Following a challenging election cycle that saw renewed attempts at interference and disinformation by foreign state actors, America’s cyber and intelligence agencies were blindsided in December 2020 by a disturbing revelation. Russian intelligence services had broadly penetrated United States government and private industry networks for at least half a year. U.S. cybersecurity policies had utterly failed. Officials did not even learn of the attack until a private cybersecurity company, FireEye, publicly revealed that, while investigating Russia’s theft of its red-team toolkit, it had discovered malicious code inserted into software produced by SolarWinds. The compromised product, the Orion network management platform, is employed widely by government and private entities. The intruders did not exploit a flaw in Orion; they tampered with SolarWinds’ own build process so that the backdoored updates carried SolarWinds’ legitimate digital signature and were installed by customers through the normal update channel, a software supply-chain attack that ordinary signature checks could not catch. Further investigation has found that nearly 18,000 customers downloaded the tampered update, and that the intruders then selected roughly 250 of them for follow-on intrusion. On those networks the backdoor gave persistent access, from which the intruders moved on to other systems and accounts.
Affected entities include the Department of Justice, State Department, Department of Homeland Security, Treasury Department, Department of Labor, Department of Energy, Department of Commerce, Department of Defense, and the federal judiciary, in addition to multiple private sector and local government entities. As the investigation continues, it is becoming clear that the intruders obtained access to sensitive data (although no infiltration of classified networks has been detected) and that the full extent of the attack, including whether any sabotage was carried out or additional backdoors remain undetected, is still unknown. In the aftermath, most of the debate has centered on the failure of policy, particularly the failure of U.S. Cyber Command’s more aggressive “defend forward” posture under the Trump administration to prevent the attack. President Biden has ordered an interagency assessment and has stated that he will make a policy determination on how to respond once it is complete. There is, however, also a key legal question: what options is the Biden administration actually authorized to use in response?
I.
The options the Biden administration is authorized to use in response to the hack depend on several sources of law and on what legal findings are made. The first option is a response under war powers or other military powers. From a policy perspective, “war” may seem an extreme overreaction. As many have rightly pointed out, while the investigation is still ongoing, the SolarWinds attack initially appears to be an espionage operation rather than a military action, and even if it were a military action, there are strong policy reasons not to treat it as an act of war or to respond to it with one.
However, cyberattacks have the potential to be crippling: they can disable command and control (C2) systems and could conceivably shut down the entire military apparatus of a country. The SolarWinds intruders accessed critical systems, including networks of the Department of Energy and its nuclear security agency, and the full scope of their activities, including any alteration or destruction of data, remains unknown. For this reason, policymakers may consider attacks like SolarWinds to be close to, or on par with, physical attacks that justify exploring military powers. Several members of Congress have suggested as much in the wake of SolarWinds. Moreover, military action does not necessarily mean retaliating with kinetic force; it could take the form of certain retaliatory cyber operations. In any event, it is appropriate to consider what lawful options President Biden has under war and military powers, whether the response involves physical hostilities, use of the military for non-combat aims (e.g., intimidation or coercion), or a cyberattack with a digitally destructive or physically kinetic purpose.
Under domestic law, Article I of the Constitution vests the power to declare war in Congress but prescribes no form or timing for such a declaration. As for the President, Article II authorizes him to wage war upon a declaration by Congress, or upon a sudden attack that creates a state of war, which the President is “bound to accept…without waiting for any special legislative authority,” as the Supreme Court put it in the Prize Cases (1863). Since Congress has not declared war, and it is not obvious that the SolarWinds attack has triggered a state of war, the President is not automatically authorized to go to war (or to use the subordinate powers that a state of war triggers) in response to the hack.
The President also possesses powers that allow him or her to initiate hostilities without a declaration of war. Notably, the War Powers Resolution of 1973 sets out a reporting and time-limit framework: the President must report to Congress within 48 hours of introducing U.S. forces into hostilities and must withdraw them within sixty days (extendable by thirty days for the withdrawal itself) unless Congress declares war or specifically authorizes the use of force. If President Biden were to determine that physical or traditional forms of hostilities were a necessary response to SolarWinds, he could plausibly order forces into those hostilities, and he would be bound by the requirements of the War Powers Resolution.
If, however, he determines that a retaliatory cyberattack is the best response, it is not clear that he would be bound by the War Powers Resolution. Whether a retaliatory cyberattack counts as “hostilities” for the purposes of the War Powers Resolution, or as waging war for the purposes of Article II, would probably depend on the nature of the attack: whether it is intended for espionage, for kinetic effect (e.g., destroying uranium enrichment centrifuges by hacking industrial control systems), or for other purposes. Furthermore, the National Defense Authorization Act (NDAA) for Fiscal Year 2019, in section 1642, authorized the National Command Authority (the President and the Secretary of Defense) to take “appropriate and proportional action in foreign cyberspace…to disrupt, defeat, and deter” active, systematic, and ongoing campaigns by a list of specific adversaries that includes Russia. Yet that authorization says nothing about whether the War Powers Resolution applies or whether other separation-of-powers limits constrain the President’s authority to respond to an ongoing Russian cyber campaign. In short, under domestic law the President has statutory power to respond to an ongoing Russian cyberattack, but it is unclear whether that power is subject to the statutory and constitutional limits that traditionally govern the President’s war powers, and it is even unclear whether cyberattacks authorized by the President should be analyzed under a legal framework of war at all.
International law must also be considered. Given the ambiguities of cyberspace and the lack of a clear international legal framework for interstate cyber conflict, international law, as former National Security Council deputy legal adviser Yevgeny Vindman suggests, would essentially authorize the U.S. to act in self-defense if the U.S. asserts that the SolarWinds attack was an act of war. International law recognizes a right of self-defense against an unlawful use of force or armed attack, especially when the attack is ongoing. The primary question is when a cyberattack constitutes a use of force or armed attack. France, for example, has asserted that even an attack without physical destruction may cross its threshold. Since several states, including France and the Netherlands, have used declaratory policies to indicate their thresholds for treating a cyberattack as an act of war under international law, Vindman suggests that, within reason, the SolarWinds attack constitutes an act of war, and self-defense is authorized under international law, if the U.S. says it does.
II.
The scope of the SolarWinds attack remains unknown, and even once it is clear there may be policy reasons for pursuing the war/military route explored above. However, given that the attack initially appears to be cyberespionage, it is worth exploring what lawful options President Biden may have to retaliate using his intelligence and covert action powers. A proportionate retaliatory cyberespionage operation would probably be authorized by the same section of the FY2019 NDAA discussed above under the military action framework. The Hughes-Ryan Amendment of 1974 established the now-familiar “covert action” process, today codified at 50 U.S.C. § 3093, which requires the President to make a written finding for deniable operations (i.e., those in which the role of the U.S. will not be acknowledged) that are intended to influence conditions abroad rather than to collect intelligence. If the Biden administration takes the advice of those who suggest that the U.S. should launch an asymmetric retaliatory cyberattack against Russia, the covert action route could be used so that the U.S. could deny responsibility even while it would be clear to Russia who had sent the message. The covert action framework was most recently used for cyber operations under the Trump administration, which issued a finding authorizing the Central Intelligence Agency to target the networks of, among others, Russia and front organizations for Russian intelligence. In that type of response, the legal requirements for covert action, including the specific requirements for making findings and for reporting such actions to the congressional intelligence committees, would apply.
III.
The last general set of response options President Biden may consider is legal and diplomatic retaliation. These options are generally legally clear and plainly authorized by constitutional and/or statutory powers, though some may require the assistance of Congress. They include, but are not limited to, criminal indictments, sanctions, and a variety of diplomatic punishments ranging from expulsion of diplomats to withdrawal from treaties or other agreements. Criminal indictment has been used repeatedly against foreign state hackers engaged in espionage campaigns against the U.S. Given the Department of Justice (DOJ)’s tradition of prosecutorial independence, this is not a tool the President would wield directly; he would instead look to his Attorney General. DOJ officials can investigate, and are likely already looking into, indictments against the Russian intelligence officers who carried out the SolarWinds attacks.
Economic sanctions can be imposed by executive order under a national emergency declared by the President under the International Emergency Economic Powers Act of 1977 (IEEPA), whose broad framework is the basis of most U.S. sanctions programs. Generally this involves a highly coordinated interagency effort, but it can be done fairly quickly. There is precedent for sanctioning Russian agents under IEEPA for hacking. The Treasury Secretary has ongoing authority under an Obama-era executive order to sanction, in consultation with the Attorney General and the Secretary of State, “individuals and entities…responsible for or complicit in” specified harms caused by “significant malicious cyber-enabled activities.” President Biden could choose to declare a new emergency given the magnitude of the SolarWinds hack, or use the existing legal framework for cyber-related sanctions.
Diplomatic punishments cover a broad category ranging from individual measures, such as the expulsion of diplomats and restriction of diplomatic privileges, to high-level political action, such as withdrawal from treaties or agreements. A 1980 DOJ Office of Legal Counsel (OLC) opinion provides the current legal justification for the President to unilaterally declare individuals persona non grata and expel them from the United States, grounding it in the Article II power to recognize foreign nations and receive foreign ministers. The power is also traced back to the Washington administration and is recognized in international law under the Vienna Convention on Diplomatic Relations of 1961. There is precedent for expelling Russian diplomats as persona non grata in response to Russian cyber operations: President Obama ordered 35 Russian diplomats to leave within 72 hours in response to Russian hacking and political interference in the 2016 presidential election, and closed two Russian-owned compounds at the same time. Related punishments include closing diplomatic facilities and restricting diplomats’ travel. Higher-level diplomatic punishments, such as withdrawal from treaties or other arrangements, can also be carried out unilaterally. Article II, Section 2 of the Constitution sets out a specific process for entering international agreements but none for withdrawing from them. As a matter of domestic law, the President is generally understood to have the authority to withdraw from executive agreements concluded by predecessors. For treaties there is less legal consensus, but, due in part to tradition and to the Supreme Court’s refusal to reach the issue in Goldwater v. Carter (1979), the President can likely withdraw from treaties unilaterally. While there may be policy reasons not to do so, President Biden has the authority to withdraw from treaties or agreements with Russia in response to SolarWinds.
***
While the interagency assessment of SolarWinds continues, President Biden is no doubt being briefed on the lawful options available to him to respond to what many cybersecurity experts are calling the most sophisticated attack to date. The options explored here are just the tip of the iceberg of the Executive’s powers, some of which will become even more important, not only for responding to Russia but, more critically, for upgrading cybersecurity defenses and coordination in the months to come. Yet it is also apparent that the law governing critical military and intelligence powers needs more clarity specifically in relation to cyber operations. In particular, international law is ambiguous about the threshold at which a cyberattack becomes an act of war. Domestic law likewise needs clarity about which unilateral presidential powers, if any, are triggered by a cyberattack, and whether the President’s authority varies with the type of attack and/or the type of cyber response (e.g., a kinetic versus an espionage-oriented retaliatory operation) he seeks to employ.
More details on the hack continue to emerge, including that the Russian operators exploited the legal limits on the National Security Agency (NSA)’s authorities by running their attack infrastructure on servers inside the United States, out of reach of the foreign-focused NSA surveillance that might otherwise have spotted the activity at its origin in Russia. The assessment is still ongoing, but so is the attack, and there can be no full assurance that it has ended until every exposed system is rebuilt and every credential it touched is rotated; removing the compromised Orion software alone is not enough, because the intruders used their initial foothold to steal credentials and establish other forms of persistence. Given the intelligence community’s initial finding that the operation was conducted for espionage rather than sabotage or destruction, it seems likely that the Biden administration will steer away from military powers and rely on intelligence, covert action, legal, and/or diplomatic powers in its response. In any case, the legal conclusions laid out here and the growing consensus in cyber policy circles point the same way: there is no excuse not to assess and act.