What Is the Role of Lawyers in Cyberwarfare?
Posted May 1, 2012 4:00 AM CST
By Stewart A. Baker and Charles J. Dunlap Jr.
Washington, D.C., attorney Stewart A. Baker and Charles J. Dunlap Jr., a former deputy judge advocate general of the U.S. Air Force, debate whether the U.S. should learn the practicalities of winning a cyberwar—and then ask lawyers for their input—or, instead, set the legal ground rules before conducting cyberwarfare in Patriots Debate: Contemporary Issues in National Security Law. The book is sponsored by the American Bar Association’s Standing Committee on Law and National Security, which invited both writers to address the legal approach to cyberwar.
STEWART BAKER’S POSITION
Lawyers don’t win wars.
But can they lose a war? We’re likely to find out, and soon. Lawyers across the government have raised so many showstopping legal questions about cyberwar that they’ve left our military unable to fight, or even plan for, a war in cyberspace.
No one seriously denies that cyberwar is coming. Russia may have pioneered cyberattacks in its conflicts with Georgia and Estonia, but cyberweapons went mainstream when the developers of Stuxnet sabotaged Iran’s Natanz enrichment plant, proving that computer network attacks can be more effective than 500-pound bombs. In war, weapons that work get used again.
Unfortunately, it turns out that cyberweapons may work best against civilians. The necessities of modern life—pipelines, power grids, refineries, sewer and water lines—all run on the same industrial control systems that Stuxnet subverted so successfully. These systems may be even easier to sabotage than the notoriously porous computer networks that support our financial and telecommunications infrastructure.
No one has good defenses against such attacks. The hackers will get through.
Even very sophisticated network defenders—RSA, HBGary, even the Department of Defense’s classified systems—have failed to keep attackers out. Once they’re in, attackers have stolen the networks’ most precious secrets. But they could just as easily bring the network down, possibly causing severe physical damage, as in the case of Stuxnet.
So as things now stand, a serious cyberattack could leave civilians without power, without gasoline, without banks or telecommunications or water—perhaps for weeks or months. If the crisis drags on, deaths will multiply: first in hospitals and nursing homes, then in cities and on the road as civil order breaks down. It will be a nightmare. And especially for the United States, which has trusted more of its infrastructure to digital systems than most other countries.
We’ve been in this spot before. As Brig. Gen. Billy Mitchell predicted, airpower allowed a devastating and unprecedented strike on our ships in Pearl Harbor. We responded with an outpouring of new technologies, new weapons and new strategies.
Today the threat of new cyberweapons is just as real, but we have responded with an outpouring—not of technology or strategy but of law review articles, legal opinions and legal restrictions. Military lawyers are tying themselves in knots trying to articulate when a cyberattack can be classed as an armed attack that permits the use of force in response. State Department and National Security Council lawyers are implementing an international cyberwar strategy that relies on international law “norms” to restrict cyberwar. CIA lawyers are invoking the strict laws that govern covert action to prevent the Pentagon from launching cyberattacks. Justice Department lawyers are telling our military that it violates the law of war to do what every cybercriminal has learned to do—cover their tracks by routing attacks through computers located in other countries. And the Air Force recently surrendered to its own lawyers, allowing them to order that all cyberweapons be reviewed for “legality under [the law of armed conflict], domestic law and international law” before cyberwar capabilities are even acquired. (And that’s just the lawyers’ first bite at the apple; the directive requires yet another legal review before the weapons are used.)
The result is predictable, and depressing. Top Defense Department officials recently adopted a cyberwar strategy that simply omitted any plan for conducting offensive operations. Apparently, they’re still waiting for all these lawyers to agree on what kind of offensive operations the military is allowed to mount.
I have no doubt that the lawyers think they’re doing the right thing. Cyberwar will be terrible. If the law of war can stave off the worst civilian harms, they’d argue, surely we should embrace it.
There’s just one problem: That’s exactly what we tried when airpower transformed war.
And we failed.
In the first half of the 20th century, the airplane did for war fighters what information technology has done in the last quarter-century. Like cyberattacks, airpower was first used to gather intelligence and not to fight. Perhaps for this reason, there was never a taboo about using either airpower or cyberweapons. By the time officials realized just how ugly these weapons could be, the cat was already out of the bag.
By the 1930s, though, everyone saw that aerial bombing would reduce cities to rubble in the next war. We have trouble today imagining how unprecedented and terrible airpower must have seemed at that time. Just a few years earlier, the hellish slaughter where armies met in the trenches of World War I had destroyed the Victorian world; now airpower promised to bring that hellish slaughter to the home front.
Former Prime Minister Stanley Baldwin summed up Britain’s strategic position in 1932 with a candor no American leader has dared to match in talking about cyberwar: “I think it is well also for the man in the street to realize that there is no power on earth that can protect him from being bombed, whatever people may tell him. The bomber will always get through. ... The only defense is in offense, which means that you have got to kill more women and children more quickly than the enemy if you want to save yourselves.”
The British may have been realists about air war, but Americans still hoped to head off the nightmare. The American tool of choice was international law. (Some things never change.) When war broke out on Sept. 1, 1939, President Franklin D. Roosevelt sent a cable to all the combatants seeking express limits on the use of airpower and expressing his view that “ruthless bombing from the air of civilians in unfortified centers of population … has sickened the hearts of every civilized man and woman, and has profoundly shocked the conscience of humanity. ... I am therefore addressing this urgent appeal to every government which may be engaged in hostilities publicly to affirm its determination that its armed forces shall in no event, and under no circumstances, undertake the bombardment from the air of civilian populations or of unfortified cities.”
Roosevelt had a pretty good legal case. The Hague Conventions on the Law of War, adopted just two years after the Wright Brothers’ first flight, declared that in bombardments “all necessary steps should be taken to spare as far as possible edifices devoted to religion, art, science, and charity, hospitals, and places where the sick and wounded are collected, provided they are not used at the same time for military purposes.” The League of Nations had recently declared that, in air war, “the intentional bombing of civilian populations is illegal.”
But FDR didn’t rely just on law. He asked for a public pledge that would bind all sides. Remarkably, he got it. The horror of aerial bombardment ran so deep in that era that England, France, Germany and Poland all agreed—before nightfall on the same day.
What’s more, they tried to honor their pledges. In a June 1940 order for Luftwaffe operations against Britain, Hermann Göring “stressed that every effort should be made to avoid unnecessary loss of life amongst the civilian population.”
It began to look like a great victory for the international law of war. All sides had stared into the pit of horrors that civilian bombing would open up. And all had stepped back.
It was exactly what the lawyers and diplomats now dealing with cyberwar hope to achieve.
But as we know, that’s not how this story ends. On the night of Aug. 24, a Luftwaffe air group made a fateful navigational error. Aiming for oil terminals along the Thames, they miscalculated, instead dropping their bombs in the civilian heart of the city of London.
It was a mistake. But that’s not how Churchill saw it. He insisted on immediate retaliation. The next night, British bombers hit targets in Berlin for the first time. The military effect was negligible, but the political impact was profound. Göring had promised that the Luftwaffe would never allow a successful attack on Berlin. The Nazi regime was humiliated, the German people enraged. Ten days later, Hitler told a wildly cheering crowd that he had ordered the bombing of London: “Since they attack our cities, we will extirpate theirs.”
The Blitz was on.
In the end, London survived. But the extirpation of enemy cities became a permanent part of both sides’ strategy. No longer an illegal horror to be avoided at all costs, the destruction of enemy cities became deliberate policy. Later in the war, British strategists would launch aerial attacks with the avowed aim of causing “the destruction of German cities, the killing of German workers, … the disruption of civilized life throughout Germany … the creation of a refugee problem on an unprecedented scale, and the breakdown of morale both at home and at the battle fronts.”
The Hague Conventions, the League of Nations resolution, even the explicit pledges given to President Roosevelt—all these “norms” for the use of airpower had been swept away by the logic of the technology and the predictable psychology of war.
So, why do today’s lawyers think that their limits on cyberwar will fare better than FDR’s limits on air war?
It beats me. If anything, they have a much harder task. Roosevelt could count on a shared European horror at the aerial destruction of cities. He used that to extract an explicit and reciprocal understanding from both sides as the war was beginning. We have no such understanding, indeed no such shared horror. Quite the contrary, for some of our potential adversaries, cyberweapons are uniquely asymmetric—a horror for us, another day in the field for them. It doesn’t take a high-tech infrastructure to maintain an army that is ready in a pinch to live on grass.
What’s more, cheating is easy and strategically profitable. American compliance will be enforced by all those lawyers. Our adversaries can ignore the rules and say—hell, they are saying—“We’re not carrying out cyberattacks. We’re victims too. Maybe you’re the attacker. Or maybe it’s Anonymous. Where’s your proof?”
Even if all sides were genuinely committed to limiting cyberwar, as all sides were in 1939, we’ve seen that the logic of airpower eventually drove all sides to the horror they had originally recoiled from. Each side felt that it had observed the limits longer than the other. Each had lawyerly justifications for what it did, and neither understood or gave credence to the other’s justifications. In that climate, all it took was a single error to break the legal limits irreparably.
And error was inevitable. Bombs dropped by desperate pilots under fire go astray. But so do cyberweapons. Stuxnet infected thousands of networks as it searched blindly for Natanz. The infections lasted far longer than intended. Should we expect fewer errors from code drafted in the heat of battle and flung at hazard toward the enemy?
Of course not. But the lesson for the lawyers and the diplomats is stark: Their effort to impose limits on cyberwar is almost certainly doomed.
No one can welcome this conclusion, at least not in the United States. We have advantages in traditional war that we lack in cyberwar. We are not used to the idea that launching even small wars on distant continents may cause death and suffering here at home. That is what drives the lawyers. They hope to maintain the old world. But they’re driving down a dead end.
If we want to defend against the horrors of cyberwar, we need first to face them with the candor of a Stanley Baldwin. Then we need to charge our military strategists, not our lawyers, with constructing a cyberwar strategy for the world we live in, not the world we’d like to live in.
That strategy needs both an offense and a defense. The offense must be powerful enough to deter every adversary with something to lose in cyberspace, and so it must include a way to identify our attacker with certainty. The defense too must be realistic, making successful cyberattacks more difficult and less effective because we have built resilience and redundancy into our infrastructure.
Once we have a strategy for winning a cyberwar, we can ask the lawyers for their thoughts. We can’t do it the other way ’round.
In 1941, the British sent their most modern battleship, the Prince of Wales, to Southeast Asia to deter a Japanese attack on Singapore. For 150 years, having the largest and most modern navy was all that was needed to project British power around the globe. Like the American lawyers who now oversee defense and intelligence, British admirals preferred to believe that the world had not changed. It took Japanese planes 10 minutes to put an end to their fantasy, to the Prince of Wales and to hundreds of brave sailors’ lives.
We should not wait for our own Prince of Wales moment.
CHARLES DUNLAP’S COUNTERPROPOSAL
Lawlessness cannot win America’s 21st century wars, but it can surely lose them.
Military professionals keenly understand this verity to include especially those responsible for conducting cyberoperations. Oddly, some civilians think otherwise.
Stewart Baker, a highly respected former official of both the Department of Homeland Security and the National Security Agency, and now a member of the prestigious Washington law firm of Steptoe & Johnson, has written a lively polemic about America’s presumed cyberwoes. In it he claims that in their insistence upon adherence to domestic and international law, lawyers—and especially military lawyers—are hobbling America’s cyberwar strategy.
According to Mr. Baker, lawyers “have raised so many showstopping legal questions about cyberwar that they’ve left the military unable to fight, or even plan for, a war in cyberspace.”
Really? If that is so, why is it that military commanders—the ones actually responsible for cyberwar fighting and planning—do not see it that way? Why are uniformed leaders expressing satisfaction with a legal framework for cyberwar, even with respect to the sensitive matter of offensive cyberwar that Mr. Baker seems to think the U.S. has forgone due to the machinations of lawyers?
Consider this: In November, Reuters reported that the commander of the U.S. Strategic Command (the parent organization of U.S. Cyber Command) acknowledged that the “U.S. military now has a legal framework to cover offensive operations in cyberspace.” The officer, Air Force Gen. Robert Kehler, said unequivocally that he did “not believe that we need new explicit authorities to conduct offensive operations of any kind” and added—definitively—that he did “not think there is any issue about authority to conduct operations.”
Furthermore, the 2011 Department of Defense Cyberspace Policy Report makes it clear that war fighters are ready to wage offensive cyberwar, and will do so in compliance with the existing law of armed conflict. Specifically, the DOD says it “has the capability to conduct offensive operations in cyberspace to defend our nation, allies and interests. If directed by the president, DOD will conduct offensive cyberoperations in a manner consistent with the policy principles and legal regimes that the department follows for kinetic capabilities, including the law of armed conflict.” (Italics added.)
Nevertheless, Mr. Baker argues that the cyber “offense must be powerful enough to deter every adversary with something to lose in cyberspace” and implies that America cannot do that unless it jettisons efforts to observe the law. Curiously, he offers little evidence of any insufficiency in U.S. cyberoffensive potential.
In truth, who is to say that existing U.S. offensive cybercapabilities, notwithstanding that they follow the law, are not more powerful than those of any potential adversary?
More precisely, what adversary would assume the U.S. is deficient in this regard? What adversaries do know is that the U.S. military is the most powerful in the world, even though it always seeks to follow the law. Why would an adversary think that U.S. cyberweaponry is not as devastating as those the American military operates in every other domain?
Mr. Baker seems uncomfortable with ambiguity about U.S. cybercapabilities. In a way, that is understandable given the dearth of information about them, but from a military perspective, making the enemy wonder about what fate might befall him were he to launch a cyberstrike is a good thing. To those in the armed forces, ambiguity—especially in the cyberrealm—has real deterrence value.
Moreover, uniformed professionals typically do not analyze one military capability in isolation from others. This is why, for example, the DOD Cyberspace Policy Report makes it clear that in the event of a cyberattack, the “response options may include using cyber-,and/or kinetic capabilities.” (Italics added.)
In other words, America’s cyberdeterrence does not depend upon any particular cybercapability, but includes the fearsome kinetic weaponry of the U.S. armed forces. What adversary today wants to take on America’s vast arsenal of diverse military capabilities?
As the DOD report makes clear, U.S. cyberwarriors are ready to wage war within the existing limits of the law of armed conflict. Mr. Baker nonetheless indicates that in his view doing so will attempt to “impose limits on cyberwar” and is, therefore, “doomed.” Consequently, he implies that there should not be any limits on the way the U.S. wages cyberwar.
This raises an important question: Should America wage war—cyber or otherwise—without legal “limits”?
Military commanders have seen the no-legal-limits movie before and they do not like it. In the aftermath of 9/11, civilian lawyers moved in exactly that direction. Former Attorney General Alberto Gonzales, for example, rejected parts of the Geneva Conventions as “quaint.” He then aligned himself with other civilian government lawyers who seemed to believe that the president’s war-making power knew virtually no limits. The most egregious example of this mindset was their endorsement of interrogation techniques now widely labeled as torture.
The results of the no-legal-limits approach were disastrous. The ill-conceived civilian-sourced interrogation, detention and military tribunal policies, implemented over the persistent objections of America’s military lawyers, caused an international uproar that profoundly injured critical relations with indispensable allies. Even more damaging, they put the armed forces on the road to Abu Ghraib, a catastrophic explosion of criminality that produced what military leaders like then-U.S. Commander in Iraq Lt. Gen. Ricardo Sanchez labeled as a “clear defeat.”
Infused with illegalities, Abu Ghraib became the greatest reversal America has suffered since 9/11. In fact, in purely military terms, it continues to hobble counterterrorism efforts. Gen. David Petraeus observed that “Abu Ghraib and other situations like that are nonbiodegradable. They don't go away.” Petraeus told the New York Times, “The enemy continues to beat you with them like a stick.” In short, military commanders want to adhere to the law because they have hard experience with the consequences of failing to do so.
Why, then, are Mr. Baker and others so troubled? Actually, there are legitimate concerns about America’s cybercapabilities, but the attack on the issues is misdirected. Indeed, if Mr. Baker substitutes the word policymaker for lawyer and the word policy for law he might be closer to the truth in terms of today’s cyberwar challenges. To those with intimate knowledge of the intricacies of cyberwar, it is not the law, per se, that represents the most daunting issue; to them, it is policy.
For example, retired Air Force Gen. Michael Hayden, the former head of the National Security Agency and later director of the CIA, told Congress in October 2011 that America’s cyberdefenses were being undermined because cyberinformation was “horribly overclassified.” That issue is not sourced in lawyers but in policymakers who could solve the classification problem virtually overnight if they wanted.
That same month, Gen. Keith B. Alexander, commander of U.S. Cyber Command and current NSA director, said that rules of engagement were being developed that would “help to define conditions in which the military can go on the offensive against cyberthreats and what specific actions it can take.” Gen. Alexander readily acknowledges the applicability of the law of armed conflict, but suggests that challenges exist in discerning the facts and circumstances to apply to the law.
This gets to the “act of war” question Mr. Baker complains about. The law does provide a framework; it is up to decision-makers to discern the facts to apply to that framework. Hard to do? Absolutely. But frankly, such “fog of war” issues are not much different from those military commanders routinely confront in the other domains of conflict where difficult decisions frequently must be made on imperfect information.
The ability (or inability) to determine facts is not a legal issue but a technical problem for the specialists to solve. So if there is a difficulty in that regard, the complaint ought to be directed at cyberscientists or even policy strategists, but not the lawyers. Sure, the law requires an ability to determine the source of an attack before launching a military response, but so do good sense and effective military strategy.
The same can be said for the legal requirement to assess the impact on civilians and civilian objects before launching a cyberattack. This is information that decision-makers would want for political and policy reasons wholly independent of any legal requirements. As the great strategist Carl von Clausewitz observed, “War is the continuation of policy by other means.” Again, if the ability to make the calculations that political leaders and policymakers require as much as lawyers is inadequate, that is a technical, not a legal, issue.
When—and if—the facts and circumstances are determined, weighing them is what policymakers and military commanders “do.” Lawyers may help them, but ultimately it is the decision-makers’ call, not the lawyers’. Any reluctance of decision-makers to make difficult fact determinations—if such reluctance does exist—is not, in any event, a deficiency of law, but of leadership.
Of course, such decisions are never exclusively about legal matters. Policymakers and commanders rightly take into account a variety of factors beyond the law. In actual practice, it appears that such considerations often are more limiting than the law.
For example, the Washington Post reported that U.S. cyberweapons “had been considered to disrupt Gadhafi’s air defenses” early in NATO’s U.N.-sanctioned operations aimed at protecting Libyan civilians. However, the effort “was aborted,” the Post said, “when it became clear that there was not enough time for a cyberattack to work.” Conventional weapons, it was said, were “faster, and more potent,” a pure military rationale.
None of this reflects even the slightest suggestion that lawyers or the law frustrated the execution of a cyberoperation in Libya.
No doubt there was discussion about cyberreporting obligations under the War Powers Resolution, but presidents have almost never seen that as a bar to military actions, so it can hardly be said to be something unique to cyberoperations or something that operated to actually block a cyberattack, per se. Rather, it is but one of the many political considerations applicable to military actions generally, cyber or otherwise.
To be clear: The primary concern about the potential use of cyberweaponry against Libya was not anything generated by lawyers, as Mr. Baker might put it, but rather by “administration officials and even some military officers,” who, the New York Times says, “balked, fearing that it might set a precedent for other nations, in particular Russia or China, to carry out such offensives of their own.” Along this line, the Times quoted James Andrew Lewis, a senior fellow at the Center for Strategic and International Studies, as opining that the U.S. does not want to be the “ones who break the glass on this new kind of warfare.”
Again, the legitimacy of these concerns aside, they illustrate—regardless—that while there may be unresolved policy questions inhibiting cyberoperations, that is altogether different from the legal problems of Mr. Baker’s imaginings.
The threat of cyberwar is certainly an extremely serious one, but surely not a greater peril than nuclear war. Yet at least insofar as the U.S. military is concerned, nuclear operations can be made amenable to the law. In other words, if our survival does not require abandoning the rule of law with respect to nuclear weapons, there is certainly no reason to do so in the cyberrealm.
Does Mr. Baker nevertheless believe that the U.S. is so vulnerable to catastrophic cyberattack that the nation must reject any legal limits in its cyberresponse?
If, indeed, the U.S. was as vulnerable to catastrophic attack as Mr. Baker would have us believe, al-Qaida or some extremist group certainly would have launched one by now. In point of fact, although cybercrime may be extensive, militarily significant cyberattacks apparently are not as easy to conduct as Mr. Baker seems to think. In reporting the rejection of cyberweaponry as a means of dismantling Libyan air defenses, the New York Times noted that: “While popular fiction and films depict cyberattacks as easy to mount—only a few computer keystrokes needed—in reality it takes significant digital snooping to identify potential entry points and susceptible nodes in a linked network of communications systems, radars and missiles like that operated by the Libyan government, and then to write and insert the proper poisonous codes.”
Obviously, if cyberweaponry is technically difficult for the world’s foremost military to use even against a Third World power like Libya, one may reasonably infer that it is markedly more difficult to use against a sophisticated First World power, even for a peer or near-peer of that power.
Rejection of legal limits carries other, real-world consequences that are not in the U.S.’s cyberinterests. An effective response to cyberthreats is not an autarkic enterprise; it requires the cooperation of international allies. Mr. Baker’s ‘damn the law and lawyers’ approach would cripple our relations with the law-abiding nations whose cooperation we must have in order to address cyberthreats.
We need to keep in mind that the vast majority of adverse cyberincidents are criminal matters, and the resolution of them frequently necessitates the involvement of foreign police and judicial authorities who, by definition, require partners who are themselves committed to faithfulness to the rule of law.
The importance of legal legitimacy cannot be overstated. As outlined above, few in uniform who have experienced the vicissitudes of war since 9/11 would underestimate the deleterious impact on coalition support that the mere perception of American lawlessness can have.
In any event, the American people insist upon legality. Michael Reisman and Chris T. Antoniou noted in 1994 that the public support that democracies need to wage war “can erode or even reverse itself rapidly, no matter how worthy the political objective, if people believe that the war is being conducted in an unfair, inhumane or iniquitous way.”
In truth, as important as the moral perspective may be, the practical advantages of adherence to the rule of law have a power all their own—as history plainly shows.
Nazi Germany’s and Imperial Japan’s gruesome violations of the law of war, for example, hardly proved advantageous to them. More recently, Saddam Hussein, who embraced war without “limits,” was pulled from a subterranean spider hole—dirty, defeated and soon to be dead. Moammar Gadhafi’s illicit threats to wage war upon his own civilian population in the spring of 2011 brought the military power of the international community down upon him to the point where he ended his days groveling in a sewer pipe.
Military leaders know that adherence to the law is a pragmatic essential to prevailing in 21st century conflicts. It might be attractive to some to capitalize on the unpopularity of lawyers, to demonize them and even the law itself, but military commanders understand that war today has changed. They know that law has permeated war much as it has every other human activity, and they realize the perils of ignoring its power and influence. Whether anyone likes it or not, war has become, as Gen. James Jones, then the commander of NATO forces, observed in 2003, “very legalist and very complex.”
And lawyers? “Now,” Jones said, “you need a lawyer or dozen.” To which one might today add: if you want to win.
Gen. Dunlap’s essay has two broad themes.
First, he argues that a lawyers-first approach to cyberwar won’t really handicap our military. I agree with some of what he says. The United States does have formidable offensive cyberweapons, and we should benefit from ambiguity about how we will respond if attacked.
But on other fronts, he’s almost certainly wrong, as when he suggests that America’s military strength will deter cyberattacks, or that cyberweapons aren’t that big a deal since we didn’t use them against Libya. We didn’t use such weapons against Libya in part because we didn’t have enough time to map Libya’s infrastructure and in part because we didn’t want to encourage the routine military use of cyberweapons. But neither of those considerations is likely to deter our adversaries, who have been mapping the U.S. infrastructure for years and who will no doubt launch their attacks anonymously and deniably. What good will all our offensive weapons do us then? At worst, we’ll be reduced to raging helplessly, unsure of whom to attack. At best, we’ll be started on a path taken by the bombers in World War II—a cycle of escalating attacks and counterattacks that will quickly destroy the notion that there are legal limits on civilian targeting.
Gen. Dunlap’s second theme is plainly heartfelt but equally mistaken. To him, taking lawyers out of cyberwar strategy will lead to “lawless war,” and he pulls out all the stops to condemn it, invoking Abu Ghraib, Adolf Hitler, Imperial Japan and, um, Alberto Gonzales.
If you’re wondering how the former attorney general got on that list, I suspect it’s because Gen. Dunlap is still fighting the last war. The last turf war, to be precise. The years after 9/11 saw bitter conflict between military judge advocates general and civilian leaders like Gonzales. They fought over military tribunals, Guantanamo and interrogation.
The military lawyers mostly won. But the cost of that victory was high. It did surprising damage to civilian control of the military (it’s hard, for example, to read Gen. Dunlap’s essay without getting the impression that “civilian lawyer” is some new kind of epithet). And it led military and national security lawyers to draw the wrong lessons from the post-9/11 wars. In the future, they concluded, no war should be planned or fought without a lawyer at every commander’s elbow.
Really? Let’s assume, despite substantial contrary evidence, that when we fight in places like Libya or Iraq or Afghanistan we can deprive our adversaries of propaganda victories so long as our military does nothing without a lawyer’s approval. Even if that’s true, why would we expect the same approach to work for a war in cyberspace?
At its worst, cyberwar could reduce large parts of the United States to the condition of post-Katrina New Orleans, maybe for weeks or months. Responding to propaganda attacks isn’t likely to be high on our to-do list. Indeed, we have not planned for a war with such dire domestic consequences since the 1950s, when atomic weapons, long-range bombers and intercontinental missiles transformed our military strategy.
For the first time since the 1950s, we must recognize something no lawyer likes to admit—that law has only a limited role in fighting wars where national survival is on the line. That’s the lesson from FDR’s failed effort to outlaw air attacks on civilian targets. Or, really, from dozens of other episodes. In 1936, submarine stealth attacks on merchant ships were violations of the law of war—a rule that was swept away in the first hours of World War II. In World War I, much the same fate befell a solemn international condemnation of poison gas weapons.
We knew this lesson once. At Nuremberg, we declined to charge German submarine and air commanders who had attacked civilian targets, recognizing that the illusory law of the ’30s had been nullified on the battlefield.
Our first nuclear strategy was grounded in that hard-won experience. We didn’t give the JAG Corps a veto over nuclear weapons or strategy. We didn’t station lawyers in the silos to decide when the missiles could be launched. And I am confident there’s no legal memo in the Pentagon’s files from that era saying, “We think it’s perfectly proportional and lawful to respond to a conventional Soviet tank advance in Germany by launching a massive nuclear attack over the airspace of unwilling neutral nations, incinerating millions of Russian civilians and covering the world in radioactive fallout.”
We came up with that admittedly ugly nuclear strategy not because the lawyers liked it—how could they?—but because it was the only way to save Europe from a Soviet invasion. Oh, and because it worked.
That’s the kind of realism the government will need as it plans for the challenge of cyberwar.
It is not yet a kind of realism that is easy to find, even in the Pentagon.
My friend Stewart Baker’s vociferous response to my critique of his polemic is an exquisite example of something cleverly strategized to play well in the gilded salons of certain Washington glitterati, but not so much in the stark command posts of those tasked with real responsibility for America’s cybersecurity.
By bashing military lawyers (and others) who have stood up—and who will continue to stand up—for the rule of law, Mr. Baker seems to think he will amass converts to his strange belief that lawlessness wins wars.
Don’t drink the Kool-Aid. People with concrete experience in actual conflicts know well what happens these days to those who think that the law doesn’t matter. They end up not just as battlefield losers but also with a hangman’s noose around their neck (Saddam) or bullets in their forehead (bin Laden) or cowering in a sewer pipe (Gadhafi).
Mr. Baker clings to his dogma that the only way to deter cyberattacks is to threaten innocent people with some kind of cyberdamnation. Moral considerations aside, the 21st century is replete with examples that prove too many of our most dangerous adversaries are rather indifferent to the fate of civilians, including their own people.
Does anyone think that those disposed to set off bombs in markets crowded with children would be deterred by a threat to cybernetically shut down hospital incubators somewhere? Cruelly enough, such adversaries just don’t care that much about dead babies. It really is that simple.
What military experience shows, however, is that what might actually work is to hold at risk the perpetrators themselves and, often, the means by which they execute their attacks. That Mr. Baker so rejects this proven—and fully lawful—military approach is genuinely puzzling.
Perhaps it is helpful if we separate Mr. Baker’s obsessive abhorrence of the legal profession generally from hostility toward the law itself. My argument is this: Whatever one might think of lawyers—military or civilian—from a military perspective, adherence to the law itself is not just intrinsic to an honorable and decent people; it is also a practical, hard-nosed necessity for success in contemporary military operations.
Why? Again, the answer is uncomplicated (and one that Mr. Baker was wholly unable to counter in his response): Among other things, a damn-the-law strategy would deprive the U.S. of the international cooperation that countering a cyberthreat (especially) absolutely requires. Few serious observers of the post-9/11 world dispute this axiom.
Another problem with his theory arises from Mr. Baker’s apparent misreading of the ethic of those in uniform who would be called upon to execute the kind of cyberattack against noncombatants that so enthralls him.
Members of the armed forces take their oath to support and defend the Constitution very seriously. They do not enlist to conduct plainly unlawful operations against the helpless, however ideologically popular doing so might be in various quarters.
Consequently, it is absurd to think that those in the military would, in any event, knowingly embrace the sort of illicit stratagem he proposes. Wearing the uniform does not transform Americans into automatons indifferent to the rule of law, as some evidently assume is the case.
What is more is that it is obvious that the American people would back their military’s ethic, and not Mr. Baker’s philosophy. Professors Michael Riesman and Chris T. Antoniou point out in their 1994 book, The Laws of War: “In modern popular democracies, even a limited armed conflict requires a substantial base of public support. That support can erode or even reverse itself rapidly, no matter how worthy the political objective, if people believe that the war is being conducted in an unfair, inhumane or iniquitous way.”
Mr. Baker’s theory is further unraveled by the military reality that those adversaries who are deterrable at all—typically nation-states—are just as (or more) likely to be deterred by the unambiguous certainties of the U.S.’s amply demonstrated noncyber military might as by anything that might be done in the cyberrealm that is still littered with uncertainties and ambiguities.
In trying to counter this indisputable truth, Mr. Baker’s logic crumbles. For example, he alleges that adversaries can attack us anonymously and leave us “reduced to raging helplessly, unsure of whom to attack.”
If adversaries really can do that, how does threatening innocents with unrestricted cyberwar change the calculation? Indeed, if we can be rendered truly helpless by a cyber-first-strike by an enemy confident in his ability to remain anonymous, how would threats—of any kind—deter him?
Oddly, Mr. Baker does not stick with his reduced-to-helplessness estimate. He later concedes that “at its worst, cyberwar could reduce large parts of the United States to the condition of post-Katrina New Orleans.”
The fact is that even if Mr. Baker’s very doubtful worst-case scenario came to pass, and even if it also happened that “large parts” of the American military were similarly humbled, the U.S. arsenal is so vast and formidable that the remaining portion would still compose a terrifying force well able to devastate any nation on the planet.
Military planners around the globe keenly appreciate this truth, even if others do not.
Finally, Mr. Baker seeks to analogize his “lawless” concept of cyberdeterrence with nuclear deterrence because, it seems, he assumes that our nuclear forces operate outside the law. That is incorrect, and I invite his attention to my 1997 article, “Taming Shiva: Applying International Law to Nuclear Operations,” where I explain the legal review process in which I personally participated.
No doubt some armchair Rambos will find Mr. Baker’s forget-the-law theory alluring, but from a military perspective there is no question that the adherence to the rule of law is not just the right thing to do; it is also the smart, pragmatic and war-winning formula.
Stewart A. Baker is a partner at Steptoe & Johnson in Washington, D.C., and former assistant secretary for policy and technology at the Department of Homeland Security. Charles J. Dunlap Jr. is a retired major general and former deputy judge advocate general of the U.S. Air Force who teaches at Duke University School of Law.
The ABA Journal’s Patriots Debate series has been publishing advance versions of the essays that will appear in the committee’s book, which is expected to be published this spring. Full versions of the essays will appear in the forthcoming book.