While most details of the legal authorizations aren't known, the Times quoted anonymous sources as saying that the new policies "govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code – even if there is no declared war."
"The fact that DOD has moved to the point where it felt required to [conduct the policy review] is a step toward normalization and operationalization of cyberweapons," says Dan Kuehl, a professor of intelligence studies at Mercyhurst University and formerly at National Defense University. "If you've got a new bomb or a tank or a weapons system, there's a requirement to do a legal review of its usage – under the Law of Armed Conflict. With DOD having done that for cyber, it's a significant step toward normalization of cyber as a weapon we can actually use militarily."
Word that legal hurdles have been largely surmounted for cyberweapons comes amid a backdrop of daily reports of cyberespionage attacks on US businesses, government agencies, and the Pentagon – not to mention numerous recent statements of concern by the nation's military officials.
In a speech last fall, Secretary of Defense Leon Panetta warned of the potential for a "cyber 9/11" and urged tougher laws that would help protect US critical infrastructure like the power grid and water systems. Other current and former senior administration and Pentagon officials have echoed that concern – and say that the legal review is long past due.