2023 DoD Manual Revision – What Was Left Unsaid for Cyber Operations

Since the long-awaited update to the Department of Defense (DoD) Law of War Manual, there has been no shortage of commentary and scholarship surrounding the new amendments. While updates to the Manual are worthy of attention, what was not updated is equally deserving of comment.

Nearly seven years have passed since the Manual was last updated and since then, global events have changed the way we live and are changing the way humans wage war. Yet, July’s revision is limited to 18 pages of modifications, leaving the majority of the Manual untouched. There is room for further progress to optimize the usefulness of the Manual in areas such as detention operations and space warfare.

Also deserving of further update is the rapid evolution and threats to national security posed in the cyber domain. Deemed the most critical threat to the United States by the American public today, cyberterrorism and the use of cyberspace for nefarious purposes is arguably one of the most pressing issues facing the DoD. Yet, none of the substantive changes to the Manual impact Chapter 16: Cyberspace Operations. Even the citations remain untouched from the previous version. The DoD should have considered updating this complex and ever-evolving area of the Manual to improve guidance to attorneys advising in this area as well as to signal U.S. compliance with domestic and international laws when conducting cyber operations.

The Purpose of the DoD Law of War Manual

In its preface, the Manual describes itself as a “DoD-wide resource for DoD personnel—including commanders, legal practitioners, and other military and civilian personnel—on the law of war.” It is an “institutional publication” that “reflects the view of the Department of Defense” and contains “sound legal positions based on relevant authoritative sources . . .” (emphasis added). As such, the Manual is designed to be the primer for those faced with a question of law or policy involving cyber operations. And while the Manual cannot and should not be expected to be a comprehensive guide, it should, at a minimum, provide an up-to-date reference point both in substantive content and cited references. Chapter 16 in its present form falls short, because nothing has been updated since December 2016.

From a policy and political standpoint, it is sensible for the DoD to choose a conservative approach rather than endorsing particular views on unsettled questions in this domain. But there are areas where the DoD has settled its position over recent years in the form of official statements and policy positions. Affirming these official positions in the Manual is critical as a basis for fostering unified understandings across the DoD in response to the rapidly transforming cyber domain.

The Simple Fixes 

First, the Manual’s citations to doctrine in Chapter 16 do not reflect the latest revisions of relevant publications. Joint Publication (JP) 3-12 Joint Cyberspace Operations and JP 3-0 Joint Operations are both cited, but the references do not reflect their 2022 updated versions. While updating the citation does not change the substantive content of Chapter 16, it remains vital that those who use the Manual are directed to the most up-to-date iteration of doctrine should they seek additional guidance. For example, the Manual cites the 2013 version of JP 3-12, but in 2018 significant changes were made to the publication, including an expanded discussion of the law of war as applied to cyberspace, detailed descriptions of offensive and defensive cyberspace operations, and newly defined terms. Even the name of the publication changed and therefore is not accurate in the current citation, as Cyberspace Operations became Joint Cyberspace Operations in the 2018 update. To fulfill its role as a useful and relevant tool, the DoD Manual should rely on the most current versions of doctrine as matter of both precision and professionalism.

The Manual should also reflect developments in cyber policy to maximize its value to the practitioner. In Chapter 16, Harold Koh’s 2012 remarks are cited 12 times. But since Mr. Koh’s tenure as legal advisor to the Department of State, more recent statements have emerged. The Honorable Paul C. Ney, for example, gave a speech at the U.S. Cyber Command (USCYBERCOM) Conference in 2020, providing a useful guide on how cyberspace operations would be analyzed under a legal framework and how the law of armed conflict would apply in cyberspace. Importantly, his commentary provides a step-by-step methodology for conducting legal analysis on proposed cyber operations.

More recently, the Honorable Caroline Krass’s statement at the 2023 U.S. CYBERCOM Conference similarly reflects the most updated DoD legal perspectives in this domain, and yet her comments are not referenced or cited to in the Manual. Ms. Krass emphasized the important role international law continues to play in cyber operations, specifically highlighting the areas of prohibited intervention and countermeasures. While conference statements are not formally signed or adopted by the Secretary of Defense, in practice they are widely trusted by DoD practitioners when analyzing legal issues. Conference statements are at the very least solid indications of the DoD’s perspective and how the DoD applies the law to cyber operations.

Chapter 16 should also have referred to the fact the United States is not only a signatory to, but also a member of the UN Group of Governmental Experts that created the Norms on Responsible State Behavior in Cyberspace. While not legally binding, the United States has committed to upholding and observing these norms. Legal practitioners confronting cyber-related issues should be made aware of all equities facing DoD activities in the cyber domain. In its present form, the Manual appears to lack some of the key references that attorneys should be aware of and rely on in order to fully advise their clients.

Emerging Issues Worthy of Acknowledgement

The Manual can further solidify its role as a helpful reference by acknowledging complex areas of the law that are still in development without taking an official position. State-sponsored or State-endorsed “patriotic hacktivism,” for example, is an exponentially growing practice, especially among militarily weaker nations. The updated Manual could have identified relevant legal implications arising from this practice, such as regarding the responsible individuals’ targetability and status if captured. DoD practitioners should be aware that this emerging and growing practice not only exists but is utilized by partners and allies, making the practice relevant by association.

Similarly, the role of private industry in the cyber domain is not new and is unlikely to change. As the globe becomes ever more interconnected, instances like the Viasat hack and Starlink’s subsequent action to save Ukraine’s connectivity could become more commonplace in future conflict. The updated Manual could have usefully mapped out legal risks associated with muddying of the waters between private industry and government entities in Section 16.5.5, “Use of Civilian Personnel to Support Cyber Operations.”

Finally, the most notable change to the Manual is the addition of the “presumptive civilian status” rule. This update appears to be driven by rising Congressional concern about civilian harm both within and outside of armed conflict. The Civilian Harm Mitigation and Response Action Plan (CHMR-AP) adopted in August 2022 outlines the steps the DoD will take to improve how it mitigates and responds to civilian harm.

However, it remains unclear how these changes might affect military operations in the cyber domain. The Manual should consider the impact of the civilian presumption in cyberspace, where nearly everything is, in whole or in part, a civilian entity. Whether it is cyber actors, networks, or other aspects of the private sector, Chapter 16 is deeply impacted by this adoption of a civilian presumption. The DoD will need to grapple with what that means for cyber operations likely sooner rather than later.

Concluding Thoughts

The third sentence of the Manual’s Chapter 16 reads, “Precisely how the law of war applies to cyber operations is not well-settled . . . .” While true in many respects, the law of war in cyber operations has become less “unsettled” over the last seven years. In the intervening period, the use of cyber tools in armed conflict and in situations short of conflict has become more common, and their underpinning in domestic and international legal authorities is more apparent. The DoD needs to keep up with the fast-developing and complex legal landscape in the cyber domain by providing relevant resources to DoD practitioners and signaling its vigilance in complying with domestic and international law and norms to the international community.

***

Photo credit: Unsplash