On the Offensive: Implications of Trump’s New Cyber Strategy
This article was originally published on the Brown Political Review website, October 9, 2018
Vice President Mike Pence created much ado in August when he revealed “Space Force,” — a proposed sixth branch of the US military. Discretely and nearly simultaneously, however, President Trump began to unravel an Obama-era policy, making it easier for the military to launch cyberattacks. Under Obama’s Presidential Policy Directive 20 (PPD-20), interagency approval was required before cyberweapons could be deployed. U.S. Cyber Command is now relatively free to launch and respond to cyberattacks, without oversight from the State Department, Commerce Department, or intelligence agencies.
Because cyberwarfare is not governed by traditional laws of war and is not regulated under any comprehensive international substructure, the administration’s move toward a more offensively-positioned Cyber Command raises fears of escalation, especially because it is unclear what rules, if any, are replacing PPD-20. The lack of both national accountability mechanisms and a digital equivalent of the Geneva Conventions is becoming increasingly ominous, as the United States continues to face attacks by foreign governments, terrorists, and hackers.
Cyber Command was established in 2008 as a sub-unified command under the US Military. Under President Obama’s Presidential Policy Directive on US Cyber Incident Coordination, Cyber Command was dependent on other federal agencies. PPD-20 clarified and codified the government’s response to cyberattacks, created mechanisms for a coordinated federal response to significant incidents, and outlined a three-tiered reactionary framework. PPD-20 required that Cyber Command receive several levels of inter-agency approval before launching an offensive attack.
The integrated approval process required to launch offensive cyber actions is epitomized by the 2010 launch of Stuxnet, an American-Israeli virus that infected Iran’s nuclear facilities in Nataz. Stuxnet was personally authorized by the US President. Prior to its launch, there was a multi-tiered approval process that more closely resembled the procedure of nuclear weapon authorization than traditional offensive maneuvers.
In 2017, however, at the recommendation of James Mattis, the Secretary of Defense, Trump elevated Cyber Command to a Unified Combatant Command. This move, innocent as it might seem, allows the Command to operate under a broad, continuous mission. Broadly, Cyber Command is tasked with executing plans and operations related to cyberspace, a fluid and increasingly contested arena — now with increasing independence.
Trump’s latest move granting Cyber Command relative autonomy is particularly alarming given Cyber Command’s April 2018 report, which solidified their intent to “expand the military options available to national leaders and operational commanders.”
Along with Trump’s August repeal of PPD-20, it isn’t difficult to imagine a more offensively-minded military: a scary prospect given the lack of national accountability and international law to govern cyberwarfare.
There is not currently international legislation governing cyber action. In June 2017, after 13 years of negotiating, UN cyberwarfare talks fell apart. One of the main issues that came to light during this attempt to establish cyber law was at what point a cyberattack becomes significant enough to warrant a response. Because cyberwarfare is inherently clandestine, and seemingly independent hackers may be acting on behalf of their governments, it is difficult to determine who is responsible for attacks, and therefore difficult to leverage appropriate responses. Countries opposed to implementing Article 51 of the UN Charter — the right to self-defense against attacks — to cyberspace, such as China, Russia, and Cuba, argue that the application of self-defense would militarize and provide justification for cyberattacks. The United States and other European countries, by contrast, want to incorporate existing international laws, including the right to self-defense, into cyber-governance — in order to justify responses to hostile cyber action.
The lack of a global framework governing cyberspace allows actors to act with relative impunity. Given the lack of regulation in cyberspace, some argue that it is imperative that US Cyber Command is able to take action to protect US security interests. Russia and China, compared to the US, are operating under completely different standards of accountability and transparency. The 2017 World Press Freedom Index ranked the US at number 4, while Russia and China were 148 and 176, respectively. These adversaries are relatively unencumbered by bureaucratic regulation and public perception, given the lack of transparency surrounding their offensive cyber action.
Proponents of increasing Cyber Command’s capacities argue that by removing some of the bureaucratic red tape required to launch cyberattacks, Cyber Command will be better positioned to protect US national security interests against international adversaries. PPD-20, however, did not regulate defensive cyber-action, only cyberattacks. The repeal of this policy directive therefore suggests that Cyber Command is moving into a more offensive position.
While proponents of the increased military power argue that the repeal of PPD-20 will allow for speedier operations, the lack of federal government coordination poses many risks. Because Cyber Command now has the power to launch attacks independently from other US agencies, prospective cyberattacks could interfere with other agencies’ operations.
An ongoing issue with the United States’ cyberspace operations is its lack of coordination. The Department of Homeland Security, the Department of Justice, and the Department of Defense, in addition to each branch of the military, have independent cyber units. Each department has a unique framework with which to respond and counter cyberattacks. Cyber Command’s recently acquired autonomy increases the likelihood that disjointed actions will interfere with each other and potentially harm ongoing operations.
President Trump’s unpredictable, rash, and inflammatory tendencies have put the world on edge throughout his term, especially as he seeks to expand military power. With his careless rhetoric and his shocking behavior dominating news cycles, subtle changes to US policy go unnoticed and under reported. Trump’s quiet repeal of Obama’s PPD-20 reveals his tendency toward a more offensively positioned Cyber Command, one that is unfettered by either federal or international regulation. Cyber Command’s actions ought to be subject to inter-agency approval and coordination, in order to protect US operations and prevent the development of irreversible norms that violate state sovereignty and incite retaliatory action by other governments.