lorem, ipsum

profileAjaybaby40
Belk_Noyes.pdf

111

VII. Cyber Force Cyber Action Overall Severity of Implication Recommendations

Cyber Force

x Do not engage in cyber force unless the

following conditions are met: o Conforming to LOAC o Minor or no spillover effects (if overt) o Coordinated with allied partners and

legitimized through multi-national body o In concert with traditional military force

and as targeted as possible o Limit use of catastrophic cyber force to

situations of declared general warfare.

Description

As described in our ontology, cyber force includes cyber attacks with such

substantial physical effects that they rise to a level that ought to be considered a

“use of force” under international law. Although the general international norms

of use of force stem from the UN Charter Article 2(4), the actual bounds of

“force” are nebulous.120 This is true not only for cyber operations, but has also

been true for physical ones in which the concept of “I know it when I see it”121

has become predominant. In his 2002 paper “Information Warfare and

International Law on the Use of Force”, Jason Barkham suggests that the

definition of “force” must change in order to accommodate new technologies in

information warfare (IW).122 As of this writing, however, there have been no such

clarifying distinctions.

120 (Hoisington, 2009) 121 (Jacobellis v. Ohio, 1964) 122 Barkham argues that either the application of Article 2(4) must change or the international community must develop a new standard, possibly through treaties. See (Barkham, 2002)

112

For the purpose of this work, a precise definition of “use of force” is not

required, but only recognition of the criteria for determining what qualifies a use

of force. To avoid questions of means and target sets that make applying cyber

operations to the traditional definitions of “use of force” difficult, we have

focused on the effect of the an operation as the most appropriate metric to judge

if something is a “use of force.” If a cyber operation were to result in physical

injury or death such that conventional means of achieving the same ends would

be considered a “use of force,” then the cyber operation is “cyber force.”

Similarly, if the cyber capability can be employed in a manner that could be

reasonably perceived as intent to cause physical injury or death similar to effects

caused by traditional kinetic weapons, then this cyber operation is “cyber force”.

In this regard, therefore, we have limited this definition to cyber attacks with the

potential for direct lethal effects.

This description may seem to lack nuance, but our intention is to provide

clarity for policy-makers who may otherwise feel paralyzed by the technical

aspects of cyberspace or the difficulty in applying traditional military conceptual

frameworks to cyber operations. For this reason, it is our contention that the

main driver for policy-makers should not be the specific means of the

operation,123 but rather the effect that that operation produces.124 Also, it is

123 In “Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities”, the National Academy of Sciences offers the example of blockade and sanctions to describe the way means, not effects, differentiates a use of force from an action which does not meet that criteria. It is an important distinction for consideration, but one that does not apply here. In our conceptualization, the appropriate analogy for cyber force is not with blockade or sanctions, but with conventional weapon type. (See, National Research Council, supra note 20) 124 An appropriate example would be the contention that lines of code in and of themselves are not weapons, and thus a destructive operation that solely relies on the use of code could not reach the threshold of “use of force”. This is an erroneous assertion. It is precisely the code in Joint Direct Attack Munitions (JDAM) that makes it effective, requiring the military to use less payload and resulting in smaller circular errors of probability (CEP). As a function of payload required to technology available (i.e. computer code), we can identify that the more technology

113

important to note that in discussing cyber force, we are focusing on the specific

execution of code that directly resulted in the effects constituting a use of force.

We do not broaden this definition to include supporting cyber operations (such

as cyber information collection) that may enable DoD’s use of cyber force.

In that regard, the following

analysis of cyber force requires the

policy-maker to conceptualize the

external cyber operation as

essentially equivalent to a conventional operation that has effects that would be

considered a use of force. From this vantage point, it will become obvious that

the majority of the considerations from our framework for cyber force

correspond to the same considerations for conventional uses of force.

Policy Analysis

Normative Considerations

Ethical

Ethical considerations for cyber force mirror those for conventional

operations that are considered use of force. Just war theory and particularly the

concepts of jus ad bellum and jus in bello apply. With regard to cyber force, as a

type of weapon, there should be no ethical distinction between the use of cyber

force and any other type of attack that results in effects commensurate with the

use of force.

available, the less payload is required for any given level of effect. Thus, it is arguable that cyber force represents the logical conclusion to a capability of zero payload required for the same effect, because of greater technology available.

114

Although the ethical considerations are the same, the ability to meet those

standards may be more difficult in cyber force. The requirements for distinction,

proportionality and attribution, as noted above, are problematic in cyberspace.

When considering the use of cyber force, policy-makers should emphasize the

possibility of collateral damage from unforeseen spillover due to network

connectivity. In 2003, it is reported the U.S. chose not to conduct cyber attacks on

Iraqi banks because of their connection connection to French financial networks.

It was feared an errant cyber weapon might disrupt ATM service in Europe.125

We recommend that policy-makers continue to bias toward prudence in order to

ensure the primacy of these ethical considerations.

This bias would have implications for the rare (though not inconceivable)

use of cyber force against American citizens residing outside the U.S. who had

become involved in terrorist plots against the U.S. The recent killing of U.S.

citizen Anwar Al-Awlaki in Yemen for his ties to Al Qaeda in the Arabian

Peninsula (AQAP) demonstrates this issue.126 Were the method for the killing

cyber force instead of a drone strike, the ethical (and in fact legal) issues remain

the same. Here the considerations of ethics, law and soft power overlap. Not only

does the U.S. hold strong convictions regarding the principle of “guilty until

proven innocent” as guaranteed by the constitution, but the effect of such force

on the attractiveness of the U.S. abroad also has consequences on American soft

power. This is not to pass judgment on the Al-Awlaki killing as an extension of

counterterrorism operations, but it is a relevant analogy for U.S. use of cyber

force. We believe that policy-makers should prioritize the ethical and legal

125 (Smith, 2003) 126 For a general overview of the legal debate regarding the Al-Awlaki killing see (Williams C. J., 2011)

115

dimensions in their decision making for the greater strategic and soft power

aims.

Domestic Law

The domestic legal considerations for cyber force are limited, because

cyber force is essentially an external operation directed at other nation states or

non-state actors. And because we have limited our definition of cyber force to the

proximal cause of the force, domestic law concerning the citizenry has little

applicability (aside from the issue raised above under ethical considerations).

Questions of privacy, surveillance or seizure are generally not relevant.

The issue of Title 10 and Title 50 authority, however, does apply here as a

consideration for the assets used to conduct the cyber force. Because resident

expertise resides within DoD, the CIA and the NSA, the context will most likely

dictate the best assets to execute the operation if policy-makers decide to use

cyber force. Here, domestic law overlaps with strategy. Policy-makers’ strategic

imperatives may dictate which domestic legal considerations exist, and these

considerations themselves may influence the strategy that policy-makers pursue.

International Law

The bulk of the normative considerations for the use of cyber force rests in

international law. This constellation of customary law, treaties and base law

encompass the Law of Armed Conflict (LOAC) and are particularly relevant to

cyber force. Despite this fact, LOAC remains the same for cyber force as it does

for the use of force in conventional methods. When considering any use of force

(cyber or otherwise) policy-makers will undoubtedly consider LOAC as well as

Article 3 of the Universal Declaration of Human Rights, which guarantees the

116

right to “life, liberty and security of person”.127 In this regard, cyber force is an

unambiguous case of the applicability of international law to external cyber

operations. For this reason, it requires no elaboration here.

Operational Considerations

Strategic

Operational considerations mark the beginning of separation between

cyber force and more conventional uses of force and strategic considerations

remain paramount in this aspect. The major distinction between these uses of

force is the fact that cyber force is unprecedented. Despite some speculation to

the contrary,128 there is no historical example of a nation-state or non-state actor

using cyber technology to produce effects equivalent to conventional use of

force. Even the Stuxnet virus, by our definition, would not be considered cyber

force, because the effect of intervening with centrifuge operations does not reach

the force threshold.

This fact is a critical strategic concern, because the first use of cyber force

may have greater strategic implications that extend beyond the scope of the

operation itself. Context here, though, is critical. Using cyber force as a force

multiplier of conventional weapons during declared hostilities and against a

well-defined adversary could be analogous to the use of stealth technology in

Panama or Gulf War I. It would simply serve as the first example of new defense

technology. Conversely, the covert use of cyber force or even the use of cyber

force during asymmetrical or low intensity conflict may prove less acceptable.

127 (See, United Nations, supra note 44) 128 As an example, a former Air Force secretary has claimed that the U.S. had created faulty code that the Soviets used in 1982 in a gas pipeline, which caused a massive explosion rivaled only by a nuclear detonation. See (Loney, 2004)

117

Especially with the rise in power of the traditionally powerless,129 policy-

makers must think beyond a realist, sovereign nation, international relations

model and anticipate the strategic consequences of using cyber force from an

individual level. Considering the democratizing power of the Internet and

cyberspace, we would anticipate that any use of cyber force, especially those not

used in conjunction with conventional forces in declared hostilities, would have

negative strategic implications. This could manifest itself simply as loss of

domestic support from the electorate, retaliation from hacktivist groups such as

Anonymous, and/or significant adverse response abroad.

From a theater strategy perspective, we believe that the authority to use

cyber force should, like all other forms of force, rest with the President of the

United States. In his essay “Ten Propositions Regarding Cyberspace Operations”,

Major General Williams argues that the Joint Forces Commander (JFC) should

have command and control over cyberspace within his domain similar to the

control he has of the terrestrial domain.130 Due to the unprecedented nature of

cyber force, delegating authority to the JFC for the use of cyber force would be a

mistake. While General Williams argues that operations in cyberspace are akin to

those in the terrestrial domain, the possibility of collateral damage outside of the

JFC’s area of responsibility (AOR) with cyber capabilities makes them

substantially different. Some limited cyber capabilities may be appropriate at the

JFC level, but not those that may have effects extending beyond their AOR. Had

CENTCOM chosen to use cyber attacks in Iraq in 2003 and its use had severed

banking communications in France, the political and strategic implications

129 For a thorough discussion on the rise of the traditionally powerless and the conditions that have precipitated this change in power dynamic, see (Kellerman, 2008). 130 (See, Williams B. T., supra note 32)

118

would be hard to overstate.131 This is a key example of theater strategy gravely

affecting national strategy.

This analysis does not necessarily suggest that the U.S. should adopt a

blanket no first use policy for cyber force. However compelling arguments may

be for a declared no first use policy for nuclear weapons,132 there is no such

imperative here. Unlike cyber force, nuclear weapons have very little gradation

of effect – it is always catastrophic. Use of a nuclear weapon escalates a conflict to

general war. Using cyber force may be possible in the context of limited war. It is

possible that a very targeted, well-contained first use of cyber force would be an

excellent policy choice normatively, operationally and consequentially. The

burden of proof, however, for such a claim, considering the strategic implications

noted above, would be exceptionally high.

Executional

Regarding cyber force, the primary Executional consideration will be the

potential loss of the vulnerability that enabled its use in the first place. As

mentioned in the framework discussion, cyber weapons are unlike conventional

weapons in that the use of a cyber weapon may mean that its capability for

future use vanishes. This fact is true for any external cyber operation, but it is

particularly relevant here, because the effects of cyber force reveal the nature of

the attack. The adversary would attempt to remedy the vulnerability and the

international computing community would almost certainly work to analyze and

decode the cyber force payload.133 Thus, policy-makers must weigh the

131 This is particularly true in light of the fact that France, and most of Western Europe, was already opposed to Operation Iraqi Freedom. 132 For instance, see (Gerson, 2010). 133 This was in fact exactly the result of the Stuxnet virus. Network security experts have thoroughly analyzed its code by leveraging bulletin boards and various resources on the Internet.

119

operational benefits of employing cyber force with the cost of losing the

capability. Does the operational situation merit the use of a particular cyber

force? Does using cyber force offer more valuable information to the adversary

about U.S. capability, such that its use would become an operational error?

As a secondary Executional concern, the cost of a cyber force must be

considered. While the use of cyber technology may be more cost-effective in

many aspects of external cyber operations, it is not clear that that is the case for

cyber force. The actual execution of code may be minimal, but the time required

to design, gather intelligence, monitor adversary networks, test capabilities, etc.

may be extremely costly. Cyber capabilities at the level of cyber force are not

ubiquitous, nor are they easily achieved. As will be demonstrated in the next

section, cyber force is not necessarily the quickest solution (regardless of the

speed of code execution). For this reason, it may not be the most efficient. This

work is not an exercise in defense budgeting, but the way in which DoD costs its

weaponry will affect the weapon’s attractiveness as a cost-effective solution.

Especially when considering the weapon on a cost per total use basis, cyber force

may not be the ideal solution.

Temporal

As alluded to in the previous section, cyber weaponry may not necessarily

work in milliseconds when analyzed in context. This is particularly true for cyber

force, because the capability often requires extensive planning and preparation.

If speed is a key component in determining the appropriate method of

employing force, cyber may not be the best option.

Though certain aspects of the code remain highly encrypted (and making attribution exceedingly difficult), its use in current form may now be very limited. For an overview of the history of decoding Stuxnet, (See, Zetter, supra note 8) For a technical analysis, see Symantec’s dossier (Falliere, Murchu, & Chien, 2011).

120

Consequential

Domestic

As mentioned in the domestic legal consideration section, cyber force is

predominantly internationally focused. The object of the operation should not be

a U.S. citizen or his property and certainly not one within the U.S. itself. For that

reason, domestic political consequences center mostly on interagency and inter-

branch issues.

The first incorporates the different interests among U.S. agencies, interests

(and vantage points) that may not seem complimentary. These differences self-

evidently originate from distinct missions and concepts of public value.

Regarding cyber force, DoD may find an imperative to act that DoS (for instance)

does not see. Yet any execution of cyber force by DoD will inevitably have

implications for other agencies and their missions. With the case of DoS, their

diplomatic endeavors may suffer. While we will examine the potential effect of

cyber force on U.S. international relations in a subsequent section, it is important

to note here that other agencies have a vested interest in any use of force,

particularly one that is relatively new and poorly understood. The federal

government has rightly endeavored to align the different agencies’ efforts for a

more holistic approach, and it is imperative for DoD to support these initiatives.

Because the use of force has damaging effects, the implications of such

operations for other agencies are even more pronounced. DoS seeks ensure the

safety of U.S. citizens who live abroad, whether for diplomatic, educational,

leisure or business reasons. They must have statements prepared for their host

nations and for diplomats in the U.S. who might request further insight into the

U.S. operation. Treasury may be concerned about the effect a destabilizing event

might have on U.S. economic outlook. Homeland Security may raise the threat

121

level domestically to protect against any immediate retaliation at home. The CIA

may be inclined to prioritize assets on intelligence collection at the locus of the

cyber operation in order to gauge the effectiveness of the operation or the local

response to it.

These are mundane examples of the competing interests among agencies.

What is critical here, however, is that cyber force as not simply a use of force,

but a new form of an armed attack, imposes uncertainty onto other agencies,

markets, and the public. To mitigate any potential destabilization of this

uncertainty, DoD must liaise with other agencies in preparation of the use of

cyber force. Here, domestic political overlaps with temporal considerations. This

may be a time-consuming process and one that may not suit operational

requirements. Were there to be adequate channels to facilitate such dialogue

and/or a unified concept of cyber force among the agencies, this might mitigate

the temporal dilemma. Regardless, the decision to use cyber force will inevitably

require coordination across agencies and Presidential authorization.

The second aspect of domestic political considerations that are particularly

germane to cyber force is the role of Congress and the interaction between the

legislative and executive branches. The issue of Title 10 vs. Title 50 authority will

determine oversight requirements for cyber operations,134 but the use of force

itself may be constrained constitutionally. The constitution rests the power to

declare and fund war with the legislature, though it places the responsibility of

foreign policy on the executive. The War Powers Resolution has attempted to

clarify that relationship, although virtually every president has claimed that the

legislation infringes on the executives authority.135 At issue here, therefore, is the

134 (Chesney, 2011) 135 (Library of Congress, 2011)

122

extent to which the executive branch may use cyber force without declared

hostilities. As using cyber force doesn’t require the deploying of military forces,

it may create a dilemma for congressional oversight. Ensuring proper

authorization and a real need to use force may require new legislation.

International

The NRC report rightly observes that U.S. cyber operations have the

potential to interfere with similar operations of our allied nations.136 When

considering the damaging effects of cyber force, the U.S. should liaise with allied

nations to discuss possible conflict with their cyber operations. There are myriad

ways in which U.S. cyber operations could affect those of our allies, but what is

critical here is the recognition that, particularly with cyber force, the U.S. should

deconflict with friendly nations operating on the systems the U.S. plans to

exploit.

Also, because cyberspace is a rapidly developing domain, there is great

potential for norm-setting. Psychologically, there are various reasons for

conforming to a particular conduct, and unanimity of action is one of the more

potent methods of strengthening conformity.137 Thus, it would benefit the U.S. to

support the conduct it would wish to become the norm. That is, if the U.S. has an

interest, as it likely does, in restricting the use of cyber force internationally, then

it should seek to adhere to this standard.

Soft Power

Over the past decade, hard power has dominated U.S. foreign policy often

to the detriment of U.S. influence and national security. To avoid such missteps

136 (See, National Research Council, supra note 20) 137 Over time, individuals internalize the norm, making it the most powerful determinant in conformity. For a brief overview, see (Williams R. , 1992)

123

in cyberspace, policy-makers should analyze the way the international

community will interpret American use of cyber force. While this may seem self-

evident, especially in light of the fact that we have often equated cyber force with

other uses of force, there are relevant distinctions for force executed through

cyberspace.

First, the history of cyberspace (and particularly the Internet) has

overwhelmingly been driven by non-military use. The inherent insecurity with

current global networks stems predominantly from the fact that the Internet was

originally designed for openness and flexibility.138 Security has always been a

secondary concern. For this reason, the overwhelming majority of users of

cyberspace place a premium on the nature of the Internet as an open,

empowering medium. Use of cyber force may alter foreign perception of the U.S.

as trying to militarize cyberspace. The Chinese have already asserted that, by

creating CYBERCOM, the U.S. has indeed done exactly that.139 An actual use of

cyber force might convince others that the Chinese argument has merit.

For that reason, cyber force, as the sole aspect of an operation, may be

counterproductive to U.S. interests if the destructive effect were large enough, if

there were significant collateral damage, or if the targets were non-state actors.

Drone strikes against Tehrik-i-Talibani (TTP) in the tribal areas of Pakistan are

contentious enough (and certainly have a cost in terms of U.S. soft power).

Targeting any insurgent or terrorist group through cyber means may prove even

more costly.

As described in the “Strategic” section above, cyber force as an aspect of a

coordinated (and legitimized) military operation may appear to the international

138 (Froehlich & Kent, 1998) 139 (Segal, 2011)

124

public as new U.S. military technology and not civilian technology co-opted by

the world’s remaining hegemon for military purposes. This is a critical

distinction, and the context of using cyber force may drive the way it is perceived

abroad and hence the way such an operation affects American soft power.

Systemic

Systemic implications for cyber force have the potential to be significant.

From one perspective, an actual, documented use of cyber force is a powerful

motivator for cyberspace. While current discussions of cybersecurity are often

technical, hypothetical and dramatic – many times to the point of seeming

alarmist – the image of a destroyed electrical power station could change the way

society perceives connectivity.

In a positive way, individuals may recognize the need for greater personal

involvement in promoting cybersecurity. Private industry and entrepreneurs

may identify for-profit services (above and beyond current offerings) that

emphasize securing networks. Administrators and non-governmental bodies

may have greater success in addressing systemic issues with the current

networking structures in cyberspace (such as IPv4, and border gateway protocol

(BGP) and domain name server (DNS) vulnerabilities). In much the same way

that the September 11th terrorist attacks changed the way Americans perceive

security, an actual act of cyber force may have the same impact.

Yet an act of cyber force may have a completely different effect. The

current nature of cyberspace is determined as much by norms and perceptions as

it is by the laws of code. Companies have been employing the technologies of

connectivity for great social surplus, whether through online banking, e-

commerce, or electric smart grids. How such companies may react should they

find themselves operating in a newly perceived “battlespace” is unknown.

125

Would the threat of cyber force limit businesses’ investment in network

connectivity? Perhaps the threat of being targeted may make transactions more

costly and force businesses to alter the way they operate in cyberspace. This has

not been the case for other, less destructive forms of cyber operations. But as

mentioned multiple times before, cyber force is unprecedented.

Though many of the other considerations in our framework are common

(and applicable) to other forms of military force, systemic considerations are

entirely new. Consequently, they are very hard to predict. But it is imperative for

policy-makers to recognize that in the developing medium of cyberspace,

significant actions have serious, literally paradigm-shifting, consequences.

Example Scenario

To synthesize the considerations detailed extensively above, consider the

following scenario:

In support of overseas contingency operations (OCO), the United States

intelligence community (IC) has successfully located a high value target (HVT) in a

major city in Ardia. Ardia is a country with which the U.S. has normalized relations, but

whose population has very low approval ratings of the U.S. The HVT assists in financing

a major terrorist organization, and is known to have funneled over $250M from donors

around the globe to various arms of the organization. Through SIGINT and HUMINT,

the IC believes they have located the HVT in a specific apartment complex where he has

amassed a series of computers to support international crime and his laundering

activities.

DoD is aware of a vulnerability in a particular personal computer that allows the

attacker to control the battery management microprocessor to make the battery explode.140

140 (Sutter, 2011)

126

IC believes that the HVT is using 3 of these computers in his “control room” and DoD

believes that they can exploit the vulnerability to engage the target. Because of the size of

the batteries, DoD estimates that there would be little to no fragmentation effects in

neighboring apartments, though the HVT would probably be eliminated.

Determining whether DoD should contact the cyber operation, we can

again use our framework. Though lethal targeting of a foreign national suspected

of supporting terrorist organizations may be ethically questionable, we can cede

this point based on precedent.141 Legally, the executive could justify such force

through the AUMF and the inherent right to self-defense (which it has done in

the past as well). The case under international law is more problematic, as the

executive would still have to ensure necessity, proportionality and distinction. In

fact, it is unknown whether the HVT is the sole user of the computers. He does

live with his wife and three children, though the IC claims that they are aware

when the HVT is alone in the apartment.

Operationally this cyber operation appears to support the overall strategic

goal of disrupting the terrorist organization. There are, however, very serious

questions about the relations between Ardia and the U.S. and whether targeting

an individual within its sovereign territory is best for the two countries’

relations. Also, America has a greater strategic objective of stability within the

region that may be harmed by the operation. Operationally, this exploit is well

known and its use does not necessarily prevent its future use, nor is it a more

significantly developed exploit. Temporally, cyber force would be a good option,

because the HVT has no set pattern of being in his apartment and a quick strike

would be required. Also, the exploit is currently available and waiting.

141 We have already raised the example of drone strikes on known or suspected insurgents or terrorists.

127

Though the strategic consideration for the operation is troubling,

consequential factors bring even greater uncertainty. The American people are

overwhelmingly in favor of such strikes, because they do not put troops in

harm’s way. There is also broad support within Congress for supporting

counterterrorism operations. Regarding soft power, however, this operation

becomes less appealing. Polls in Ardia and within the region show that targeted

killings of suspected terrorists have eroded American influence. It is becoming

increasingly more difficult for Ardian politicians to support American priorities,

even when they are in line with Ardian aims. Allied nations in the West have

condemned American use of targeted killings. If the cyber force were in fact to

harm one of the HVT’s family members instead of the HVT, this would have

profound implications for U.S. soft power abroad. It is also unknown how our

allies would react to killing through the suspected terrorist’s computers, vice

through purely military means. Currently, DoD is unaware of any other allied

operations concerning this particular HVT. DoD is leery to share this data as the

U.S. has been searching for this HVT for many years. This would also be the first

use of cyber force and the international implications are unclear. Lastly, the effect

of using cyber force on the nature of the Internet is unknown. It is possible that

this type of operation is limited enough in scope to have minimal effect.

In such a situation, our recommendation would be to refrain from using

cyber force for primarily ethical and consequential reasons. First, we believe that

the use of force in cyberspace, as a new and unique medium, requires biasing

toward prudence. Without a clear ability to determine distinction, the U.S. would

fail to uphold the LOAC. This in turn may have serious implications for U.S.

strategy in the region as well as for U.S. relations with Western allies.

128

Policy Recommendations

1) Use of cyber force must conform to all laws governing the use of force. In

particular cyber force must conform to the LOAC, especially regarding

proportionality and distinction, and the UN Charter. If these factors

cannot be assured, cyber force is not the correct weapon.

2) If overt, cyber force should be limited in scope with assurance that any

operation has minor if any spillover effects.

3) Cyber force should be coordinated with our allied partners and perhaps

legitimized through a multi-national body (NATO at least, U.N. if possible

or required).

4) Cyber force should be in concert with traditional military force and as

targeted as possible.

5) Catastrophic (i.e. expansive and destructive) use of cyber force should

only be considered for retaliatory measures or in conjunction with

prolonged, declared, large-scale hostilities.

6) The President should set a declaratory policy that clearly defines what

constitutes a use of force and relate this to cyber force. We recommend the

following effects based statement, “Any action in cyberspace which

directly place at risk the life of U.S. citizens constitutes an armed attack

against the U.S, and will be responded to at a time, place, and manner of

our choosing in accordance with domestic and international law.”