I received an interesting comment from an anonymous reader yesterday about my post on the introduction of HR 3039; well worth reading in its entirety. In passing a comment was made about the “need to be intentionally vague in order to avoid loopholes and military redtape”. Other than having a minor objection to the use of ‘military’ instead of ‘bureaucratic’ as a modifier of ‘red-tape’, I think Anonymous has an interesting point.
In my post I complained about the lack of definition of ‘malicious cyber-enabled activity’ as that definition was key to deciding what countries would/should be included on the list of State Sponsors of Cyberattacks. Lacking a legal definition the President would be given a great deal of leeway as to which countries should be placed on the list.
Anonymous points out that, given recent events, the bill was probably intended to target China and Iran. In fact a press release from the office of Rep. Brooks (R,AL - the bill’s author) specifically mentions reported attacks by China, Iran and North Korea as examples of recent attacks to which the US has not been able to respond.
Now, I am glad that the bill did not specifically mention those three countries (especially since I have not seen compelling evidence that the DPRK was behind the Sony Hack), but it is clear that Brooks (and a very large number of other people) would expect to see these three countries among the first countries placed upon the list.
If this was simply a sanctions bill I would agree that providing the President with a wide degree of latitude in designating countries for a place on the list is good policy. Placement on such a list could be used as a pretty large stick to encourage governments to take actions against cyber thieves working from within their boundaries and that type of stick should be wielded by the President.
But this bill specifically authorizes military action against countries on the list. Did you miss that? See §3(c)(2)(R); the last item on the list of ‘other actions’ that the President is authorized to take is “Ordering a cyber counterattack”. While this may not be a classic military action, there is no doubt that it will be the military that conducts the attack. Likewise, there is little doubt that the targeted country would consider it a military attack and would likely cry to the UN about an act of war perpetrated by the United States.
Now, I have no doubt that there could be cyberattacks that would justify retaliation in kind, or even an expansion of the retaliation to more readily recognizable military attacks. But to give the President blanket authorization to take retaliatory military attacks against countries that might allow bank scammers to operate with impunity seems to me to be a step too far.
If cyber retaliation is going to remain on the list of tools provided to the President (and I could certainly make a whole list of arguments to support that being included) Congress is going to have to do a better job of limiting where that can be employed without coming back for a specific authorization under Article 1, Section 8, Clause 11 of the Constitution (power to declare war). And that is where a definition of the term ‘malicious cyber-enabled activity’ needs to be included in this bill.
In fact, I think that the definition should be structured in such a way as to describe multiple levels of malicious activity that would be keyed to a specific variety of authorized responses. The ultimate level would include ‘any cyber activity that results in, or could reasonably be expected to result in:
∙ ‘The loss of life,
∙ ‘Interference in the operation of the US military aircraft, vessels or spacecraft; or
∙ ‘Interference in the material operation of any critical infrastructure activity.’
The bill should then go on to specify what sort of ‘counter cyberattack’ would be authorized; “A counter cyberattack is authorized to take immediate action to stop the current attack and prevent future attacks by the source of the original cyberattack”.
Again, legislation should probably be written in broad terms to allow for it to continue to fit changing circumstances. But, there are certain activities that should be constrained by law and the power to initiate an attack (even a cyberattack) on a foreign country should be one of those activities.