U.S. Cyber Policy – Course and Legal Aspects

August 28, 2013 by Dimitar Kostadinov


Cyber policy is an important issue that many would describe as still pending. Even leading nations struggle to get a good grip on the political and legal implications that emerged with the globalization of the Internet. With respect to cyberspace, the U.S. government, like every other government, pursues its own agenda. This article reviews some of the key U.S. positions on shaping an advantageous cyber policy. It also includes a summary of the recently revealed Presidential Policy Directive-20.

U.S. position on International Law as a Framework for Regulating Cyberspace

Many non-lawyers are time and again captivated by the idea that cyber weapons operate in a legal void and that international law as a whole does not apply to cyberspace. That is not exactly the case, however, according to experts in the field (Roston, 2012).

As a basic rule, the U.S. administration also supports the view that cyberspace is subject to the letter of international law, a fact affirmed, for instance, by a study conducted by the National Research Council and by a statement made by President Obama back in May 2011 (International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World). The subtle point, however, is that this international law should be interpreted broadly, in a way that would untie the hands of the U.S. government toward nearly unfettered authorisation of resort to force in the sense of the U.N. Charter (Article 51) (O'Connell, 2012).

On the compliance matter, the State Department Legal Advisor Harold Koh announces:

Because compliance with international law frees us to do more, and do more legitimately, in cyberspace, in a way that more fully promotes our national interests. Compliance with international law in cyberspace is part and parcel of our broader "smart power" approach to international law as part of U.S. foreign policy. (Koh, 2012)

Despite such reassurances of a national course conforming strictly to all international provisions, criticism is not lacking. Many deem that the government merely cites international law as a guise, pointing out that violations have occurred a number of times before, e.g., the continuing affairs conducted in the Guantanamo Bay detention camp situated at the U.S. naval base in Cuba, and the rumour afloat that the USA and Israel are to be blamed for the Stuxnet release (O'Connell, 2012).

Policy of Deterrence:

"…the only thing we have to fear is...fear itself" Franklin D. Roosevelt

U.S. declaratory postures in relation to cyber attacks affecting its interests put strategic opponents and rogue actors on notice. This policy is known as deterrence (Waxman, 2013).

Deterrence of adversaries is an old and proven doctrine (e.g., Nuclear Deterrence). Hence, it is no wonder that deterrence is a cornerstone of the U.S. military strategy. Nonetheless, given the existence of the attribution problem, many experts doubt that this proven policy would work in a 'murky' environment, i.e., cyberspace (National Research Council of The National Academies, 2009).

An integral part of the doctrine in its purest form relies on equivocal and indirect actions and statements that imply readiness to unleash the full military capacity that a nation possesses. Then, to protect its assets, the United States may count either on the big stick (the equivocal response) or on legal recourse as a viable option for peacefully settling certain international conflicts (Muir, Jr., 2011).

Hypothetically speaking, at least one prong of the U.S. security strategy builds on the classic military defense model, which invariably includes the deterrence model. Pursuant to this strategy, in the event of cyber attacks, the United States has reciprocation as a first response and military power as a second (Waxman, 2011).

Below you can see a layout of the feasible policy alternatives at hand in international conflicts, such as those that may eventually be provoked by cyber attacks.

For what it is worth, the USA will continue to place its legal and political bets on its unmatched military advantage to deter cyber attacks, and at the same time to supplement that deterrence paradigm with offensive, defensive, and preemptive cyber capabilities of its own. Under these circumstances, and given the pursuit of different combinations of strategic opportunities and risks, finding common ground with other major powers on that topic will be highly unlikely (Waxman, 2013).

However, Jeffrey Carr, a consultant on cyber issues, is sceptical that major powers such as China or Russia would mount a direct cyber attack against the United States: "It's not in their interest to hurt the country that is feeding them money (Hersh, 2010, par. 60)." And even if things somehow escalate at some point in the future, it does not mean that Americans should start biting their nails and trembling with fear. As one former N.S.A. operative hints, "Our offensive cyber capabilities are far more advanced (Hersh, 2010, par. 47)." Yet, as with the nuclear arsenal during the Cold War, U.S. cyber weapons "must be pretargeted and ready to launch (Schneier, 2013, par. 12)."

U.S. position on Use of Force

As Lieutenant General Keith Alexander asserted once, "there is no international consensus on a precise definition of a use of force, in or out of cyberspace (Waxman, 2013, p. 112)." Moreover, the states themselves and their primal institutions under mandate should determine the threshold of a use of force. With respect to the USA, the President is authorized to make such an assessment. According to Harold Koh (2012), a proper assessment should account for and evaluate several factors:

  • The context
  • The perpetrator (recognizing the attribution problem)
  • The target and location
  • Effects and intent
  • Other possible issues

He also concludes that "cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force (Koh, 2012, Answer 3)." Consequently, this quote indirectly reaffirms that the U.S. government generally follows the consequence-based approach.

U.S. position on Self-defense

As far back as 2010, Secretary of State Hillary Clinton made a declaration concerning cyber security and U.S. readiness to respond to threats in the IT security ambit: "States, terrorists, and those who would act as their proxies must know that the United States will protect our networks… (Clinton, 2010, par. 32)."

More recently, the Department of Defense issued a report to Congress in which the subject of self-defense in the event of a cyber attack is broached:

When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners. We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests. (Department of Defense, 2011, p. 2)

Apparently, the U.S. strategy concerning cyber attacks will not be confined to a specific self-defense instrument. Quite the contrary: the United States government will not consider itself obliged to respond to a cyber attack in kind, even if this course seems prima facie to be the most natural or obvious. Therefore, feasible options in this regard might be diplomacy, law enforcement actions, and cyber or conventional attacks (National Research Council of The National Academies, 2009).

By following and generally accepting the U.S. legal interpretation of Article 51 of the UN Charter with respect to cyber attacks, the national security agencies of Japan, in planning their defense posture, demonstrated solidarity with their strategic partner, a situation that perfectly illustrates the close linkage between strategic international affairs and legal development (Waxman, 2013).

U.S. Joint International Initiatives

Without explicitly referring to an armed response, the United States and Australia declared that their bilateral defense treaty extends to cyberspace. Yet foreign relations with other countries are not so smooth. For instance, in diplomatic groupings China has opposed the idea that a cyber attack can trigger the right of self-defense within the meaning of Article 51 of the UN Charter. Instead, both China and Russia propose new forms of international legal regulation: an international agreement that will fill the gaps in the existing international law as concerns cyber weapons (Waxman, 2013).

This time it is the turn of the U.S. government to answer in the negative. One possible explanation for that line of strategy is:

This may relate to US plans to use the Internet for offensive purposes as it is believed to have done regarding the Stuxnet worm. US officials claim publicly that Cyber Command is primarily defensive, but the reluctance to entertain the idea of a cyberspace disarmament treaty is raising questions as the true US position. (O'Connell, 2012, p. 206)

To counterbalance that quote, which more or less insinuates an aggressive agenda adopted by the U.S. government, here is another citation that may shed some light on the leading motive for the lack of more decisive co-operation between the greatest world powers:

Instead of naively cooperating with these actors, such as Russia, the U.S. should internationally name and shame the offenders. Additionally, the U.S. should create diplomatic and legal penalties for those companies and foreign officials who use stolen information or intellectual property. (Simson, 2013, par. 6)

Although the leitmotif we are searching for is not directly mentioned in the passage above, we could draw the conclusion that the U.S. government may be reluctant to co-operate with nations that behave in an ostensibly friendly manner while at the same time backstabbing it by conducting continuous cyber exploitation, which, in turn, may inflict significant damage on the American economy.

The Asymmetry in Cyber Warfare: A Major Hold-back for International Cyber Treaty

Below are enumerated some of the major reasons why an international resolution dealing with cyber attacks and weapons is difficult to conclude:

  • Advanced Western societies, such as the USA, are vulnerable to cyber attacks
  • Advanced Western societies have peerless military superiority
  • Cyber warfare is inexpensive
  • Cyberspace is a medium where identity is easily disguised
  • The asymmetrical position thus created is the most significant impediment to a multilateral treaty

(Muir, Jr., 2011)

The cyber warfare asymmetry between disparate societies expressed as a formula:

Note: The Military Superiority of the Developed Societies is diminished by their great dependency on information infrastructure ('Vulnerability' index). Conversely, both the Inexpensiveness and Anonymity (a.k.a. Attribution Problem) factors allow Developing Societies unprecedented cyber armament. The Situation of Asymmetry thus created does not favour the conclusion of a global treaty on cyber warfare and IT security.

Presidential Policy Directive-20 (PPD-20)

In November 2012, President Barack Obama signed off on a Presidential Policy Directive whose contents were kept confidential until recently, when The Guardian newspaper managed to obtain a copy.

Apparently, this set of documents is among the materials disclosed by the ex-NSA contractor Edward Snowden, who not long ago publicly declared his opposition to the large-scale electronic monitoring allegedly conducted by the U.S. administration, more specifically the intelligence agencies (The Guardian, 2013). As a result of his public campaign, Snowden had to flee and make a plea for asylum in Russia.

The PPD-20's purpose is "to put in place tools and a framework to enable government to make decisions" on certain actions conducted in cyberspace (The Guardian, 2013, par. 5).

Moreover, the document distinguishes between two major kinds of cyber action at the disposal of U.S. cyber decision-makers: Defensive and Offensive Cyber Effects Operations.

DCEO (Defensive Cyber Effects Operations)

That part of the document contains a policy regime regulating recourse to counter-actions against harmful foreign cyber acts that pose an imminent threat to U.S. national interests, or against an ongoing attack that warrants the use of self-defence as provided in international law. Without a concrete Presidential permission, DCEO are intended to cause effects only outside the U.S. territory. According to PPD-20, DCEO is to be used only when "network defense or law enforcement measures are insufficient or cannot be put in place in time to mitigate a threat (McAllister, 2013, par. 9)."

Furthermore, the directive envisages the creation of an Emergency Cyber Action procedure, to be invoked against cyber attacks that represent an imminent threat to the U.S. government and the citizens under its shelter, thus preventing significant damage with lasting consequences on the critical national infrastructure or military missions (Gertz, 2013). As the title suggests, timing is of key significance. These acts are also not intended to result in "severe consequences".

OCEO (Offensive Cyber Effects Operations)

There is a view in the hacker communities that if a cyber attacker has unlimited attempts to overcome a passive defensive system, sooner or later the attacker will inevitably succeed. Therefore, an offensive response may sometimes be the more reasonable approach (Shackelford, 2009).

The main purpose of OCEO is "to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging (PPD-20, p. 9)."

This group also includes cyber actions intended to affect adversaries located outside the United States and its government networks. Under the common view, an offensive response is to be triggered where defensive measures are inexpedient overall.

Nevertheless, the U.S. government announced that courses of action such as mitigating threats, prioritizing network defense, and law enforcement measures have priority (The Guardian, 2013).

DCEO and OCEO – Targeting Considerations

As a generally accepted rule, a cyber attack targeting a specific location may generate unintended consequences at another site, thus impairing even the national interests of the aggressor state. Moreover, in cases where U.S. cyber tasks may produce effects in foreign territory, it is advisable for the U.S. government to seek consent from the relevant countries (McAllister, 2013).

In conclusion, the described operations must be conducted in concordance with the U.S. Constitution and the international laws and treaties to which the country 'has pledged allegiance' (McAllister, 2013).

The emergence of the Internet forces a reconsideration of old policies and doctrines, since they may not work effectively in this new world. With that in mind, the United States must implement corrections in its cyber policy where necessary and come up with a new resolution of pressing concerns in the realm of information security. The tricky part is that these changes should not only be properly done; they should be executed in a timely manner as well. If not, the country risks losing its upper hand in technological advancement and retreating from positions gained and preserved for decades through a combination of successful leadership, strategic alliances and power politics.

Reference List

Clinton, H. (2010). Remarks on Internet Freedom. Retrieved on 17/08/2013 from

DeLuca. C. D. (2013). The Need for International Laws of War to Include Cyber Attacks Involving State and Non-State Actors. Retrieved on 02/07/2013 from

Department of Defense, (2011). Department of Defense Cyberspace Policy Report. Retrieved on 17/08/2013 from

Hersh, S. (2010). The Online Threat. Should we be worried about a cyber war? Retrieved on 17/08/2013 from

Gertz, B. (2013). Cyber War Details Revealed. Retrieved on 17/08/2013 from

Koh, H. (2012). International Law in Cyberspace. Retrieved on 17/08/2013 from

McAllister, N. (2013). Leaked Obama brief reveals US cyber defense, offense policy. Retrieved on 17/08/2013 from

Muir Jr., L. (2011). The Case Against an International Cyber Warfare Convention. Retrieved on 17/08/2013 from

National Research Council of The National Academies (Owens, W., Dam, K. & Lin, H., Eds.), (2009). Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. Washington, D.C: National Academies Press.

O'Connell, M., E. (2012). Cyber Security without Cyber War. Retrieved on 02/07/2013 from

Roston, A. (2012). U.S.: Laws of war apply to cyber attacks. Retrieved on 17/08/2013 from

Schneier, B. (2013). US Offensive Cyberwar Policy. Retrieved on 17/08/2013 from

Simson, E. (2013). The U.S.–Russia Cybersecurity Pact: Just Paper. Retrieved on 17/08/2013 from

Shackelford, S. J. (2009). From Nuclear War to Net War: Analogizing Cyber Attacks in International Law. Retrieved on 02/07/2013 from

The Guardian (2013). Obama orders US to draw up overseas target list for cyber-attacks. Retrieved on 17/08/2013 from

The U.S. President (2013). Presidential Policy Directive/ PPD-20 (issued by The Guardian). Retrieved on 17/08/2013 from

United Nations (1945). United Nations Charter. Retrieved from

Waxman, M.C. (2011). Cyber-attacks and the use of force: Back to the future of Article 2(4). Yale Journal of International Law, 36.

Waxman, M. (2013). Self-Defensive Force Against Cyber Attacks: Legal, Strategic and Political Dimensions. Retrieved on 02/07/2013 from

Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master’s degree in 2009. From 2008-2012, Dimitar held a job in data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security program at Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.