The FY2012 defense authorization act of December 13 included the following
Congress affirms that the Department of Defense has the
capability, and upon direction by the President may conduct
offensive operations in cyberspace to defend our Nation,
Allies and interests, subject to–
(1) the policy principles and legal regimes that the
Department follows for kinetic capabilities, including the
law of armed conflict; and
(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).
It goes on to say that spying also is authorized
Military activities in cyberspace (sec. 954)
The House bill contained a provision (sec. 962) that would
clarify that the Secretary of Defense has the authority to
conduct clandestine cyberspace activities in support of
military operations pursuant to the Authorization for the Use
of Military Force (Public Law 107-40; title 50 United States
Code, section 1541 note) outside of the United States or to
defend against a cyber attack on an asset of the Department
And finally the War Powers Act may not be applicable
The conferees stress that, as with any use of force, the War
Powers Resolution may apply.
Oh, whoops, that says it may apply. I take that to mean force is authorized until someone objects or just notices that it should have been regulated under the War Powers Resolution. Obviously I'm not a lawyer, though.
The most interesting aspect of the development is how it could have a ripple effect to the private sector. As I wrote earlier, the Senate is talking about 2012 as the year for the government to retake a leadership role and help drive the security of unclassified, non-military computer systems.
NIST's involvement after the Computer Security Act of 1987 was for that specific purpose so they technically aren't forging new ground but rather back on a path started under the Reagan administration.
On the other hand this announcement that the government will invest in "offensive operations in cyberspace to defend" might just be the green light that some companies have been looking for to legitimize and subsidize their own "gray" or even "black" operations.
Is your information security department capable of a non-kinetic defense or gray cyberoffensive defense? Follow the U.S. government's lead and you may have your team cracking servers, manipulating social networks and stealing credentials from your threats in no time, within the laws and purposes of defensive action of course (e.g. add a good lawyer to the team).
Updated to add the Preemptive Strike iPhone Theme. Don't push that red button.