warfare are still being written.

MARY LOUISE KELLY, BYLINE: Let's start with one day last spring. Ash Carter had driven out to the headquarters of U.S. Cyber Command. It was his first troop event in the U.S. as the new secretary of defense. Wearing a dark suit, red tie, American flag pin on his lapel, Carter faced a sea of men and women in uniform and admitted it's a challenge figuring out where their cyber skill sets fit in the traditional armed services.

(SOUNDBITE OF ARCHIVED RECORDING)

ASH CARTER: They are trying to figure out how to welcome this new breed of warrior to their ranks. What's the right way to do that? How do you fit in?

KELLY: This new breed of warrior, Carter went on, will be expected to fight just as hard as their colleagues on the conventional battlefield.

(SOUNDBITE OF ARCHIVED RECORDING)

CARTER: We regard you as on the front lines in the same way that last week I was in Afghanistan, and we have people on the front lines there.

KELLY: In the 13 months since Carter gave that speech, the cyber campaign against ISIS has taken off. U.S. officials describe to us an escalation in activities, from using cyber to geo-locate a particular ISIS leader to hacking into and then surveilling a particular computer. That is despite big, outstanding questions about how cyber operations should work, including who's in charge.

SUSAN HENNESSEY: The chain of command is clear on paper. It's much more difficult to understand in practice.

KELLY: That's Susan Hennessey, who, until a few months ago, was a lawyer at the Nation Security Agency. She describes, quote, "an invisible war of lawyers arguing over what counts as a cyber operation." And when does it become electronic warfare like jamming an enemy radar?

HENNESSEY: So you'd see defense department attorneys. You'd see attorneys on the National Security Council staff. You might see attorneys on the State Department staff or other parts of executive agencies saying, wait a minute; I don't think that is electronic warfare. And so you're going to see a lot of individuals really all working to define this space and understanding who's in charge based on a given activity.

KELLY: Is it fair to say that we're still figuring out the rules for cyber warfare even as the U.S. engages in it?

HENNESSEY: I think that's certainly true.

KELLY: Here's an alternate view. Michael Sulmeyer served until last year as director of plans and operations for cyber policy at the Pentagon. He believes the cyber chain of command is fairly straightforward, but he says other key questions are in play, such as how to weigh the risk of collateral damage. For example, do you target a cellular network that ISIS leaders are using to communicate if doctors at a local hospital are using it, too? And Sulmeyer says, consider this. Do established military standards for self-defense supply?

MICHAEL SULMEYER: If you're a tactical unit deployed out front and forward, what happens if you start taking incoming fire? When can you fire back? How that plays out in cyberspace is something that I don't think has been very publicly discussed.

KELLY: Sulmeyer, now at Harvard's Belfer Center, is in the midst of writing about what cyber rules of engagement should look like in the future. The Pentagon now officially recognizes cyberspace as the fifth domain of warfare after land, sea, air and space. Sulmeyer says that along with the urgency of the campaign against ISIS is prompting military planners to think creatively both about how to govern and how to weaponize the cyber battlefield. Mary Louise Kelly, NPR News, Washington. Transcript provided by NPR, Copyright NPR.