Regulating International Cyberwarfare
by Alex Kang
This past weekend, U.S. intelligence agencies released a report asserting that the Russian government hacked into email servers belonging to the Democratic National Committee, in what the Office of the Director of National Intelligence called a “campaign to influence the election.”
The cyberattacks on an American target marked what some commentators called an “unprecedented” intrusion into the American political system, underscoring the threat of cyberwarfare and its effects. Daniel Abebe, Professor of Law at the University of Chicago Law School explores how these kinds of state-to-state exchanges could be regulated—how the United States government might choose to curtail, or expand, the President’s authority to engage in cyberwarfare—in light of cyberwarfare’s nascent, but increasingly important status within the international community.
In his forthcoming paper, Abebe argues that in determining the appropriate level of control for cyberwarfare—a new type of conflict that could challenge existing norms of conventional warfare—policymakers must consider not only internal institutional constraints, such as the U.S. Constitution, but also the direct relationship these internal constraints have with external constraints created by the competing interests and cyber capabilities of other countries.
Doing otherwise, Abebe states, might create a regulatory regime for cyberwarfare akin to that of conventional warfare, leaving the President overconstrained and unable to achieve foreign policy goals. Alternatively, the President could be given authority unwarranted by the international political climate, and thus create a regulatory regime that is underconstrained and without sufficient oversight.
Currently, Abebe writes, the Constitution and international law narrow the extent of the President’s conventional warmaking authority and limit its use to a few specific circumstances.
Abebe describes the existing legal framework in the United States surrounding conventional warfare as one in which Congress is assigned most foreign affairs authority. Moreover, although the President is generally considered the leading actor in military operations congressional authorization is required for the United States to officially go to war. International law similarly restricts the use of force abroad: the United Nations Charter only provides a narrow exception for the use of military force for self-defense in the event of an “armed attack,” and the core principles of international humanitarian law require the application of concepts like military necessity, which ensures that attacks are on military targets and do not cause excessive harm to civilians.
According to Abebe, the question, then, is whether cyberwarfare is “sufficiently distinct from conventional military operations” to “justify revision of the existing legal framework governing the president’s power in this arena.”
Abebe argues that this question sits at the heart of current cyber-regulation debate only captures one dimension of a much larger discussion. Under the current paradigm, he contends, the spectrum of opinion can range from the claim that cyberwar is no different from traditional war and requires no additional regulation, to the claim that cyberwar is more destructive, dynamic, and secretive than conventional warfare, consequently requiring more regulatory oversight. But this discussion centers only on the way that cyberwarfare fits into existing domestic constitutional and statutory frameworks. It focuses on issues relating to congressional oversight of the President and ignores other pragmatic considerations—international factors that might limit the United States, such as the cyberwarfare capacity of potential adversaries, or the foreign strategic interests of each actor.
Policymakers must strike a regulatory balance, Abebe states, providing the President with sufficient flexibility to address national security issues and ensuring that Congress has meaningful oversight. Abebe uses two “stylized” scenarios to illustrate a model that could tell Congress when and how optimally to constrain the President’s authority to conduct cyberwarfare.
In the first scenario, the United States is the world’s predominant cyber-superpower—it possesses the most advanced offensive and defensive cyberwarfare capabilities, and is consequently well-placed to achieve its foreign policy goals. Abebe argues that, since potential adversaries like Russia or China are unable to compete with the United States, constraints on the President from international politics are weak, and the government should strengthen domestic constraints by increasing congressional oversight or creating statutory restraints to prevent misconduct.
In the second scenario, the United States is one of several equally-matched cyberpowers. Abebe posits that, in this case, a domestic regulatory regime that places fewer restrictions on Presidential authority would be appropriate because the external constraints from international politics are much stronger.
Although Abebe states that policy prescriptions are outside the scope of his paper, he notes that—looking only at the estimated cyberwarfare capacities and strategic interests of the United States, China, and Russia—the international environment is likely closer to that of the second scenario. Russia and China are not only in competition with the United States in cyberspace, but Admiral Michael Rogers, Director of the National Security Agency and the United States Cyber Command, reportedly claimed that tensions in recent months resemble tensions at the beginning of the Cold War. Abebe suggests that these countries “are aggressively pursuing cyberpower dominance.” Moreover, the United States has a vested strategic interest in using cyberwarfare tools to deter the use of military force by its adversaries and to defend its economic assets from digital attack. Together, these circumstances arguably signal a strengthening of external constraints on the President’s authority to pursue cyber foreign policy goals of the United States.
Consequently, Abebe argues, “it appears that the United States’ interest is in maximizing its cybercapacity and ensuring flexibility to engage in offensive and defensive cyberoperations whenever necessary.”
Abebe presented his paper at the University of Chicago Law School Symposium, “National Security: The Impact of Technology on the Separation of Powers,” and the paper will appear in the University of Chicago Law Review.