Trump's Casual Approach to Cyber Warfare Puts National Security at Risk

Opinion China Iran War National security

Perhaps our government's habit of treating its own cyberattacks as if they aren't acts of war is attributable to the fact that our country is increasingly a gerontocracy, and older officials unfamiliar with technology have trouble grasping the nature and risk of the activity at hand. Or perhaps it's just another case of congressional disinterest in the legislature's constitutional role in foreign policy. Whatever the reason, Washington's casual approach to cyber warfare is dangerous, and an investigation published by Yahoo News this month shows just how lax U.S. cyberattack policy has become.

At the impetus of hawkish figures like Secretary of State (and former CIA director) Mike Pompeo and former national security adviser John Bolton, Yahoo reports, the Trump administration has given the CIA wide latitude to conduct cyber warfare with little to no oversight from the White House or Congress. In 2018, President Donald Trump signed a secret authorization, called a "presidential finding," which permits the CIA to carry out covert cyberattacks without first seeking presidential approval, as was previously required under the George W. Bush and Obama administrations.

Trump's finding reportedly allows the CIA to attack Russia, China, Iran and North Korea, and it leaves open avenues to strike other nations, as well. The attacks aren't limited to regime targets. The finding permits cyberattacks on individuals, businesses, media outlets, charities and even religious institutions if the CIA suspects them of working for an adversarial government—and the finding lowers the evidentiary standard for that suspicion, too. "Before, you would need years of signals and dozens of pages of intelligence to show that this thing is a de facto arm of the government," an unnamed former U.S. official told Yahoo. Now, "as long as you can show that it vaguely looks like the charity is working on behalf of that government, then you're good."

The use of "attack" here is crucial to understanding what Trump's finding permits and why cyber warfare requires far more oversight than this arrangement produces. The CIA's use of its new power "has been a combination of destructive things—stuff is on fire and exploding," the same official said, "and also public dissemination of data: leaking or things that look like leaking."

Cyber warfare's effects are not limited to the technological realm. It isn't just "hacking": deleting files, taking down websites, corrupting databases or gathering digital intelligence. Cyberattacks can damage or destroy physical infrastructure. The use of "on fire and exploding" is not metaphorical. Data leaks like the information on millions of Iranians' debit cards published late last year (a breach some think was perpetrated by a state actor, possibly the CIA) can create mass financial risk for ordinary people. Cyberattacks can even kill people, whether directly—if they're inside a building or vehicle when it's destroyed—or indirectly, by fostering political instability that leads to violence (e.g., via election meddling) or exposing compromising information (e.g., by publishing private communications critical of an unscrupulous regime). With lowered evidentiary requirements, this puts innocent lives in peril.

President Donald Trump at CIA Headquarters — U.S. President Donald Trump speaks at the CIA headquarters on January 21, 2017, in Langley, Virginia. Olivier Doulier-Pool/Getty

The gravity of cyber warfare may often be missed because cyberattacks have yet to occasion a major shooting war. The United States has both perpetrated and suffered cyberattacks, notably hitting Iranian and Russian targets. These strikes haven't pushed us into open conflict, but they do have an escalatory effect. It's easy to imagine scenarios in which an accretion of U.S. cyberattacks—or even a single attack with serious enough damage—could tip the balance of U.S. relations with one of these targeted nations into outright war. A strike that blows up a missile site or medical clinic, like the as-yet unexplained explosions in Iran this year, is no less an act of war when accomplished with a computer rather than a drone.

Treating cyberattacks like they're not "real" warfare is naïve and reckless. The CIA should not have free rein with a tactic that could conceivably implicate the United States in a new war—in the worst-case scenario, nuclear conflict with a fellow great power in Russia or China. The Trump administration finding granting that rein was a mistake that must be reversed before U.S. security is put in irrevocable danger.

Like any initiation of military conflict, the authority to approve cyberattacks should rest with Congress, as the Constitution dictates. And the CIA, freed up from a busy schedule of self-directed cyber warfare, should instead bolster the obviously inadequate defenses of our own government's digital territory from those who would do us harm.

Bonnie Kristian is a fellow at Defense Priorities and contributing editor at The Week. Her writing has also appeared at CNN, Politico, USA Today, the Los Angeles Times, Defense One and The American Conservative, among other outlets.

The views expressed in this article are the author's own.