This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Data Privacy

Aug. 12, 2015

Thinking about cyber strategy

Earlier this year, the Department of Defense made clear that the Obama administration believes the DOD has a role in defending the United States from "cyberattacks of significant consequence."

By Jeff Rabkin and Nandini Iyer

Given the endless string of costly data breaches and cyberattacks on U.S. businesses - most originating overseas - some have openly wondered whether and when the United States military would become more overtly involved in domestic cybersecurity.

Earlier this year, the Department of Defense released a policy paper titled "The Department of Defense Cyber Strategy." The strategy makes clear that the Obama administration believes the DOD has a "limited and specific role to play" in defending the United States from "cyberattacks of significant consequence." It contains an important message for U.S. businesses: The DOD may consider attacks on American companies to be a matter of national import warranting government involvement. Thus, for the first time, an American president has said that a significant data breach or other cyberattack on a U.S. business may trigger military action.

In a recent lecture at Stanford University, DOD Secretary Ash Carter discussed DOD's renewed focus on cyber defense. Plans include collaborating with Silicon Valley companies to better deal with cyberattacks. Carter also announced the establishment of the Defense Innovation Unit X, or DUX, in Silicon Valley. The purpose is to "strengthen existing relationships and build new ones; help scout for new technologies; and help function as a local interface for the department."

Just a week prior to Carter's announcement, the Department of Homeland Security announced its plan to set up a Silicon Valley office to strengthen relationships with technology companies and recruit new talent. Both programs are in the early stages of development.

The purpose of the strategy is "to guide the development of DOD's cyber forces and strengthen its cyber defense and cyber deterrence posture." It focuses on three broad missions: (1) defend DOD networks, systems and information; (2) defend the U.S. and its interests against cyberattacks of significant consequence; and (3) provide integrated cyber capabilities to support military operations and contingency plans.

It contains five strategic goals for the DOD, each aligning with one or more of the above missions: (1) build and maintain ready forces and capabilities to conduct cyberspace operations; (2) defend the DOD information network, secure DOD data and mitigate risks to DOD missions; (3) be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence; (4) build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages; (5) build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

Companies should pay attention. The strategy is a window into how the Obama administration intends to treat cyberattacks on private sector assets, and how it views its relationship with the private sector in the prevention of and response to cyberattacks.

One consideration is how the military's involvement in defending against cyberattacks on non-governmental targets in the U.S. implicates the Posse Comitatus Act. "The purpose of the Act is to uphold the American tradition of restricting military intrusions into civilian affairs, except where Congress has recognized a special need for military assistance in law enforcement." United States v. Al-Talib, 55 F.3d 923, 929 (4th Cir. 1995) (internal citation omitted). While the act does not foreclose all DOD domestic cyber defense roles, it may limit the degree to which the military could be involved in responding to an attack by a non-state actor against a U.S. business.

Existing case law helps. In holding that the military was barred from performing blood tests for civilian law enforcement agencies, a federal Court of Appeals explained that it "interpret(s) [the act] and authorizing statutes in keeping with the traditional American insistence on exclusion of the military from civilian law enforcement, which some have suggested is lodged in the Constitution." United States v. Johnson, 410 F.3d 137, 148 (4th Cir. 2005) (internal citation omitted). The Johnson court distinguished the military performing blood tests for law enforcement from transporting a car and drugs in support of a Drug Enforcement Administration sting operation. In that latter case, Al-Talib, the court decided that the "use of military resources ... had no direct impact on the defendants whatsoever" and thus did not violate the act. Al-Talib, 55 F.3d 923, 930. Under this reasoning, and unless otherwise authorized by Congress, the DOD could face limitations under the Posse Comitatus Act in assisting law enforcement in ways that would directly impact the non-state attacker, but might be able to provide logistical and intelligence support.

For the private sector, the most directly relevant section of the strategy concerns the DOD's role in protecting the U.S. and its interests from "cyberattacks of significant consequence." The strategy is vague on what constitutes such an attack, stating that attacks are evaluated "on a case-by-case and fact-specific basis by the President and the U.S. national security team." It provides some elaboration - "significant consequences may include loss of life, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States." In the event of such an incident, the DOD must be prepared to conduct cyber operations "to counter an imminent or on-going attack against the U.S. homeland or U.S. interests in cyberspace," for the purpose of "blunt[ing] an attack and prevent[ing] the destruction of property or the loss of life." The strategy adds that "[a]s a matter of principle, the United States will seek to exhaust all network defense and law enforcement options to mitigate any potential cyber risk to the U.S. homeland or U.S. interests before conducting a cyberspace operation."

However, for the private sector, the key question of how to determine if a given cyber incident is a cyberattack "of significant consequence" per the DOD remains unanswered. It is also unclear what a company must do vis-à-vis the DOD if it believes, or the DOD determines, that an incident is a cyberattack of significant consequence. The strategy does not address what a company can expect if it notifies the DOD of such a cyberattack.

The strategy leaves open some questions. An important aspect of its discussion of defending against cyberattacks of significant consequence is its recognition that the government has "a limited and specific role to play," and that the private sector is a critical, if diffuse and disaggregated, participant in the nation's cybersecurity. The strategy explains that "[w]hile the U.S. government must prepare to defend the country against the most dangerous attacks, the majority of intrusions can be stopped through relatively basic cybersecurity investments that companies can and must make themselves." However, the strategy does not discuss the government's role in working with companies to identify what kinds of security investments they "must" make.

The private sector should find the strategy helpful in that it signals the government's efforts to fill a gap that until now has remained unresolved - the military's role in addressing a major cyberattack against a private entity. With most other emergencies, be they natural disasters or criminal activity, the private sector always had access to the government's support and could expect its involvement - but not cyber incidents. The strategy somewhat remedies this gap by acknowledging there is a role for the DOD to play - while leaving several key questions unanswered.

It remains clear that companies and counsel should be prepared for potential military involvement in a significant cyber incident. Companies should evaluate strategic ramifications of possible DOD intervention. They should review incident response plans and ensure the plans address and include the impact of possible DOD referrals, when DOD assistance will be requested, and what interactions with the DOD will entail. Maintaining on-going relations with the DOD or DHS could be appropriate so companies have contacts in case of an incident. The private sector should pay close attention to future DOD policy papers and public statements. To partner with the private sector to address cybersecurity, the government will be increasingly interested in providing further guidance on its role in the event of a cyberattack on a private company.

Jeff Rabkin is a partner in the San Francisco office of Jones Day, where he is a member of the firm's Cybersecurity, Privacy & Data Protection Practice. Nandini Iyer is an associate in Jones Day's Silicon Valley office.
