First, I should note that I am speaking today in my personal capacity only, and my views do not represent those of the U.S. government, the Department of Defense, or U.S. Cyber Command. At the outset, let me provide a brief overview of U.S. Cyber Command. It is a relatively new command within the Department of Defense. Established about seven years ago as a subunified command, it is an operational headquarters at the strategic level but at the moment subordinate to U.S. Strategic Command, one of the combatant commands within the Department of Defense. The 2017 National Defense Authorization Act included a provision stating that there shall be established a combatant command known as U.S. Cyber Command. As a result, there is now a lot of movement afoot to see how we will meet that legislative intent. In all likelihood, U.S. Cyber Command will elevate at some time in the future as a full combatant command.

U.S. Cyber Command is missioned and responsible for three primary things. First, we secure, operate, and defend the information networks of the Department of Defense. The Department runs and utilizes a massive set of information technology networks on a day-to-day basis as well as in support of war-fighting functions. That is one of our primary functions on the cyber security defensive side. Second, we are missioned to be prepared to defend the United States broadly and also specifically from cyberattacks of significant consequence to the nation. Third, when directed, we use cyber capabilities in support of the geographic combatant commanders in their war-fighting functions. Thus, if U.S. Africa Command (AFRICOM) were to direct an operation in Libya, AFRICOM might be able to leverage certain cyber capabilities in support of those ongoing operations, just as it might use any other military capability.

In recent years, there has been quite a bit of thinking about how to incorporate cyber capabilities in a broader tool set for the nation for deterrence, both to deter adversary malicious cyber-actions as well as to use them a tool in the broader deterrence set against other states and nonstate actors. There is a term in vogue these days, particularly among strategists, called the “grey zone.” There is some debate about how novel it is along with its utility. Generally, it is used to describe the twilight between war and peace, and the inherent ambiguities in that zone exploited principally by revisionist states. It refers to a level of aggressive behavior below the threshold of warfare, below the threshold of use of force in legal terms, but above the normal peacetime geopolitical competition among states. In this zone, states try to achieve objectives through exploiting political and legal ambiguities in the international environment to achieve strategic objectives. To be sure, this is by no means limited to cyber. As examples of actions in this zone, some will point to China's efforts in the south China Sea, such as the creation of islands and the use of the coast guard in a robust fashion to establish a presence. Some will point to Russia's actions in Ukraine.

Cyber is a fertile area in this regard, and we have definitely seen a lot of activity in this zone. States have embraced cyberspace and cyber capabilities as a means and method of statecraft. Examples include actions attributed to Iran in damaging a multitude of computers belonging to the Saudi Arabian Oil Company (Saudi Aramco) through a cyber operation. Whether it crossed the threshold of a use of force is certainly something that has been debated, but it is on those margins. Here at home, we all are familiar with the U.S. Office of Personnel Management (OPM) breach, the Sony hack attributed to North Korea, as well as the hack of the Democratic National Committee, which has certainly figured prominently in recent days. These are all cyber-enabled operations executed in this zone, which have tended to fall short of warfare, but which are aggressive and concerning from a national security perspective. We are struggling to figure out how we categorize these actions.

A recent quote from the Defense Science Board Task Force on Cyber Deterrence from February of this year is instructive:

Relatedly, in an event at Duke University, John Carlin, the former Assistant Attorney General for the U.S. Department of Justice's National Security Division, recently noted that you cannot build a wall high enough in the cybersecurity world. This fact raises serious questions about what measures you can take, or might need to take, outside of your own networks as a nation-state, to address these threats. Another example sets this problem in context. In 2013, then Chairman of the Joint Chiefs, General Martin Dempsey, was talking about a left of launch air and missile defense program. He highlighted the importance of integrating new, nonkinetic capabilities such as cyber operations into the traditional antiballistic missile tool set to prevent adversaries from effectively employing any of their air and missile weapons against the United States or its allies.Footnote ²

As these comments illustrate, we are facing the question of how we can manage this new capability in this environment, an area Tallinn 2.0 took on as its new focal point: the law that governs the space below what is clearly identified as armed conflict. And I would note one salient point to keep in mind when states operate in this space: in order to be prepared to operate in cyberspace, by and large, you have to actually operate. It is somewhat paradoxical. Cyber differs from a lot of other capabilities, such as strategic bombing, for example. In those contexts, you can have assets in home station sitting prepared but dormant. You can fuel them up and have them over targets in relatively short order. That is vital, and it is also an important means of messaging. That approach is much harder in cyberspace. There is a much more sophisticated lead time that is necessary if you are going to be effective, and it requires some degree of activity in the environment outside of your own networks.

The distinctive features of cyber operations therefore raise profound questions, both legal and policy-related, about how you are going to deploy and use these capabilities. With respect to law, from a country dedicated and committed to the rule of law and a rules-based system, we have moved past the foundational question of whether international law applies to state-conducted activities in cyberspace. The answer to that question is clearly yes. But that's where the hard work starts. The facts matter. The question of how we apply existing international law and existing regimes to specific factual circumstances is not as easy.