Retailiating in Cyberspace
By Jeremy Rabkin
Friday, May 10th, 2013 @ 11:43AM
* Jeremy Rabkin, Professor at George Mason University School of Law. These are his transcribed remarks from ACD/EWI’s briefing, “CyberThreats & The Economy”, April, 9, 2013
Attorney General Mukasey said at the beginning of the panel that the Obama Administration is basically down to threatening retaliation. That the Obama Administration is threatening retaliation is our only response. I have to say “if only.” [laughter]
And then just now, Steve Chabinsky said, “Forget about retaliation. Forget about retribution.” Wait, no. Those are good. I don’t want to forget about them. I don’t mean to disagree with proposals from anyone on the panel. But I do want to broaden the range of options on the table.
Two years ago the then vice chairman of the Joint Chiefs of Staff, General Cartwright, was testifying before Congress on this issue, he said, “Well, if it’s OK to attack me and I’m not going to do anything other than improve my defenses every time you do attack, it’s very difficult to come up with a deterrent strategy.” Right.
So then after that, people made a fuss. I think probably Congressman Rogers was one of them. In the 2012 Defense Authorization Act, the House put in this line: “Congress affirms that the Department of Defense has the capability and upon direction by the President, may conduct offensive operations in cyberspace to defend our nation, allies and interests.” That was really good.
And then the Senate said, “Wait. No, we can’t just say that. We’ve got to add, ‘Subject to the legal regimes the Defense Department follows for kinetic capabilities, including the law of armed conflict.'” So now we’re having this debate about the law of armed conflict. What does it allow?
Most of the time when people say “the law of armed conflict” they are thinking, “Oh, the Geneva Conventions. Oh, what the Red Cross says.” Pretty much the Red Cross view of the law of armed conflict is this: it’s how Switzerland would have fought the Second World War–if it had actually been fighting.
Or they mean that utopian fantasy from the aftermath of the Vietnam War, Additional Protocol I to the Geneva Conventions. That basically codifies the restraints that the Third World wanted to impose on the armed forces of the West: if you must fight, don’t hurt anyone. That gave us what’s now seen as the most fundamental principle in the law of armed conflict –I’m not making this up–the “principle of distinction,” which is when you do engage in armed conflict, you must only target “military objectives.” You must do nothing to hurt civilians or “civilian objects,” otherwise known as “stuff.”
I won’t give a long presentation on the history of war. Let me just remind you that the history is different from this theory. Actually, unlike Switzerland, we in the United States were fighting in the Second World War as also the First World War. And we didn’t actually fight those wars by Red Cross rules. It’s in the First World War that we launched this phrase, “economic warfare.” The Allies implemented that by trying to stop anything from going in or out of German ports or neutral ports where, if cargoes were landed, things could by shipped by land to Germany. We did not think, “Well, this blockade will only hurt the German military.” We very well understood the blockade was squeezing the German economy. We knew it would affect German civilians. We did that deliberately.
The term “economic warfare” arose in the First World War, because that sort of comprehensive blockade was more ambitious than blockades in previous wars. But striking at the enemy’s trade was not a new idea. In fact, you see the earlier idea in the United States Constitution. It’s totally forgotten now. It ought to be remembered.
There’s a provision in Article I, Section 8: Congress has the power to declare war, but then it also mentions “and to grant letters of marque and reprisal.” They list that as something separate. You don’t need to be at war. You can grant letters of marque and reprisal separate from a declaration of war. Why letters of marque and reprisal? Because the Framers already had experience with this tactic.
It really hurts your enemies if you hit their commerce. And if you don’t have the wherewithal to actually fight his army or even his navy, you just authorize private ship owners to go out and attack the commerce of your enemy.
Who were the private ship owners they authorized to do this? Well, some of them were people just engaged in commerce with their own ships, who could mount guns on these merchant ships and turn them to attacking enemy merchant ships. Others had more immediate experience. They had previously been pirates. But the point is we gave them a license and said, “Go to it, attack the enemy’s ocean commerce and you will hurt them.” The reason why the Framers had this very tactic in mind when they drafted the Constitution is that the colonists had embraced this tactic during the American Revolution.
We didn’t have a navy. We still wanted to hit back at Britain. John Paul Jones, hero of the navy, was basically raiding British commerce. He was mostly not fighting British warships. He was mostly attacking British commerce, which is a way of saying to the British, “Do you really want to continue this?”
Now, let me just add a few quick things and I’ll be done. I am not saying everyone ought to be allowed to hit anything and everything. I’m saying we should think more imaginatively about what targets are reasonable to strike. We certainly don’t want to risk killing a lot of people. But there’s no good reason why we shouldn’t use cyber attack to damage a lot of property, especially in retaliation for enemies who have already done that to us. It is insane to allow the Swiss to tell us how we fight our wars, and it’s doubly insane to have the Swiss tell us how to fight cyber conflict, which mostly won’t rise to the level of war and is something Switzerland knows even less about than actual armed conflict.
At present, though, there are a whole lot of people writing about rules of cyber conflict and many of them are not Swiss. It was mentioned earlier that Estonia freaked out when they had a series of cyber attacks a few years ago. They complained to NATO and NATO leaders said, “Well, we can’t retaliate but we’ve got to do something to show concern.” So they cranked up a study. There’s a NATO “center of excellence” in Tallinn. They recruited NATO experts on the law of war. They’re all lawyers. Some of them are very serious people. I don’t mean to denigrate them, but they do what lawyers do, which is think up objections to doing anything. So they have produced a 200…
Steven Chabinsky: I object to that! [laughter]
They have produced a 200 page manual, the Tallinn Manual, and it takes basically the Red Cross view, which is, “Oh, yeah. Cyber weapons. Yes, of course. But don’t hurt anyone. Well, don’t hurt any civilians. Don’t hurt any civilian’s stuff, either. You shouldn’t be viewing cyber attacks as anything that attacks commerce.” This, I think, really makes no sense.
I want to mention two things. One, we still have the idea that in a real war, we would use the navy to impose blockades. That is in the U.S. Navy Commander’s Handbook. We don’t even now follow the Red Cross view of the law of war when it comes to planning naval actions in war. Is cyber more like naval war – where we disrupt the enemy’s trade and communication, without exempting commerce just because it’s owned by civilians? Or is cyber conflict more like a land war, where we send tanks into enemy territory and then say to enemy civilians, “Stay out of our way and we’ll stay out of yours”? I say it’s more like naval war, so what is permissible in naval war should be applicable to cyber conflict.
And the second thing I say is we all should learn from history. Letters of marque and reprisal didn’t even start in the American Revolution. The practice started centuries earlier, when medieval kings said to merchants, “Oh, foreign raiders took your stuff? Sorry. But our barons aren’t equipped to get it back for you. And we don’t have a real navy, either. So you have permission to attack the foreigners and get your stuff back yourself. And by the way, if you can’t find the actual person who took it, take it from someone else of the same country, and then they’ll get the idea not to allow their people to do this.” What a great tactic that is! [laughter]
We should be thinking about that. Not anyone attacking at random, but people who come to the government and say, “I have some idea who this is.” We should have some procedure to authorize counterattacks. At the very least, to authorize counter-hacking which would otherwise be illegal, such as hacking to find out and detect exactly who launched attacks on our systems and why were they doing it. Stewart Baker’s account of hacking-back–that was all fabulous. But I’m relieved those people haven’t been noticed by federal prosecutors, because what they did is now illegal, I believe.
So we ought to have a way to authorize these things and say, “You’re authorized to do this kind of thing under these limits and good luck to you. If you enrich yourself, that’s fine, because people need incentives to fight and fight hard.” This is why letters of marque are provided for in the Constitution. And that provision worked really worked well when it was used – in the quasi-war with France in the 1790s and in the War of 1812 against Britain.
Finally, I want to mention this last fact, a fun fact. The National Security Agency is supposed to be responsible for our cyber strategy. The head of NSA is also Commander of Cyber Command. I don’t know what they’re doing exactly. But I know that Symantec, a private computer security firm, has an annual budget that’s about the same as the NSA’s. And Symantec is just one company out there. There are a lot of others thinking about cyber defense. Microsoft, which has been somewhat active in this field, has annual revenues that are ten times the annual budget of NSA. So there are vastly more resources, not just in the private sector, but in the private cyber security sector.
We do rely on private security elsewhere. There are now more private security guards, actual hired human beings with guns and such, than there are public police in all jurisdictions in the United States. We should find ways to encourage many more cyber security activists to get involved–probing, checking, investigating cyber attacks. And then authorize some in some circumstances to engage in retaliation. Or at least help the government to find targets.
I agree with my predecessors on this panel–we can’t rely on government to do all this by itself. My main point is, we didn’t start out thinking we could put all our trust in government, even in serious conflicts with foreign powers. We should remember that–because we seem to be facing serious conflicts in cyber space now.
For a fuller exposition of Professor Rabkin’s views, see “To Confront Cyber Threats, We Must Rethink the Law of Armed Conflict” by Jeremy A. Rabkin and Ariel Rabkin. Hoover Institution’s Defining Ideas Journal, January 24, 2013.