Jack Goldsmith (photo: arcticpenguin)
In a very interesting Op-Ed in today’s Washington Post, Jack Goldsmith appears to slip and disclose new information about a US cyberattack on al Qaeda in Iraq. Since Goldsmith displays inside information about this attack, it is curious that the Post would neglect to mention Goldsmith’s service in the Bush Department of Justice’s Office of Legal Counsel.
Goldsmith opens the Op-Ed by pointing out the hypocrisy of the US position on cyberwarfare, quoting US Secretary of State Hillary Clinton’s blanket condemnation of cyberattacks and then pointing out that the US has a highly developed offensive capability that it has put into use. It is in getting down to the details of this offensive capability that Goldsmith reveals new information on a previously disclosed attack. This new information raises the question of whether Goldsmith might have been involved, in his previous role in OLC, in delivering legal authorization for this attack or others like it. Given that possibility, it seems puzzling that the Post would only identify Goldsmith by his current Professorship at Harvard and his participation in the Hoover Institution while ignoring his OLC history.
Here is the critical part of the Op-Ed:
Finally, the U.S. government has perhaps the world’s most powerful and sophisticated offensive cyberattack capability. This capability remains highly classified. But the New York Times has reported that the Bush administration used cyberattacks on insurgent cellphones and computers in Iraq, and that it approved a plan for attacks on computers related to Iran’s nuclear weapons program. And the government is surely doing much more. “We have U.S. warriors in cyberspace that are deployed overseas” and “live in adversary networks,” says Bob Gourley, the former chief technology officer for the Defense Intelligence Agency.
Note that Goldsmith says the US hacked into both cellphones and computers in Iraq. Yet, if we go to the New York Times April, 2009 article he cites, we find reference only to computers:
When American forces in Iraq wanted to lure members of Al Qaeda into a trap, they hacked into one of the group’s computers and altered information that drove them into American gun sights.
/snip/
So far, however, there are no broad authorizations for American forces to engage in cyberwar. The invasion of the Qaeda computer in Iraq several years ago and the covert activity in Iran were each individually authorized by Mr. Bush. When he issued a set of classified presidential orders in January 2008 to organize and improve America’s online defenses, the administration could not agree on how to write the authorization.
Because a date for the incident the Times reports is not given (it is merely “several years ago” in the April, 2009 article), it is not possible to determine whether it occurred during Goldsmiths’s brief tenure in OLC from October, 2003 to July, 2004. Note that Goldsmith is credited with having the worst of the initial OLC torture memos rescinded, only for new torture authorizations to be put into place after his departure. Also note that the Times states that the Iraq and Iran attacks were individually authorized actions, with the Bush administration still not achieving an overall authorization policy as late as January, 2008, long after Goldsmith’s departure from OLC.
In one sense, Goldsmith appears to be playing partisan games with his emphasis on the hypocrisy of the US position on cyberwarfare. What he really is doing with the Op-Ed becomes much murkier, though, when we realize that he is disclosing new information on previous attacks in which he might have played a role. I welcome any further insights that might be provided on what forces are in play with Goldsmith’s piece. Despite the uncertainty over Goldsmith’s motivations, his conclusion is good reading and appears to provide a useful framework from which to develop a cybersecurity policy:
Everyone agrees on the need to curb this race by creating proper norms of network behavior. But like Clinton, U.S. cybersecurity policymakers are in the habit of thinking too much about those who attack us and too little about our attacks on others. Creating norms to curb cyberattacks is difficult enough because the attackers’ identities are hard to ascertain. But another large hurdle is the federal government’s refusal to acknowledge more fully its many offensive cyber activities, or to propose which such activities it might clamp down on in exchange for reciprocal concessions by our adversaries.
