Cyberattacks and the Covert Action Statute: Toward a Domestic Legal Framework for Offensive Cyberoperations

Cyberattacks are capable of penetrating and disabling vital national infrastructure, causing catastrophic economic harms, and approximating the effects of war, all from remote locations and without the use of conventional weapons. They can be nearly impossible to attribute definitively to their sources and require relatively few resources to launch. The United States is vulnerable to cyberattacks but also uniquely capable of carrying out cyberattacks of its own. To do so effectively, the United States requires a legal regime that is well suited to cyberattacks’ unique attributes and that preserves executive discretion while inducing the executive branch to coordinate with Congress. The trouble is that it is unclear which domestic legal framework should govern these attacks. The military and intelligence communities have disputed which of their respective legal regimes should control. The choice between these frameworks raises important issues about the policy benefits of the executive branch keeping Congress informed regarding cyberattacks that it conducts. It also raises constitutional questions about the branches’ respective roles in warmaking when the chosen course of conduct blurs the line between an intelligence operation and an act of war. This Note argues that, in the absence of an independent congressional authorization to use force against a target, the covert action statute, which demands written reports from the president to the congressional intelligence committees in advance of operations, should presumptively govern, and that the president should issue an executive order to that effect.