* scholarship and commentary from the Harvard National Security Journal
The Harvard National Security Journal has recently posted a lot of interesting papers, including:
Steven G. Bradbury, The Developing Legal Frameworks for Defensive and Offensive Cyber Operations
[From the introduction to the speech] What I’d like to do today is to sketch out the basic legal framework that I see developing to govern the cyber operations of the federal
government. I want to talk, first, about the legal framework for defensive cybersecurity activities. Then I’ll address legal authorities potentially applicable to offensive cyber operations, including cyberwarfare. Lastly, I’ll say a word about possible responses to WikiLeaks.
Michael J. Glennon, The Cost of ‘Empty Words’: A Comment on the Justice Department’s Libya Opinion
[From the introduction] The April 1, 2011 opinion of the Justice Department’s Office of Legal Counsel (OLC), entitled “Authority to Use Military Force in Libya,” presents three main arguments in seeking to justify the constitutionality of the U.S. use of force against Libya: (1) the President has a “broad constitutional power” to order the use of force without congressional approval, particularly when the use of force isn’t really a war; (2) the existence of a United Nations Security Council resolution expands that power because the President has a responsibility to preserve the Council’s credibility and to ensure that its edicts do not turn out to be “empty words”; and (3) in any event, Congress has allowed the President to undertake this action through the War Powers Resolution, which permits him to use force for up to 60 days without specific, advance approval.
I proceed to suggest that none of these claims is convincing and I conclude with some thoughts about OLC’s concern about empty words.
Philip B. Heymann, Detention
[From the introduction] In a peculiar way, the still unresolved issues of seizure and detention of those suspected of alliances with terrorist groups and causes raise a set of fundamental jurisprudential questions.
First, international terrorism neither fits neatly into the practices and constraints of ordinary law enforcement nor does it justify the powers of a nation at war with a mighty foreign power. So don’t we need new law here and, if so, what should be the range of activities to which it applies; and must it not be international to serve our needs?
Second, developing new international law would take a decade or more. In the meantime, which body of law should the United States apply to guarantee minimum standards of accuracy, fairness, and humanity at the same time as adequate security? Or would we be legally justified to choose to satisfy either, depending on the situation?
Third, if the literal language of the protections of the law of war or the law of crime — each having been written with a quite different situation in mind — doesn’t meet these multiple needs for security, accuracy and fairness, does it at least make sense to insist that the obvious purposes of common protective provisions be honored during this interim period? If so, how would that work?
These questions, generally ignored, lie behind this paper.
David D. Clark & Susan Landau, Untangling Attribution
[Abstract] As a result of increasing Internet insecurity — DDoS attacks, spam, cybercrime, and data theft — there have been calls for an Internet architecture that would link people to packets (the fundamental communications unit used in the Internet). The notion is that this technical “fix” would enable better investigations and thus deterrence of attacks. However, in the context in which the most serious national-security cybersecurity threat the US faces is data exfiltration from corporate and government sites by other jurisdictions, such a solution would be a mistake. Cyberattacks and cyberexploitations are more different than they are the same, and multi-jurisdictional, multi-stage attacks (in which machine A penetrates and “takes over” machine B) are the critical cybersecurity threat. Meanwhile IP addresses are more useful as a basis for various kinds of attribution than has been sometimes thought, and the occasions when attribution at the level of an individual person is useful are very limited. We consider how cyberexploitations and cyberattacks might be traced, and discuss how technical contributions can only be contemplated in the larger regulatory context of various legal jurisdictions.