Professor Robert M. Chesney, Director of the Strauss Center, James A. Baker Chair in the Rule of Law and World Affairs, and Associate Dean for Academic Affairs at the University of Texas School of Law, recently published an essay in the Aegis Paper Series of the Hoover Institution Journal titled “The Domestic Legal Framework for U.S. Military Cyber Operations.” In it, he discusses the legal architecture for cyber operations which has been quietly built by Congress and the executive branch over the last decade. This legal regime has been characterized by the “defend forward” operational model, wherein the U.S. engages in persistent deterrent military cyber operations—a practice which has raised a host of legal questions. Lawmakers have answered these questions, Chesney notes, with a framework which includes four main elements: Authorization rules, process rules, transparency rules, and substantive rules. In the portion on authorization rules, Chesney delineates existing statutory authority, and then discusses the authority to conduct cyber operations without such statutory authorization.

Chesney then discusses the War Powers Resolution of 1973 in depth, focusing on the two ways in which it delineates distribution of war powers. In the section on process rules, Chesney discusses whether or not the chain-of-command approval process which is present in traditional military affairs operations also holds in the field in cyber operations, and then discusses the debate surrounding the precise definition of “traditional military affairs.” Chesney then moved to a discussion of existing transparency rules, which “oblige executive branch actors to provide certain information to Congress…if not also to the public.” After discussing the handful of transparency rules on the books, Chesney noted that further research is necessary to assess the functionality of these rules.  Chesney concluded by discussing substantive rules, which are those rules which prohibit a particular type of action or outcome, noting that the U.S. has yet to adopt any substantive rules on cyber operations. He concludes by noting that his assessment reveals that there is a surprisingly robust legal framework surrounding U.S. cyber operations, despite the field’s relative infancy. Read the full essay here.