Over the past couple of months, the Pentagon has assumed an increasing role in defending American networks. In October, Secretary of Defense Leon Panetta announced new rules of engagement for the Pentagon's cyber operations. "The new rules will make clear that the department has a responsibility, not only to defend DOD networks, but also to be prepared to defend the nation and our national interests against an attack in or through cyberspace." Panetta insisted that the Pentagon would play only a "supporting role," but as James Lewis at the Center for Strategic and International Studies pointed out, "When it comes to cybersecurity, the center of action just shifted." And, indeed, a few weeks ago, the Washington Post revealed that President Obama had signed a secret directive expanding the U.S. military's authority in cyberspace to include defense of non-military networks.
It is a sign that efforts to develop the capacity of the Department of Homeland Security (DHS) to defend cyberspace have not kept pace with the perception of increasing threats. But it's also a sign that the United States is struggling to adapt to a world of transnational threats -- and risks eroding the fundamental distinction between the traditional roles of civilian and military forces in providing security. The Posse Comitatus Act of 1878 has restricted the deployment of federal troops in the homeland since the end of Reconstruction. It enshrined the idea that police forces are responsible for security within U.S. borders, while the military protects against threats beyond the country's borders. That is why only in extreme circumstances -- a natural or man-made crisis -- do we see troops in the streets.
The new policy is essentially the result of a trade-off between authority and capacity: The Department of Homeland Security has the authority, but not sufficient capacity to effectively defend the nation's networks. In contrast, the Department of Defense has better capacity, but not the authority. The choice then is to build up DHS's capacity, leaving the nation less protected in the interim, or expand DOD's authority. (This publication by National Defense University provides a more comprehensive analysis of the various policy options.)
Apparently, DHS has not been coming on fast enough. Lewis notes that "Iran has discovered a new way to harass much sooner than expected, and the United States is ill-prepared to deal with it," referencing the cyberattacks against the Saudi Aramco and RasGas companies. Secretary Panetta points out, "We know that foreign cyber-actors are probing America's critical infrastructure networks.... We know of specific instances where intruders have successfully gained access to these control systems. We also know they are seeking to create advanced tools to attack these systems and cause panic, destruction, and even the loss of life."
So does that mean the Posse Comitatus Act doesn't apply in cyberspace? Or if it does apply, how so? While cyberspace is bound by physical infrastructure located on territory with national borders, cyberspace as a domain is very different from any of the four other territorial domains -- land, sea, air, and space. There is no physical border in cyberspace that an attacker must cross to hit his or her target, as there was for the British ships in 1777, the Japanese planes in 1941, or the terrorists on 9/11. An attack can happen anywhere within the United States, and in the case of zero-day exploits -- cyberattacks using a previously unknown vulnerability -- without prior warning. Given the continued challenges in attributing the source of an attack, how will the government know whether suspicious activity is a criminal matter most appropriate for law enforcement, or a security matter falling within the Department of Defense's mission to protect the nation against threats from abroad?