Rules For Cyberwarfare Still Unclear, Even As U.S. Engages In It

Enlarge this image toggle caption Saul Loeb/AFP/Getty Images Saul Loeb/AFP/Getty Images

When Defense Secretary Ashton Carter landed in Iraq for a surprise visit this week, he came armed with this news: More than 200 additional U.S. troops are headed to that country. They'll join the fight to retake the Iraqi city of Mosul from the Islamic State.

As that battle unfolds on the ground, a parallel war against ISIS is unfolding in cyberspace.

U.S. officials have confirmed to NPR that over the past year, the cyber campaign has taken off. They describe an escalation in operations, from using cybertools to geolocate a particular ISIS leader to hacking into and then conducting surveillance on a particular computer.

The activity occurs even as the rules for cyberwarfare remain a work in progress. Among the outstanding questions: Who's in charge when the U.S. wages cyberwar?

"The chain of command is clear on paper," says Susan Hennessey, who served as a lawyer at the National Security Agency until November 2015. "It's much more difficult to understand in practice."

Hennessey, now a national security fellow at the Brookings Institution, describes an "invisible war of lawyers" within senior government ranks. She says their debates range from questions over who has authority to approve a proposed operation to the distinction between a cyber operation and electronic warfare, such as jamming enemy radar.

"You'd see Defense Department attorneys, you'd see attorneys on the National Security Council staff, you might see attorneys on the State Department staff or other parts of executive agencies saying, 'Wait a minute! I don't think that is electronic warfare,' " she says. "So you're going to see a lot of individuals really all working to define this space."

Asked whether the U.S. is still figuring out the rules for cyberwarfare, even as it engages in it, Hennessey replies, "I think that's certainly true."

An alternative view comes from Michael Sulmeyer, who until last year served as director of plans and operations for cyber policy at the Defense Department. He believes the cyber chain of command is fairly straightforward.

But he says other key questions are in play, such as how to weigh the risk of collateral damage. For example, do you target a cellular network that ISIS leaders are using to communicate, if doctors at a local hospital are using it, too? Sulmeyer says it's also worth considering whether established military standards for self-defense apply in the cyber arena.

"If you're a tactical unit, deployed out front and forward, what happens if you start taking incoming fire?" he asks. "When can you fire back? How that plays out in cyberspace is something that I don't think has been very publicly discussed."

Sulmeyer is now the Belfer Center's Cyber Security Project director at Harvard's John F. Kennedy School of Government. From his perch there, he is studying and writing about what cyber rules of engagement should look like in the future.

Sulmeyer notes that the Pentagon now officially recognizes cyberspace as the fifth domain of warfare, after land, sea, air and space. That — combined with the urgency of the campaign against ISIS — is prompting military planners to think creatively, he says, about both how to govern and how to weaponize the cyber battlefield.