Colonial Pipeline's operations recently ground to a halt, and a major component of our nation's infrastructure was substantially crippled, at least temporarily. From the public's perspective, the harm was caused by bad actors in cyberspace seeking a ransom which, according to most news reports, was eventually paid.
Even if we assume the above as facts, adding nothing more, the national security implications are bone-chilling. Yet, those implications are not at all new to our national security and defense communities.
As an Air Force colonel and judge advocate ("JAG"), I was the Legal Advisor at Headquarters U.S. Space Command in Colorado Springs, 1998-2001. During that time, President Clinton assigned us the newly minted Department of Defense missions of Computer Network Attack and Computer Network Defense. Subsequent years saw the creation of the U.S. Cyber Command to assume those missions and the development of new terminology regarding offensive and defensive cyberspace operations. I'll leave it to others to discuss authoritatively today's roles performed by Cyber Command, the National Security Agency, and others. I've been retired far too long for that. Instead, my purpose here is to emphasize that, at least as far back as the turn of the century, U.S. national security and defense officials contemplated cyberattacks on our infrastructure and elsewhere.
I was among the relatively small handful of legal professionals tasked with providing a legal framework for analysis in this context. At the time, some believed cyber operations gave rise to an entirely new field of law with countless new legal issues, a "Wild West" environment. Yet, most of us didn't view it that way at all. Instead, we turned to established rules and principles within that subset of international law known as either the laws of armed conflict or the laws of war.
In light of current events, I returned to my PowerPoint slides (UNCLASSIFIED) from November 2000. (As I said, these concepts are not new.) During those days, I regularly lectured and taught classes on these legal issues.
My slides reminded me that, as in most legal matters, the first inquiry is factual. In this context, it's attribution: Who did what to whom?
Regarding Colonial Pipeline, the case may have involved nothing more than a criminal element seeking a ransom payment, in contrast to an outright cyber attack on our infrastructure by a State actor (for example, Russia). Yet, the factual inquiry must continue: Was there a State actor that aided and abetted or otherwise provided a safe haven for that element, perhaps knowing of these activities and turning a blind eye? If so, to what extent should we hold that State accountable?
Next, if a State were involved, should we view the cyber attack as an "act of war"? Modern international law generally avoids that term, relying instead on the U.N. Charter analysis regarding the use of force. There, we focus on the threat or use of aggressive force. That gives rise to the right of self-defense, under the Charter's Art. 51, if an armed attack occurred. We may also consider the various arguments for and against our employing "anticipatory self-defense."
In 2000, as I offered these presentations, the majority view was that "force" involved armed force. So, where were we to fit cyber attacks? At the time, there was no clear consensus in international law, although I sense that may have evolved in recent years.
During that time, the Defense Department considered that the best approach was to focus on the effects or consequences of a cyber attack, not unlike considerations of an attack using bombs or missiles. My slides offered the following examples: "death, injury, property damage, release of dangerous forces, disruption of national security capabilities during a crisis, etc." In other words, if a cyber attack were to cause any of these or similar effects or consequences, then our legal analysis should view the attack as having used the equivalent of armed force.
In the Colonial Pipeline case, according to open news reporting, we saw a cyber attack that adversely impacted our economy and threatened our national security to a very substantial degree. Therefore, using the above legal analysis, I have no difficulty in concluding it should be viewed not unlike an attack using armed force.
What then? Having satisfied our legal analysis, the issues turn to those of policy: What, if anything, should our national decisionmakers do in response? The list of underlying policy considerations in deciding seems almost limitless. Yet, first, we must return to attribution: Do we know with certainty exactly who conducted the Colonial Pipeline attack, and do we know whether, and to what extent, a State actor was involved? Those answers require a tremendous capability on the part of our Intelligence Community. Those matters are, of course, beyond the scope of my comments here.
Bottom line: Don't think that the notion of a cyber attack is new within our national security and defense thinking nor that we don't know how to analyze those issues. We've been doing so for years.
- Col. Wayne E. Dillingham, USAF (Ret.), of Murfreesboro, is a Shelbyville native.