lorem, ipsum
111
VII. Cyber Force Cyber Action Overall Severity of Implication Recommendations
Cyber Force
x Do not engage in cyber force unless the
following conditions are met: o Conforming to LOAC o Minor or no spillover effects (if overt) o Coordinated with allied partners and
legitimized through multi-national body o In concert with traditional military force
and as targeted as possible o Limit use of catastrophic cyber force to
situations of declared general warfare.
Description
As described in our ontology, cyber force includes cyber attacks with such
substantial physical effects that they rise to a level that ought to be considered a
“use of force” under international law. Although the general international norms
of use of force stem from the UN Charter Article 2(4), the actual bounds of
“force” are nebulous.120 This is true not only for cyber operations, but has also
been true for physical ones in which the concept of “I know it when I see it”121
has become predominant. In his 2002 paper “Information Warfare and
International Law on the Use of Force”, Jason Barkham suggests that the
definition of “force” must change in order to accommodate new technologies in
information warfare (IW).122 As of this writing, however, there have been no such
clarifying distinctions.
120 (Hoisington, 2009) 121 (Jacobellis v. Ohio, 1964) 122 Barkham argues that either the application of Article 2(4) must change or the international community must develop a new standard, possibly through treaties. See (Barkham, 2002)
112
For the purpose of this work, a precise definition of “use of force” is not
required, but only recognition of the criteria for determining what qualifies a use
of force. To avoid questions of means and target sets that make applying cyber
operations to the traditional definitions of “use of force” difficult, we have
focused on the effect of the an operation as the most appropriate metric to judge
if something is a “use of force.” If a cyber operation were to result in physical
injury or death such that conventional means of achieving the same ends would
be considered a “use of force,” then the cyber operation is “cyber force.”
Similarly, if the cyber capability can be employed in a manner that could be
reasonably perceived as intent to cause physical injury or death similar to effects
caused by traditional kinetic weapons, then this cyber operation is “cyber force”.
In this regard, therefore, we have limited this definition to cyber attacks with the
potential for direct lethal effects.
This description may seem to lack nuance, but our intention is to provide
clarity for policy-makers who may otherwise feel paralyzed by the technical
aspects of cyberspace or the difficulty in applying traditional military conceptual
frameworks to cyber operations. For this reason, it is our contention that the
main driver for policy-makers should not be the specific means of the
operation,123 but rather the effect that that operation produces.124 Also, it is
123 In “Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities”, the National Academy of Sciences offers the example of blockade and sanctions to describe the way means, not effects, differentiates a use of force from an action which does not meet that criteria. It is an important distinction for consideration, but one that does not apply here. In our conceptualization, the appropriate analogy for cyber force is not with blockade or sanctions, but with conventional weapon type. (See, National Research Council, supra note 20) 124 An appropriate example would be the contention that lines of code in and of themselves are not weapons, and thus a destructive operation that solely relies on the use of code could not reach the threshold of “use of force”. This is an erroneous assertion. It is precisely the code in Joint Direct Attack Munitions (JDAM) that makes it effective, requiring the military to use less payload and resulting in smaller circular errors of probability (CEP). As a function of payload required to technology available (i.e. computer code), we can identify that the more technology
113
important to note that in discussing cyber force, we are focusing on the specific
execution of code that directly resulted in the effects constituting a use of force.
We do not broaden this definition to include supporting cyber operations (such
as cyber information collection) that may enable DoD’s use of cyber force.
In that regard, the following
analysis of cyber force requires the
policy-maker to conceptualize the
external cyber operation as
essentially equivalent to a conventional operation that has effects that would be
considered a use of force. From this vantage point, it will become obvious that
the majority of the considerations from our framework for cyber force
correspond to the same considerations for conventional uses of force.
Policy Analysis
Normative Considerations
Ethical
Ethical considerations for cyber force mirror those for conventional
operations that are considered use of force. Just war theory and particularly the
concepts of jus ad bellum and jus in bello apply. With regard to cyber force, as a
type of weapon, there should be no ethical distinction between the use of cyber
force and any other type of attack that results in effects commensurate with the
use of force.
available, the less payload is required for any given level of effect. Thus, it is arguable that cyber force represents the logical conclusion to a capability of zero payload required for the same effect, because of greater technology available.
114
Although the ethical considerations are the same, the ability to meet those
standards may be more difficult in cyber force. The requirements for distinction,
proportionality and attribution, as noted above, are problematic in cyberspace.
When considering the use of cyber force, policy-makers should emphasize the
possibility of collateral damage from unforeseen spillover due to network
connectivity. In 2003, it is reported the U.S. chose not to conduct cyber attacks on
Iraqi banks because of their connection connection to French financial networks.
It was feared an errant cyber weapon might disrupt ATM service in Europe.125
We recommend that policy-makers continue to bias toward prudence in order to
ensure the primacy of these ethical considerations.
This bias would have implications for the rare (though not inconceivable)
use of cyber force against American citizens residing outside the U.S. who had
become involved in terrorist plots against the U.S. The recent killing of U.S.
citizen Anwar Al-Awlaki in Yemen for his ties to Al Qaeda in the Arabian
Peninsula (AQAP) demonstrates this issue.126 Were the method for the killing
cyber force instead of a drone strike, the ethical (and in fact legal) issues remain
the same. Here the considerations of ethics, law and soft power overlap. Not only
does the U.S. hold strong convictions regarding the principle of “guilty until
proven innocent” as guaranteed by the constitution, but the effect of such force
on the attractiveness of the U.S. abroad also has consequences on American soft
power. This is not to pass judgment on the Al-Awlaki killing as an extension of
counterterrorism operations, but it is a relevant analogy for U.S. use of cyber
force. We believe that policy-makers should prioritize the ethical and legal
125 (Smith, 2003) 126 For a general overview of the legal debate regarding the Al-Awlaki killing see (Williams C. J., 2011)
115
dimensions in their decision making for the greater strategic and soft power
aims.
Domestic Law
The domestic legal considerations for cyber force are limited, because
cyber force is essentially an external operation directed at other nation states or
non-state actors. And because we have limited our definition of cyber force to the
proximal cause of the force, domestic law concerning the citizenry has little
applicability (aside from the issue raised above under ethical considerations).
Questions of privacy, surveillance or seizure are generally not relevant.
The issue of Title 10 and Title 50 authority, however, does apply here as a
consideration for the assets used to conduct the cyber force. Because resident
expertise resides within DoD, the CIA and the NSA, the context will most likely
dictate the best assets to execute the operation if policy-makers decide to use
cyber force. Here, domestic law overlaps with strategy. Policy-makers’ strategic
imperatives may dictate which domestic legal considerations exist, and these
considerations themselves may influence the strategy that policy-makers pursue.
International Law
The bulk of the normative considerations for the use of cyber force rests in
international law. This constellation of customary law, treaties and base law
encompass the Law of Armed Conflict (LOAC) and are particularly relevant to
cyber force. Despite this fact, LOAC remains the same for cyber force as it does
for the use of force in conventional methods. When considering any use of force
(cyber or otherwise) policy-makers will undoubtedly consider LOAC as well as
Article 3 of the Universal Declaration of Human Rights, which guarantees the
116
right to “life, liberty and security of person”.127 In this regard, cyber force is an
unambiguous case of the applicability of international law to external cyber
operations. For this reason, it requires no elaboration here.
Operational Considerations
Strategic
Operational considerations mark the beginning of separation between
cyber force and more conventional uses of force and strategic considerations
remain paramount in this aspect. The major distinction between these uses of
force is the fact that cyber force is unprecedented. Despite some speculation to
the contrary,128 there is no historical example of a nation-state or non-state actor
using cyber technology to produce effects equivalent to conventional use of
force. Even the Stuxnet virus, by our definition, would not be considered cyber
force, because the effect of intervening with centrifuge operations does not reach
the force threshold.
This fact is a critical strategic concern, because the first use of cyber force
may have greater strategic implications that extend beyond the scope of the
operation itself. Context here, though, is critical. Using cyber force as a force
multiplier of conventional weapons during declared hostilities and against a
well-defined adversary could be analogous to the use of stealth technology in
Panama or Gulf War I. It would simply serve as the first example of new defense
technology. Conversely, the covert use of cyber force or even the use of cyber
force during asymmetrical or low intensity conflict may prove less acceptable.
127 (See, United Nations, supra note 44) 128 As an example, a former Air Force secretary has claimed that the U.S. had created faulty code that the Soviets used in 1982 in a gas pipeline, which caused a massive explosion rivaled only by a nuclear detonation. See (Loney, 2004)
117
Especially with the rise in power of the traditionally powerless,129 policy-
makers must think beyond a realist, sovereign nation, international relations
model and anticipate the strategic consequences of using cyber force from an
individual level. Considering the democratizing power of the Internet and
cyberspace, we would anticipate that any use of cyber force, especially those not
used in conjunction with conventional forces in declared hostilities, would have
negative strategic implications. This could manifest itself simply as loss of
domestic support from the electorate, retaliation from hacktivist groups such as
Anonymous, and/or significant adverse response abroad.
From a theater strategy perspective, we believe that the authority to use
cyber force should, like all other forms of force, rest with the President of the
United States. In his essay “Ten Propositions Regarding Cyberspace Operations”,
Major General Williams argues that the Joint Forces Commander (JFC) should
have command and control over cyberspace within his domain similar to the
control he has of the terrestrial domain.130 Due to the unprecedented nature of
cyber force, delegating authority to the JFC for the use of cyber force would be a
mistake. While General Williams argues that operations in cyberspace are akin to
those in the terrestrial domain, the possibility of collateral damage outside of the
JFC’s area of responsibility (AOR) with cyber capabilities makes them
substantially different. Some limited cyber capabilities may be appropriate at the
JFC level, but not those that may have effects extending beyond their AOR. Had
CENTCOM chosen to use cyber attacks in Iraq in 2003 and its use had severed
banking communications in France, the political and strategic implications
129 For a thorough discussion on the rise of the traditionally powerless and the conditions that have precipitated this change in power dynamic, see (Kellerman, 2008). 130 (See, Williams B. T., supra note 32)
118
would be hard to overstate.131 This is a key example of theater strategy gravely
affecting national strategy.
This analysis does not necessarily suggest that the U.S. should adopt a
blanket no first use policy for cyber force. However compelling arguments may
be for a declared no first use policy for nuclear weapons,132 there is no such
imperative here. Unlike cyber force, nuclear weapons have very little gradation
of effect – it is always catastrophic. Use of a nuclear weapon escalates a conflict to
general war. Using cyber force may be possible in the context of limited war. It is
possible that a very targeted, well-contained first use of cyber force would be an
excellent policy choice normatively, operationally and consequentially. The
burden of proof, however, for such a claim, considering the strategic implications
noted above, would be exceptionally high.
Executional
Regarding cyber force, the primary Executional consideration will be the
potential loss of the vulnerability that enabled its use in the first place. As
mentioned in the framework discussion, cyber weapons are unlike conventional
weapons in that the use of a cyber weapon may mean that its capability for
future use vanishes. This fact is true for any external cyber operation, but it is
particularly relevant here, because the effects of cyber force reveal the nature of
the attack. The adversary would attempt to remedy the vulnerability and the
international computing community would almost certainly work to analyze and
decode the cyber force payload.133 Thus, policy-makers must weigh the
131 This is particularly true in light of the fact that France, and most of Western Europe, was already opposed to Operation Iraqi Freedom. 132 For instance, see (Gerson, 2010). 133 This was in fact exactly the result of the Stuxnet virus. Network security experts have thoroughly analyzed its code by leveraging bulletin boards and various resources on the Internet.
119
operational benefits of employing cyber force with the cost of losing the
capability. Does the operational situation merit the use of a particular cyber
force? Does using cyber force offer more valuable information to the adversary
about U.S. capability, such that its use would become an operational error?
As a secondary Executional concern, the cost of a cyber force must be
considered. While the use of cyber technology may be more cost-effective in
many aspects of external cyber operations, it is not clear that that is the case for
cyber force. The actual execution of code may be minimal, but the time required
to design, gather intelligence, monitor adversary networks, test capabilities, etc.
may be extremely costly. Cyber capabilities at the level of cyber force are not
ubiquitous, nor are they easily achieved. As will be demonstrated in the next
section, cyber force is not necessarily the quickest solution (regardless of the
speed of code execution). For this reason, it may not be the most efficient. This
work is not an exercise in defense budgeting, but the way in which DoD costs its
weaponry will affect the weapon’s attractiveness as a cost-effective solution.
Especially when considering the weapon on a cost per total use basis, cyber force
may not be the ideal solution.
Temporal
As alluded to in the previous section, cyber weaponry may not necessarily
work in milliseconds when analyzed in context. This is particularly true for cyber
force, because the capability often requires extensive planning and preparation.
If speed is a key component in determining the appropriate method of
employing force, cyber may not be the best option.
Though certain aspects of the code remain highly encrypted (and making attribution exceedingly difficult), its use in current form may now be very limited. For an overview of the history of decoding Stuxnet, (See, Zetter, supra note 8) For a technical analysis, see Symantec’s dossier (Falliere, Murchu, & Chien, 2011).
120
Consequential
Domestic
As mentioned in the domestic legal consideration section, cyber force is
predominantly internationally focused. The object of the operation should not be
a U.S. citizen or his property and certainly not one within the U.S. itself. For that
reason, domestic political consequences center mostly on interagency and inter-
branch issues.
The first incorporates the different interests among U.S. agencies, interests
(and vantage points) that may not seem complimentary. These differences self-
evidently originate from distinct missions and concepts of public value.
Regarding cyber force, DoD may find an imperative to act that DoS (for instance)
does not see. Yet any execution of cyber force by DoD will inevitably have
implications for other agencies and their missions. With the case of DoS, their
diplomatic endeavors may suffer. While we will examine the potential effect of
cyber force on U.S. international relations in a subsequent section, it is important
to note here that other agencies have a vested interest in any use of force,
particularly one that is relatively new and poorly understood. The federal
government has rightly endeavored to align the different agencies’ efforts for a
more holistic approach, and it is imperative for DoD to support these initiatives.
Because the use of force has damaging effects, the implications of such
operations for other agencies are even more pronounced. DoS seeks ensure the
safety of U.S. citizens who live abroad, whether for diplomatic, educational,
leisure or business reasons. They must have statements prepared for their host
nations and for diplomats in the U.S. who might request further insight into the
U.S. operation. Treasury may be concerned about the effect a destabilizing event
might have on U.S. economic outlook. Homeland Security may raise the threat
121
level domestically to protect against any immediate retaliation at home. The CIA
may be inclined to prioritize assets on intelligence collection at the locus of the
cyber operation in order to gauge the effectiveness of the operation or the local
response to it.
These are mundane examples of the competing interests among agencies.
What is critical here, however, is that cyber force as not simply a use of force,
but a new form of an armed attack, imposes uncertainty onto other agencies,
markets, and the public. To mitigate any potential destabilization of this
uncertainty, DoD must liaise with other agencies in preparation of the use of
cyber force. Here, domestic political overlaps with temporal considerations. This
may be a time-consuming process and one that may not suit operational
requirements. Were there to be adequate channels to facilitate such dialogue
and/or a unified concept of cyber force among the agencies, this might mitigate
the temporal dilemma. Regardless, the decision to use cyber force will inevitably
require coordination across agencies and Presidential authorization.
The second aspect of domestic political considerations that are particularly
germane to cyber force is the role of Congress and the interaction between the
legislative and executive branches. The issue of Title 10 vs. Title 50 authority will
determine oversight requirements for cyber operations,134 but the use of force
itself may be constrained constitutionally. The constitution rests the power to
declare and fund war with the legislature, though it places the responsibility of
foreign policy on the executive. The War Powers Resolution has attempted to
clarify that relationship, although virtually every president has claimed that the
legislation infringes on the executives authority.135 At issue here, therefore, is the
134 (Chesney, 2011) 135 (Library of Congress, 2011)
122
extent to which the executive branch may use cyber force without declared
hostilities. As using cyber force doesn’t require the deploying of military forces,
it may create a dilemma for congressional oversight. Ensuring proper
authorization and a real need to use force may require new legislation.
International
The NRC report rightly observes that U.S. cyber operations have the
potential to interfere with similar operations of our allied nations.136 When
considering the damaging effects of cyber force, the U.S. should liaise with allied
nations to discuss possible conflict with their cyber operations. There are myriad
ways in which U.S. cyber operations could affect those of our allies, but what is
critical here is the recognition that, particularly with cyber force, the U.S. should
deconflict with friendly nations operating on the systems the U.S. plans to
exploit.
Also, because cyberspace is a rapidly developing domain, there is great
potential for norm-setting. Psychologically, there are various reasons for
conforming to a particular conduct, and unanimity of action is one of the more
potent methods of strengthening conformity.137 Thus, it would benefit the U.S. to
support the conduct it would wish to become the norm. That is, if the U.S. has an
interest, as it likely does, in restricting the use of cyber force internationally, then
it should seek to adhere to this standard.
Soft Power
Over the past decade, hard power has dominated U.S. foreign policy often
to the detriment of U.S. influence and national security. To avoid such missteps
136 (See, National Research Council, supra note 20) 137 Over time, individuals internalize the norm, making it the most powerful determinant in conformity. For a brief overview, see (Williams R. , 1992)
123
in cyberspace, policy-makers should analyze the way the international
community will interpret American use of cyber force. While this may seem self-
evident, especially in light of the fact that we have often equated cyber force with
other uses of force, there are relevant distinctions for force executed through
cyberspace.
First, the history of cyberspace (and particularly the Internet) has
overwhelmingly been driven by non-military use. The inherent insecurity with
current global networks stems predominantly from the fact that the Internet was
originally designed for openness and flexibility.138 Security has always been a
secondary concern. For this reason, the overwhelming majority of users of
cyberspace place a premium on the nature of the Internet as an open,
empowering medium. Use of cyber force may alter foreign perception of the U.S.
as trying to militarize cyberspace. The Chinese have already asserted that, by
creating CYBERCOM, the U.S. has indeed done exactly that.139 An actual use of
cyber force might convince others that the Chinese argument has merit.
For that reason, cyber force, as the sole aspect of an operation, may be
counterproductive to U.S. interests if the destructive effect were large enough, if
there were significant collateral damage, or if the targets were non-state actors.
Drone strikes against Tehrik-i-Talibani (TTP) in the tribal areas of Pakistan are
contentious enough (and certainly have a cost in terms of U.S. soft power).
Targeting any insurgent or terrorist group through cyber means may prove even
more costly.
As described in the “Strategic” section above, cyber force as an aspect of a
coordinated (and legitimized) military operation may appear to the international
138 (Froehlich & Kent, 1998) 139 (Segal, 2011)
124
public as new U.S. military technology and not civilian technology co-opted by
the world’s remaining hegemon for military purposes. This is a critical
distinction, and the context of using cyber force may drive the way it is perceived
abroad and hence the way such an operation affects American soft power.
Systemic
Systemic implications for cyber force have the potential to be significant.
From one perspective, an actual, documented use of cyber force is a powerful
motivator for cyberspace. While current discussions of cybersecurity are often
technical, hypothetical and dramatic – many times to the point of seeming
alarmist – the image of a destroyed electrical power station could change the way
society perceives connectivity.
In a positive way, individuals may recognize the need for greater personal
involvement in promoting cybersecurity. Private industry and entrepreneurs
may identify for-profit services (above and beyond current offerings) that
emphasize securing networks. Administrators and non-governmental bodies
may have greater success in addressing systemic issues with the current
networking structures in cyberspace (such as IPv4, and border gateway protocol
(BGP) and domain name server (DNS) vulnerabilities). In much the same way
that the September 11th terrorist attacks changed the way Americans perceive
security, an actual act of cyber force may have the same impact.
Yet an act of cyber force may have a completely different effect. The
current nature of cyberspace is determined as much by norms and perceptions as
it is by the laws of code. Companies have been employing the technologies of
connectivity for great social surplus, whether through online banking, e-
commerce, or electric smart grids. How such companies may react should they
find themselves operating in a newly perceived “battlespace” is unknown.
125
Would the threat of cyber force limit businesses’ investment in network
connectivity? Perhaps the threat of being targeted may make transactions more
costly and force businesses to alter the way they operate in cyberspace. This has
not been the case for other, less destructive forms of cyber operations. But as
mentioned multiple times before, cyber force is unprecedented.
Though many of the other considerations in our framework are common
(and applicable) to other forms of military force, systemic considerations are
entirely new. Consequently, they are very hard to predict. But it is imperative for
policy-makers to recognize that in the developing medium of cyberspace,
significant actions have serious, literally paradigm-shifting, consequences.
Example Scenario
To synthesize the considerations detailed extensively above, consider the
following scenario:
In support of overseas contingency operations (OCO), the United States
intelligence community (IC) has successfully located a high value target (HVT) in a
major city in Ardia. Ardia is a country with which the U.S. has normalized relations, but
whose population has very low approval ratings of the U.S. The HVT assists in financing
a major terrorist organization, and is known to have funneled over $250M from donors
around the globe to various arms of the organization. Through SIGINT and HUMINT,
the IC believes they have located the HVT in a specific apartment complex where he has
amassed a series of computers to support international crime and his laundering
activities.
DoD is aware of a vulnerability in a particular personal computer that allows the
attacker to control the battery management microprocessor to make the battery explode.140
140 (Sutter, 2011)
126
IC believes that the HVT is using 3 of these computers in his “control room” and DoD
believes that they can exploit the vulnerability to engage the target. Because of the size of
the batteries, DoD estimates that there would be little to no fragmentation effects in
neighboring apartments, though the HVT would probably be eliminated.
Determining whether DoD should contact the cyber operation, we can
again use our framework. Though lethal targeting of a foreign national suspected
of supporting terrorist organizations may be ethically questionable, we can cede
this point based on precedent.141 Legally, the executive could justify such force
through the AUMF and the inherent right to self-defense (which it has done in
the past as well). The case under international law is more problematic, as the
executive would still have to ensure necessity, proportionality and distinction. In
fact, it is unknown whether the HVT is the sole user of the computers. He does
live with his wife and three children, though the IC claims that they are aware
when the HVT is alone in the apartment.
Operationally this cyber operation appears to support the overall strategic
goal of disrupting the terrorist organization. There are, however, very serious
questions about the relations between Ardia and the U.S. and whether targeting
an individual within its sovereign territory is best for the two countries’
relations. Also, America has a greater strategic objective of stability within the
region that may be harmed by the operation. Operationally, this exploit is well
known and its use does not necessarily prevent its future use, nor is it a more
significantly developed exploit. Temporally, cyber force would be a good option,
because the HVT has no set pattern of being in his apartment and a quick strike
would be required. Also, the exploit is currently available and waiting.
141 We have already raised the example of drone strikes on known or suspected insurgents or terrorists.
127
Though the strategic consideration for the operation is troubling,
consequential factors bring even greater uncertainty. The American people are
overwhelmingly in favor of such strikes, because they do not put troops in
harm’s way. There is also broad support within Congress for supporting
counterterrorism operations. Regarding soft power, however, this operation
becomes less appealing. Polls in Ardia and within the region show that targeted
killings of suspected terrorists have eroded American influence. It is becoming
increasingly more difficult for Ardian politicians to support American priorities,
even when they are in line with Ardian aims. Allied nations in the West have
condemned American use of targeted killings. If the cyber force were in fact to
harm one of the HVT’s family members instead of the HVT, this would have
profound implications for U.S. soft power abroad. It is also unknown how our
allies would react to killing through the suspected terrorist’s computers, vice
through purely military means. Currently, DoD is unaware of any other allied
operations concerning this particular HVT. DoD is leery to share this data as the
U.S. has been searching for this HVT for many years. This would also be the first
use of cyber force and the international implications are unclear. Lastly, the effect
of using cyber force on the nature of the Internet is unknown. It is possible that
this type of operation is limited enough in scope to have minimal effect.
In such a situation, our recommendation would be to refrain from using
cyber force for primarily ethical and consequential reasons. First, we believe that
the use of force in cyberspace, as a new and unique medium, requires biasing
toward prudence. Without a clear ability to determine distinction, the U.S. would
fail to uphold the LOAC. This in turn may have serious implications for U.S.
strategy in the region as well as for U.S. relations with Western allies.
128
Policy Recommendations
1) Use of cyber force must conform to all laws governing the use of force. In
particular cyber force must conform to the LOAC, especially regarding
proportionality and distinction, and the UN Charter. If these factors
cannot be assured, cyber force is not the correct weapon.
2) If overt, cyber force should be limited in scope with assurance that any
operation has minor if any spillover effects.
3) Cyber force should be coordinated with our allied partners and perhaps
legitimized through a multi-national body (NATO at least, U.N. if possible
or required).
4) Cyber force should be in concert with traditional military force and as
targeted as possible.
5) Catastrophic (i.e. expansive and destructive) use of cyber force should
only be considered for retaliatory measures or in conjunction with
prolonged, declared, large-scale hostilities.
6) The President should set a declaratory policy that clearly defines what
constitutes a use of force and relate this to cyber force. We recommend the
following effects based statement, “Any action in cyberspace which
directly place at risk the life of U.S. citizens constitutes an armed attack
against the U.S, and will be responded to at a time, place, and manner of
our choosing in accordance with domestic and international law.”