A Framework for Legal Risk in Military Cyber Operations

  • Colonel Nicholas F. Lancaster

Combatant and Joint Force Commanders are comfortable weighing operational risk, however they must also weigh legal risk when operating in cyberspace. Four areas of legal risk for cyber operations include avoiding inadvertent armed attacks, complying with the law of armed conflict, following the intelligence oversight rules, and ensuring operations do not qualify as covert action. An armed attack under international law is the trigger for a response in self-defense, so commanders must conduct their cyber activities below this threshold and conduct their operations in accordance with the law of armed conflict. On the domestic side, commanders must carefully plan and supervise their operations to ensure they comply with intelligence oversight rules designed to protect U.S. persons. Finally, because cyber operations are innately devoid of attribution, commanders must be vigilant to ensure their operations do not qualify as covert action that the President must independently authorize and report to Congress.