Updated Monday, February 4, 2013 at 06:42 AM
WASHINGTON — A secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review.
That decision is among several reached in recent months as the administration moves to approve the nation’s first rules for how the military can defend, or retaliate, against a major attack.
New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code — even if there is no declared war.
The rules will be highly classified, just as those governing drone strikes have been closely held. John Brennan, Obama’s chief counterterrorism adviser and his nominee to run the Central Intelligence Agency (CIA), played a central role in developing the administration’s policies regarding both drones and cyberwarfare, the two newest and most politically sensitive weapons in the U.S. arsenal.
Cyberweaponry is the newest and perhaps most complex arms race under way. The Pentagon has created a new Cyber Command, and computer network warfare is one of the few parts of the military budget that is expected to grow.
Under current rules, the military can openly carry out counterterrorism missions in nations where the U.S. operates under the rules of war, like Afghanistan. But the intelligence agencies have the authority to carry out clandestine drone strikes and commando raids in places like Pakistan and Yemen, which are not declared war zones. The results have provoked wide protests.
Obama is known to have approved the use of cyberweapons only once, early in his presidency, when he ordered an escalating series of cyberattacks against Iran’s nuclear-enrichment facilities.
The operation was code-named Olympic Games, and while it began inside the Pentagon under President George W. Bush, it was quickly taken over by the National Security Agency, the largest of the intelligence agencies, under the president’s authority to conduct covert action.
While many potential targets are military, a country’s power grids, financial systems and communications networks also can be crippled. Even more complex, nonstate actors, like terrorists or criminal groups, can mount attacks, and it is often difficult to tell who is responsible. Some critics have said the cyberthreat is being exaggerated by contractors and consultants who see billions in potential earnings.
One senior U.S. official said that officials quickly determined that the cyberweapons were so powerful that — like nuclear weapons — they should be unleashed only on the direct orders of the commander in chief. A possible exception would be in cases of narrowly targeted tactical strikes by the military, like turning off an air-defense system during a conventional strike against an adversary.
While the rules have been in development for more than two years, they are coming out at a time of greatly increased cyberattacks on U.S. companies and critical infrastructure.
The Department of Homeland Security recently announced that a U.S. power station, which it did not name, was crippled for weeks by cyberattacks. The New York Times reported last week that it had been struck, for more than four months, by a cyberattack emanating from China. The Wall Street Journal and The Washington Post have reported similar attacks on their systems.
International law allows any nation to defend itself from threats, and the United States has applied that concept to conduct pre-emptive attacks.
Pre-emption always has been a disputed legal concept, most recently after former President George W. Bush made it a central justification for the invasion of Iraq in 2003, based on faulty intelligence about that country’s weapons of mass destruction. Pre-emption in the context of cyberwar raises a potentially bigger quandary, because a country hit by a pre-emptive cyberstrike could easily claim that it was innocent, undermining the justification for the attack.
“It would be very hard to provide evidence to the world that you hit some deadly dangerous computer code,” one senior official said.
Alex Wong / Getty Images
President Obama speaks as John Brennan, his nominee to run the CIA, looks on.