Argument: Legal aspects of cyberwarfareCyberattacks and the Constitution

Published 11 November 2020

The United States has one of the world’s strongest and most sophisticated capabilities to launch cyberattacks against adversaries. How does the U.S. Constitution allocate power to use that capability? And, Matthew Waxman asks, what does that allocation tell us about appropriate executive-legislative branch arrangements for setting and implementing cyber strategy?

The United States has one of the world’s strongest and most sophisticated capabilities to launch cyberattacks against adversaries. How does the U.S. Constitution allocate power to use that capability? And what does that allocation tell us about appropriate executive-legislative branch arrangements for setting and implementing cyber strategy? Matthew Waxman writes in Lawfare that the term “cyberattack” is often used loosely. “In this essay, I define a cyberattack as action that involves the use of computer code to disrupt, degrade, destroy, or manipulate computer systems or networks or the information on them.”

This definition of cyberattack still includes a wide array of operations. On one end are attacks on computer systems that have effects—including kinetic, sometimes violent ones—outside those systems. At the other end are the types of low-level and often discrete attacks that appear to be contemplated by the United States “Defend Forward” concept. There are of course many possibilities in between.

Waxman adds:

This essay offers a way to think about the constitutional distribution of powers between the president and Congress governing the use of US cyberattack capabilities. Some commentators and analysts view this problem almost reflexively as a “war powers” issue—a term I use throughout this essay to refer to the political branches’ respective constitutional authority over the hostile use of military force. That is especially true as one moves up the scale of expected damage. A corollary to that constitutional issue is a statutory question: Namely, how should the 1973 War Powers Resolution, which was intended to restrict extensive military hostilities without congressional approval, be interpreted or amended to account for cyberattacks? The imprecise rhetoric of “cyberwar,” “cyber conflict,” and “cyberattacks” probably contributes to this legal framing.

But many—and probably almost all—cyberattacks undertaken by the United States cannot plausibly be viewed as exercises of war powers. Indeed, the entire Defend Forward concept appears to involve low-level operations well below the “use of force” threshold under international law and far short of the types of operations that have typically triggered war powers analysis under domestic constitutional law.

This essay argues that as a conceptual and doctrinal matter, cyberattacks alone are rarely exercises of war powers—and they might never be. They are often instead best understood as exercises of other, nonwar military powers, foreign affairs powers, intelligence powers, and foreign commerce powers, among other constitutional powers not yet articulated. Although this more fine-grained and fact-specific constitutional conception of cyberattacks leaves room for broad executive leeway in some operational contexts, this discretion is often the result of congressional delegation or acquiescence as opposed to any inherent constitutional authority on the part of the president. At the same time, these alternative understandings of cyberattacks also contain a strong constitutional basis for Congress to pursue legislative regulation of the procedural and substantive parameters governing cyber operations.