Cyberlawyering in the U.S. Department of Defense: a practitioner’s perspective
What’s it like to be a cyber lawyer in America’s national security enterprise? What kind of issues do they grapple with? Do you know what “Rickrolled” means in the cyber context? Our guest post today by Commander Robin Crabtree, a U.S. Navy judge advocate who spoke at the U.S. Cyber Command (USCYBERCOM) Legal Conference in March, has some answers for you.
She discusses her work on cyberspace operations’ law while serving in the Department of Defense Office of General Counsel. Although you can watch the video of her presentation here, she has kindly shared with us the text of her remarks as prepared for delivery.
So you can enjoy a podcast by listening/watching here (and hear some interesting Q & A moderated by Lawfire® author Marine lieutenant colonel Kurt Sanger), or you can read her prepared remarks below (or do both, as I did!)
Here are CDR Crabtree’s remarks prepared for USCYBERCOM’s Legal Conference (Virtual) 4 March 2021:
Thank you for putting this conference together this year. I am sorry we are not together in person, although it is exciting that this virtual format allows for more opportunity to participate, especially as you indicated earlier, from our allies around the world, with whom we work very hard on these issues.
It is of course important for me to make clear at the outset that the views I am about to express are my views alone. They do not represent the views of the Department of Defense, the Department of the Navy, or U.S. Central Command.
As I get into my remarks today, I also wanted to advise viewers that there may be frequent use of air quotes as I lay out some Department of Defense (“DoD”) terminology that may not be familiar to many in this large and diverse audience.
What I am going to do today is take some of the concepts you already heard about this morning and discuss strategic-level issues that arise in the context of planning for and executing cyber operations and how lawyers at multiple levels within the Department of Defense contribute to shaping and addressing those issues.
I should also explain in light of the remarks we just heard from Jim Lewis, that when I say “strategic level,” I am referring to the agency-head and National Security Council level within the United States, as opposed to what we refer to in military doctrine as the “operational” and “tactical” levels. I am not referring to the global strategic context that Mr. Lewis was referring to.
In the cyber realm, as compared with other types of operations, DoD’s [Department of Defense’s] activities are still largely managed at the strategic level; that is, within the Office of the Secretary of Defense (OSD), and to some extent at the combatant command level.
For legal counsel at the operational and tactical levels, an awareness of some strategic-level issues helps our clients plan and execute operations at the speed of relevance.
It helps them to do that by helping them anticipate questions from higher headquarters, from elsewhere in the U.S. Government, and even from foreign governments in some circumstances, and allows them to bake the answers to those questions into their products. This enables us to execute operations in a timeframe that helps us meet our objectives.
As you may have gleaned from General [Paul] Nakasone’s remarks earlier today, managing cyber policy at the strategic level is characterized by extensive coordination among diverse stakeholders, particularly other U.S. Government agencies, which we refer to affectionately as “the interagency.” This drives many of the strategic level considerations.
There is no question that there is often tremendous collaboration among U.S. Government agencies operating in cyberspace – collaboration that serves the interests of the United States in profound, often classified, and therefore unsung, ways.
But there is sometimes the perception that cyber operations are a zero-sum game in which one agency’s actions in cyberspace actually interfere with other agencies’ activities. And you can imagine that, because of its massive budget and broad operational and intelligence authorities, to the other agencies that operate in cyberspace, DoD is the problem. We are the gazillion pound behemoth that rises up and blocks out the cyber sun.
Yet, DoD’s role in cyberspace is actually fairly limited. We are outward looking. We are defending forward against foreign threats targeting the United States and preparing to fight and win the nation’s wars. The DoD conducts cyber operations and intelligence activities only in support of missions assigned to the Department. Congress doesn’t give us money to do anything else.
Part of our mission can be to support other agencies’ cyber-related activities in accordance with law and regulations established for that purpose. I consistently saw that DoD leaders do not want to perform or interfere with other agency’s missions. But given that huge budget and extensive authorities you can understand why other agencies may still view DoD’s hulking mass warily. So, what you see, advising clients at OSD who are interacting with their interagency counterparts, is a cycle of questions about DoD’s activities, collaboration, assurances, more collaboration, reassurances, and so on.
My observation is that lawyers can assist in this process of interagency collaboration and assurance in several ways.
First, we can help with language. The importance of language in the interagency arena comes up just as it does in other practice areas. First, lawyers help craft language that reflects their clients’ interests and, to the greatest extent possible, a common understanding.
There were occasions when, even in the face of pressing external timelines, we spent days working with other agencies’ lawyers on one sentence in a larger document related to DoD authorities, such as mulling over the nuanced differences between “substantial,” “substantive,” “material,” and “significant.”
I think that the time and effort this takes is worthwhile. It helps DoD accomplish its mission and the process helps manage expectations in the interagency. And, I hope, it also demonstrates DoD’s desire to plan and conduct well-coordinated operations.
Language also creates confusion in collaboration with other agencies—as well as Congress—when we give in to the military tendency to describe all activities in combat terminology. For example, let us say we conducted a cyber operation that replaced live streaming of U.S. troop movements in Iraq with the music video for Rick Astley’s 1987 hit “Never Gonna Give You Up.”
That is, we “Rickrolled” them. But we did not destroy or damage any computers or injure or kill any people. In such an instance, it is not helpful to send up an assessment or Congressional notification that says the target was “destroyed.” Lawyers reviewing these products can help refine language to accurately describe our operations so that we do not have to clarify later on.
In addition to that focus on language, it is helpful to understand the other agencies’ basic missions and the legal issues really matter to them. I have been fortunate to work in a couple of assignments that involved significant interagency coordination. I have found that the coordination works best when people take a moment to recognize that each agency has missions assigned to it by Congress and the President.
Sometimes those missions overlap and our activities in support of those missions can conflict, no question about it.
For example, DoJ has a mission to use law enforcement tools to disrupt foreign cyber operations targeting the United States. It wants to bring indictments against, for example, Chinese military cyber operators; DoD has said that as part of its defend forward strategy, it may want to disrupt those operations at the source.
If DoJ brings an indictment, the operators know they are burned. They may change their tactics and DoD will have to start over. This is frustrating. But, DoJ is executing its assigned mission.
And it may happen the other way around, a DoD operation may destroy evidence that DoJ wants for a future prosecution. That would no doubt frustrate DoJ. But, the American people, through Congress and the President, have said they want both of us to work on that same problem set. So, we have to figure it out.
I think lawyers can help move things in the collaboration direction while continuing to represent the Department’s interests by understanding the basic outlines of those other agencies’ missions and the legal issues that are important to them.
For instance, we could help our clients think through whether DoD could conduct a “defend forward” operation before DoJ announces its indictment and do so in a manner that would not preclude prosecution. Or, could we work with DoJ to amend an indictment so that it does not disrupt other U.S. Government operations targeting actors that may be using the same tactics?
I’m using a DoJ example, but the same is true for other agencies, like the State Department, which will be looking at how an operation may impact the development of international law and our ability to promote certain norms.
A basic understanding of other agencies lawful missions, the legal processes involved, and relevant legal considerations helps to provide our clients with options and address likely interagency concerns in a timely manner.
The last point I will make about the role lawyers play in the interagency push and pull is that it is critically important to keep an eye on the distinction between law and policy. Most policy choices that were made during my time at DoD OGC were bound in some way by statute, such as laws assigning responsibility to U.S. Government agencies.
There were also occasions in which policy choices were made to preserve legal flexibility. And then sometimes the discussion was straight policy, and I was just lucky to be at the table. But it was really important, no matter how strongly I felt (and there were times I did feel strongly), that I was clear about what was a no-kidding legal limitation.
So, I talked about language, other agency’s missions and authorities, and the law/policy relationship. As a practical matter, how do lawyers at the operational level contribute to DoD’s success in this process? And here I am thinking about lawyers at combatant commands, and the component commands and joint task forces that report to the combatant commanders.
For those in the audience not familiar with DoD’s organizational structure, the combatant commands are created by law. They are joint headquarters staffs led by a 4-star admiral or general who commands and controls military forces. There are 11 combatant commands. Most of them are responsible for a geographic area. For example, U.S. Central Command exercises command and control (or “C2”) of military forces in the Middle East and up to Central Asia.
Some combatant commands, like USCYBERCOM, are functional combatant commands responsible for coordinating certain types of operations. Combatant commanders exercise C2 through subordinate commands called component commands or joint task forces.
A lot of the work DoD lawyers do at all levels of command is in conducting legal reviews of documents and proposed operations. The legal review is not only a necessary and standard part of our military practice, it is also an opportunity. It allows us to identify areas of law that remain uncertain and to advocate for our clients. It is also an opportunity to bridge community lexicons within commands and up and down the chain of command.
“HANG ON!” you say. “I’m not assigned to a cyber-specific command, doesn’t CYBERCOM do those legal reviews?”
Yes – CYBERCOM lawyers do review cyber operations. But so must you, particularly if you are at the combatant command, component command, or joint task force level. Remember that, in general, geographic combatant commanders are the supported commanders for military operations in their areas of responsibility – their “AORs”—unless the Secretary of Defesne tells us otherwise.
That means that your commander will need to provide planning guidance, approve operations, and control the timing and tempo of operations. For commanders to exercise these responsibilities, their staffs—including their lawyers—must be ready to advise them.
In preparing your legal advice, you should consult with CYBERCOM’s lawyers. But, you have a professional obligation to provide your own advice. You and your CYBERCOM colleagues may arrive at different conclusions. Your staff and commander may identify risks, including legal and quasi-legal policy risks, that CYBERCOM has not yet considered, and vice versa. This is a strength of the system, helping ensure DoD’s operations comply with applicable law. And, again, this is no different than what is expected for other activities, such as certain counterterrorism operations.
What goes into one of these legal reviews? The DoD General Counsel articulated a framework at this conference in 2020. His remarks are available online. I want to highlight and expand a bit upon a couple of considerations.
I. Accurately characterizing the operation.
The concept of the operation – or “CONOP” – must contain the facts sufficient to analyze the relevant legal issues. For cyber operations, it is of course relevant to show the computers involved, the network pathways, and explain the ownership or use of the network. But, in addition to these things, for our purposes, we need to know what will happen to the people or the institution or services that rely on the target network. I think we are still refining our ability to make these assessments. So, it’s important to ask lots of questions.
But note that the legal review cannot be the only place the relevant facts appear. The commander and his or her staff must have those facts available to them. The facts must appear in the CONOP. You ask the questions – and follow up to make sure the answers get into the CONOP itself.
Facts about effects are also critical when we are reviewing proposed responses to foreign cyber operations. In my opinion, governmental and private sector actors have gotten pretty good at attributing cyber activities to an actor. We are not as good at understanding the “so what.” That is because it’s hard.
For example, during the COVID pandemic, we have seen reports of foreign government intrusions into hospital networks. My personal view is that an operation that disrupted the delivery of health services during a pandemic could foreseeably rise to the level of a prohibited intervention under international law. But the problem is determining whether the intrusion actually involves any disruption or if it appears to be limited to stealing information, or if it’s stealing information for the purpose of conducting information operations that undermine the nation’s pandemic response.
These are the facts that are important to characterizing the operation under international law and, in turn, informing policy choices about how to respond. We need to elicit that information so that we can help operators provide leaders with a robust set of response options. And, as Jim Lewis indicated, developing those facts helps us work with our international partners as part of a larger effort to impact the global cyber environment.
At the same time, once you have the facts, embrace the operational law version of constitutional avoidance. You may want to avoid characterizing an operation or activity as a use of force if you can while still accomplishing the Department’s mission. For example, stretching to declare an operation a use of force could provide an international law basis for a use of force in response, but before you go there, ask yourself, “what would we lose?” And, do I have to answer this question in order to analyze whether our proposed response would be lawful?
Take, for example, the Solar Winds hack – reportedly a supply-chain operation that gave the Russian Government access to multiple U.S. Government and private sector networks.
Some have argued that because of the large number of networks accessed and the latent possibility of a significant attack generating effects on those networks, the access alone can and should be considered an armed attack under the UN Charter. If the U.S. Government were to take that position, we would have an international law basis for the use of force in response.
But, taking the position that access alone is an armed attack would undermine our foreign intelligence collection activities. Forget about virtual presence—what about physical presence? Would the presence of a spy be considered an armed attack justifying a use of force in response? And does the number of networks involved really make that much of a difference if the access is never used to generate effects or was even unintentional?
Regardless of the legal merits of this particular argument, you can see that characterizing something as an armed attack could create legal risk for other U.S. Government activities—and for those of our allies. Sometimes it is very clear cut, but most of what we see is not. In that case, our job is to do the legal analysis of the proposed operation and also identify the risks associated with that analysis so that leaders can make informed choices.
II. And then there are norms….
As you know, all U.S. military operations are planned and executed in support of the National Defense Strategy, which in turn supports the National Security Strategy. There are also national and DoD cyber strategies.
For cyber operations, all the relevant strategies refer to deterrence, competition, and strengthening alliances and partnerships. One of the main national efforts in this area has been the promotion of certain voluntary, non-binding peacetime norms for state behavior in cyberspace. This is a Department of State-led effort, with active DoD support in policy and legal channels. It has been a focus for the last two administration and, as you heard earlier, the recently released national security strategic guidance seems to continue this focus.
What are these non-binding norms? Background can be found in the U.S. submissions to the United Nations Group of Government Experts (UNGGE) process that Jim Lewis discussed previously and in UNGGE reports. Look to national and DoD guidance for information about how we in DoD take promotion of these norms into account in planning operations.
To be clear, these are voluntary, non-binding, peacetime norms. The possibility that a proposed cyber operation may be perceived as inconsistent with a norm does not mean the operation would be unlawful. It may present the risk, however, that executing the operation could undermine U.S. efforts to promote adoption of the relevant norm. As a matter of policy and practice, commanders consider this risk.
And, of course, it will not have escaped your notice that voluntary, non-binding norms—whatever they may be—are not law. That’s right – this is a not a legal issue; it is a policy issue. But, the norms have words and paragraphs. They involve the United Nations. They look like law to the warfighter.
Commanders look to their lawyers for assistance in assessing this policy risk. As I indicated earlier, advising on policy as well as legal risks is within our competency, provided we distinguish between the two and make it clear when something is a policy choice rather than a legal prohibition.
III. Finally, processes.
The last several years have seen a great deal of progress on national and DoD-level policies and procedures for planning and approving cyber operations. Like I said earlier, work continues. One area in which work continues to be done is in developing processes by which geographic combatant commanders receive the information they need in a timely manner to fulfill their obligations with respect to cyber operations in their AORs.
For other types of operations, the GCCs [Geographic Combatant Commands] have those component commands I mentioned earlier. They report to the GCC. For cyber operations, DoD has adopted a model in which cyber component commands are under the operational control of Commander, U.S Cyber Command, and only “aligned” to one or more GCCs.
Under the model DoD has in place for cyber operations, we need to adapt the processes we have within the combatant commands to coordinating across combatant commands. Coordination is more than notification—and as I said before, with the exceptions of certain missions, geographic combatant commanders will be the supported commanders for cyber operations.
Lawyers can assist in the development of those processes by helping ensure there is a meeting of the minds and by ensuring the process will provide both staffs—including the lawyers—with the information they need to advise their commanders appropriately.
About the author
Commander Robin D. Crabtree, USN, JAGC, is currently assigned to the Office of the Staff Judge Advocate, U.S. Central Command. She has served in various capacities in the United States and overseas, including as operational law advisor to the Chief of Operations for military operations in Iraq during Operation Iraqi Freedom, and as a legal advisor to the Convening Authority for Military Commissions.
She holds a L.L.M. and a J.D. from Georgetown University Law Center, and a B.A. in Economics from the College of William and Mary.
The views and opinions expressed here are the author’s and do not necessarily reflect the official policy or position of the U.S. Navy, U.S. Central Command, the Department of Defense, or any other agency of the U.S. government.
Moreover, the views and opinion expressed by guest authors do not necessarily reflect the views of the Center on Law, Ethics and National Security, or Duke University.
Remember what we like to say on Lawfire®: gather the facts, examine the law, evaluate the arguments – and then decide for yourself!