Columbia Law School Professor Matthew C. Waxman told Senate Armed Services Committee members March 2 that the law offers no quick guide for saying when a cyber attack constitutes an act of war.
“International law in this area is not settled,” he advised the 18 committee members on hand for the hearing on cyber strategy and policy. Waxman, the Law School’s Liviu Librescu Professor of Law and faculty chair of the Roger Hertog Program on Law and National Security, has held senior posts at the U.S. State Department, the Department of Defense and the National Security Council. He also serves as co-chair of the Cybersecurity Center at Columbia’s Data Science Institute.
The hearing came while Washington is embroiled in what U.S. intelligence agencies say is Russia’s hacking of Democrats’ email accounts in an effort to help Republican Donald Trump in the 2016 presidential election. On Feb. 28, U.S. Attorney General Jeff Sessions recused himself from a Justice Department investigation into the issue after it was revealed that he didn’t disclose to the Senate Judiciary Committee his contacts with the Russian ambassador while serving as an adviser to Trump’s campaign.
The March 2 hearing was tied to a defense policy bill that requires the Trump administration to declare what kinds of cyber attacks represent acts of war against the United States. Armed Services Committee Chairman John McCain, an Arizona Republican, and several Democrats on the panel asked witnesses whether Russia’s action could be considered a hostile act and what kind of U.S. response is legally justified.
“What kind of message does it send to Vladimir Putin and the rest of the world…if we don’t respond?” asked Senator Jeanne Shaheen, a New Hampshire Democrat.
Waxman, who has published several papers on cyberwar and international law, said whether hacking is an act of war depends on “case-by-case facts,” including any damage to property or harm to people. He suggested cyber attacks rarely meet a United Nations’ Charter threshold for an “armed attack,” which triggers the most expansive rights of self-defense, but that the United States still has a wide range of options for responding to cyber attacks below that threshold, such as sanctions or some cyber actions of its own.
He noted that existing U.S. policy is that the country may regard cyber attacks as armed attacks at least in some “extreme scenarios, such as inducing a nuclear meltdown or causing aircraft to crash by interfering with control systems.”
Waxman said this approach was “generally sensible” and flexible enough to “accommodate a strong cyber policy.” He also said the current approach is better than ignoring international law “or trying to negotiate new legal rules from scratch.” But he added that more legal clarity was needed to guide policy.
Waxman also urged lawmakers to consider state sovereignty in setting cyber policy. “Because of the global interconnectedness of digital systems, including the fact that much data is stored abroad and constantly moving across territorial borders,” Waxman warned that overly-strict interpretations of sovereignty could hamper “U.S. offensive cyber-actions or defensive cyber-measures that occur in or transit third-countries without their consent.” Although the United States has a “strong interest in limiting infiltration and manipulation of our own digital systems,” he said that there is no clear legal prohibition on “cyber-operations just because, for example, some cyber-activities take place within another state, or even have some effects on its cyber-infrastructure, without consent.”
Because of “gray areas of unsettled law,” Waxman said in response to questioning, “it’s very important that lawyers be working hand in hand with policy makers...We don’t want to say ‘lawyers, you go into a room, figure it out and come back and tell us where the limits are.’ We want the lawyers to be consulting with the policy makers on where they want to go.”
Retired General Keith Alexander, former head of the National Security Agency, Dr. Craig Field, chairman of the Defense Science Board, and James Miller, former undersecretary of defense for policy, also gave testimony.
Read Waxman's Senate testimony
Posted March 3, 2017