AMERICAN.COM

The press (and the White House) has been obsessed by the detention provision in the recently agreed upon FY2012 Defense Authorization bill, but one of the items that slipped under the radar is language authorizing the American military to engage in offensive operations in cyberspace. Under Sec. 954,

Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, allies and interests.

The act—which still requires the signature of the president to become law—then stipulates that the use of this capability is conditioned on compliance with:

(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and (2) the War Powers Resolution.

In the accompanying conference report, the members state that the authorizing language is needed because:

in certain instances, the most effective way to deal with threats and protect U.S. and coalition forces is to undertake offensive military cyber activities, including where the role of the United States Government is not apparent or to be acknowledged.

And, because of a “lack of clarity as to what constitutes traditional military activities in relation to cyber operations,” members argue there is the additional need to bound cyber warfare’s use to existing guidelines governing the traditional use of kinetic force.

But why is Congress now “affirming” that the president and the military have the authority to engage in these activities? Did the president and/or the Pentagon need to be told—or reassured—that it was okay to take actions to defend the country in response to some cyber threat? Or, is the worry that the president and the Pentagon are planning to do so and Congress wants to ensure that this new warfare capability is conducted under existing guidelines for conventional warfare and the legal stipulations of the War Powers act? But, if the latter, what does it mean in practice for cyber warfare to be covered by a law that was intended to govern real men and women being put in real harm’s way? Or, more broadly, how are cyber warfare’s unique capabilities to be governed by policies governing conventional military weapons and operations? For example, current guidelines and international law put a very high bar against attacking strictly civilian targets in a conflict. But one could imagine that, for deterrent purposes, a counteroffensive cyber capability targeting a strictly civilian but commercially important computer system of another country would be far more preferable than going after an enemy’s military command and control network if we were not actually engaged yet in a conventional military conflict.

Suffice it to say that the Act’s language, while attempting to give greater clarity to what the military may or may not do in the area of cyber warfare, seems to  raise as many questions at it attempts to address. But given the nascent state of debate over cyber warfare today, that’s not all to be bad.