The U.S. Government May Have Just Made It Much Easier to Hack Back Against Russia

Then–Secretary of Defense Ash Carter delivers remarks to an audience of U.S. Cyber Command troops and National Security Agency employees in Fort Meade, Maryland, on March 13, 2015. Chip Somodevilla/Getty Images

“U.S. military hackers have been given the go-ahead to gain access to Russian cyber systems as part of potential retaliation for any meddling in America’s elections,” according to a Center for Public Integrity report. The article goes on to say that this authorized activity is in preparation for “an offensive cyber-attack that the United States would unleash if Russia electronically interferes with the 2018 midterm election on Nov. 6.”

This more aggressive action would be in line with the reported new approach under a classified presidential directive, National Security Presidential Memorandum 13, or NSPM-13, that accompanied the September National Cyber Strategy and its corresponding Department of Defense Cyber Strategy. The unclassified summary of the DOD strategy states that DOD will “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” This statement is consistent with comments by U.S. Cyber Command’s commanding general about the need for “persistent presence” on the web to ensure the safety of U.S. interests. “Defending forward” and “persistent presence” are euphemisms for taking actions on computer systems that DOD does not own, including systems outside the United States.

This policy triggers some interesting speculation as to how the United States views international law and cyber activities. It seems uncontested that international law prohibits one country from coercively intervening in the domestic affairs of another country. This prohibition of intervention has its roots in Article 2(7) of the United Nations Charter and has been well reflected in international courts and tribunals. In describing what actions might equate to a prohibited intervention, courts have talked in terms of coercive measures by one state in another state’s domaine réservé: those matters reserved in international law to the sole prerogative of states, such as the right to choose a political, economic, social, and cultural system, and to formulate and execute foreign policy. NATO’s Cooperative Cyber Defence Centre of Excellence recently gathered a group of international experts who produced the Tallinn Manual 2.0 on the international law of cyberspace. In the manual, the experts argue that “the matter most clearly within a State’s domaine réservé appears to be the choice of both the political system and its organization.”

If Russia intervened in the midterm elections such that their actions violated the domaine réservé of the United States, the U.S. government would not be prohibited from engaging in “countermeasures,” as that term is understood in international law. These responses could include otherwise unlawful cyber measures designed to bring Russia back into compliance with international law. Non-cyber countermeasures would also be appropriate as there is no requirement for the countermeasure to use the same medium as the initial violation. In all circumstances, countermeasures must be proportionate to the injury suffered and must not involve destruction that amounts to the use of force. It is unclear if NSPM-13 addresses the lawfulness of countermeasures, though it may indicate an increasing willingness to use them.

With respect to actions that do not intervene in the domaine réservé, the Center for Public Integrity article highlights at least two very interesting points concerning the U.S. posture. First, the article quotes unnamed government officials who clarify that a foreign government’s influence campaigns don’t trigger a “broader response” such as countermeasures. It is only “efforts to tamper with voting registration and recording votes” that rise to that level. I take this to mean that the current administration believes that Russia can engage in influence operations, but until it actually hacks into voting machines, it has not violated international law because it has not coercively intervened in the domaine réservé.

An alternate view might be that the administration views Russia’s actions as a violation of international law but chooses, as a matter of policy, neither to describe them as such nor to respond to them as such. This would be a dangerous approach as it sends the wrong message not only to Russia, but also to all the other countries who are looking at Russia’s actions and forming their own interpretations of the law based on the United States’ reactions.

Neither of these views, of course, means that Russian individuals have not violated U.S. domestic law. In fact, this year’s Justice Department indictments against Russians for interfering in the 2016 presidential campaign make clear that much of their 2016 influence campaign violated U.S. domestic law. But the international law point is important.

Following from the first point, the article also makes clear that NSPM-13 allows DOD to take actions on foreign computers that would ensure “the right access” in case it was needed. Whether nonconsensual actions by one state on computers in another state’s territory are prohibited by international law as a violation of sovereignty has been a hotly debated topic among academics and governments. That DOD is apparently allowed to establish “access” on other nations’ computers is significant: It appears that the Trump administration takes the view that persistent presence on foreign computers is not a violation of international law. Such actions would likely be considered unfriendly but not unlawful under international law, and would certainly fall short of a prohibited use of force, at least until harmful malware is activated.

In addition to the implicit assertions that can be drawn from the reported description of NSPM-13 concerning the current state of international law, the order also provides interesting insights on national security law and process. By revoking an Obama administration framework for cybersecurity known as PPD-20, NSPM-13 establishes a more streamlined and DOD-friendly method of approving cyber actions. According to the Center for Public Integrity article, the prior process required near-unanimous intra-governmental approval before a specific cyber action could be taken. The new process is less cumbersome: DOD and other government agencies can obtain prior approval of broad parameters, including some “left-and-right bounds,” and then take specific cyber actions without seeking additional approval as long as they remain within the pre-considered operation.

There is no doubt that, if true, this signals a significant change to U.S. cyber policy and is a clear indication that cyber actions have now entered the mainstream of national security tools. For years, the “newness” of cyber capabilities meant that the authority to approve their use remained at very high levels and was subject to extensive interagency dialogue before even simple tasks could be undertaken. This undoubtedly had the practical effect of limiting the number of cyber activities undertaken. Allowing DOD and other government agencies to function more autonomously within preapproved guidelines reflects a normalization of cyber capabilities that has been too long in coming. Perhaps the decades of cyber actions both by and against U.S. interests have now provided a sufficient “comfort level” that cyber operations can be viewed more like using tanks or aircraft to accomplish a military mission, rather than like using a nuclear weapon.

Many cyber-capable countries seem to be moving in a similar direction. Germany, for example, recently divulged that it has authorized “hack backs” in certain circumstances. The adoption and implementation of NSPM-13 and its application to the midterm elections appear to mark a significant change in U.S. policy, one that sends a message to adversaries about which cyber activities are acceptable and which are not.

More from Just Security:
