Published by The Lawfare Institute
in Cooperation With
On Tuesday, Associate Deputy Attorney General Sujit Raman delivered the following remarks to the ABA Rule of Law Initiative annual conference in a speech entitled “The Rule of Law in the Age of Great Power Competition in Cyberspace.”
It is a privilege to be here today to speak at the ABA Rule of Law Initiative’s annual issues conference. And I am honored to follow to the podium three prominent defenders of the rule of law, both at home and abroad. Thank you, Judge McKeown, Mr. Mora, and Dr. Yang for dedicating your lives to upholding and promoting this noble ideal.
Our theme today is the rule of law in cyberspace. No topic could be more timely. And no domain poses a greater threat to America’s public safety and national security. As the Director of National Intelligence observed earlier this year, “Our adversaries and strategic competitors will increasingly use cyber capabilities—including cyber espionage, attack, and influence—to seek political, economic, and military advantage over the United States and its allies and partners.”
The threat isn’t limited to state actors. FBI Director Chris Wray informed Congress last fall that we also face sophisticated cyber threats from “hackers for hire, organized crime syndicates, and terrorists.” Not only do “[t]hese threat actors constantly seek to access and steal our nation’s classified information, trade secrets, technology, and ideas—all of which are of great importance to U.S. national and economic security[—][t]hey [also] seek to strike our critical infrastructure and to harm our economy.”
Reading quotes like this, you might think cyberspace is the 21st century equivalent of the 19th century Wild West. It’s true that actors in ungoverned physical spaces aim to spread instability around the globe, including through cyber means. But much of the world’s cyber instability today is caused by actors who live in very tightly governed spaces: authoritarian nations like China, Russia, Iran, and North Korea. These nations actively work to destabilize the U.S.-led international order, thereby promoting and advancing their own geopolitical interests.
I’d like to use my time with you this morning to discuss three interrelated ideas. The first is that we have moved into a new era of great power competition. In its early years, the internet’s openness seemed to represent an unvarnished good that would promote free thinking and human rights around the world; defeat authoritarianism; and drive the growth of new markets. Today, that vision has darkened. Our adversaries have used the internet to exercise control over their own populations. And they have leveraged cyberspace’s open and unregulated character to threaten our economic and national security; narrow our nation’s strategic advantage; and attempt to undermine our values.
The second idea relates to the importance of law in the new age of great power competition. International law—that is, the law governing the relationships between sovereign states—applies in cyberspace, and could serve as a stabilizing force in this new era. But international law in this context is still in its infancy, and many of the details remain to be worked out. The reality is that states tend to follow their own rules, especially in the “gray zone” between peace and war where so much of today’s great power competition is taking place. For that reason, I will emphasize U.S. domestic law, and the important role that the U.S. Department of Justice, in particular, plays in defending the rule of law in cyberspace, and in promoting global cyber norms.
Finally, I will briefly address a characteristic aspect of the new era in great power competition: foreign adversaries’ weaponization of information in their attempts to sow discord in our society, undermine our democratic values, and disrupt the rule of law within our own borders. I will explain how our domestic legal traditions empower us in this brave new era. And I’ll leave you with this thought: Under the Constitution, we are not powerless to confront and to counter other nations’ covert, deceptive misuse of cyberspace in their efforts to turn our free speech ideals against us.
Cyberspace was once seen as a medium for accelerating the spread of liberal values. As Ira Magaziner, President Clinton’s “internet czar,” observed in 1999, “The Internet is . . . a force for the promotion of democracy, because dictatorship depends upon the control of the flow of information. The Internet makes this control much more difficult in the short run,” he wrote, “and impossible in the long run.” “In addition,” Magaziner stated, “the Internet will promote better understanding among nations,” and “will be a tremendous force for improving education.”
Many thoughtful people shared those views, which in one form or another animated the internet governance policies of the Clinton, Bush, and Obama administrations. To be sure, technology firms experienced tremendous growth in those years, and the networked, interconnected world did draw closer together, creating obvious benefits. But since then, we have learned that many of the policy choices made in the internet’s infancy sowed the seeds of that early vision’s destruction.
To understand why, it’s useful to consider the internet’s structure. The way our defense strategists sometimes conceive of it, cyberspace is composed of three interdependent layers: physical, logical, and persona. Hardware and tangible infrastructure comprise the physical layer; the human beings who develop a digital representation of themselves (such as an email address or a social media profile) to participate in internet-connected activity, comprise the persona layer.
In the middle is the logical layer, in essence, the internet’s nervous system. Colloquially, we think of this layer as “code.” This is where data exists; it is also what links network nodes together, as packets of information move around the globe. To promote rapid growth and universal connectivity, those who shaped the internet prioritized the logical layer’s openness, speed, and mutability. They did not prioritize its security. Many internet protocols simply assumed that every other computer on the network could be trusted. Thus, for all its benefits, this open structure also came with a cost. It wasn’t long before our adversaries began using this aspect of the internet’s openness against us.
At the same time, the internet has never been truly “borderless” in the sense of being completely undifferentiated. As Jack Goldsmith observes, “the very notion of an ‘Inter-net’ implies fragmentation.” As data packets move from one connected network to another, they can be filtered and routed based on various attributes, including the source of the data, and the intended destination.
Authoritarian nations have used filtering to control the content of the data that enters and exits their borders, and to monitor and censor what moves around within them. China’s great firewall is probably the most notorious example; Russia’s reported plans to “unplug” from the global internet fall into the same category, as do that nation’s repeated calls in international fora for greater “information security.” Thus, the growth of the internet actually fortified illiberal regimes’ hold over their citizens, and empowered those governments in new and alarming ways.
Taken together, these trends have fundamentally reoriented international relations. Over the past few years, our competitors have used cyberspace to consolidate authority at home, while accessing our information and intruding into our affairs in ways they could never do in a purely physical world. All the while, they have carefully sought to operate below the threshold of the use of force, so as not to trigger an armed U.S. response.
Nevertheless, their tactics have become increasingly assertive.
As General Paul Nakasone, the commander of U.S. Cyber Command, observes, “Ten years ago, [cyber] threats were primarily [about] other nations” engaging in espionage by “coming into our networks and stealing information.” That activity was serious enough. The situation turned for the worse starting in 2013, when our adversaries “began disrupting a series of networks within the United States,” often targeting and victimizing private parties. From the denial of service attacks that Iran launched against our financial sector to the destructive attack it launched against an American casino; from North Korea’s targeted attack on Sony Pictures to its reckless propagation worldwide of the WannaCry ransomware; from Russia’s spread of the destructive NotPetya malware to the information operations it has launched against its adversaries around the world; from China’s mass theft of U.S. government personnel data to that nation’s sustained campaign of intellectual property theft—our adversaries, in General Nakasone’s words, have “mount[ed] continuous, nonviolent [cyber] operations that produce cumulative, strategic impacts by eroding U.S. military, economic, and political power without reaching a threshold that triggers an armed response.”
This, in a nutshell, is what we mean when we say that great power competition has revived—and that its “locus . . . has shifted to cyberspace.”
Both the latest National Security Strategy and the National Cyber Strategy identify a number of priority actions to ensure that America remains safe in this new era. Law enforcement plays an important role in our shared, all-of-government effort.
At the U.S. Department of Justice, our primary missions include enforcing federal criminal law and protecting national security. Combating cybercrime and cyber-enabled threats to our nation rate among our highest priorities. For many years, we have targeted and successfully disrupted transnational criminal syndicates engaged in cybercrime, as well as the digital infrastructure those actors employ. More recently, we began publicly charging foreign state actors whose malicious cyber activity broke U.S. law. It is fair to ask why we devote significant resources to prosecuting state actors whom we may never bring to the United States to face justice. And it is fair to ask why we shifted from an approach that relied mainly on intelligence collection and diplomacy to one that includes a law enforcement response. As I will explain, prosecutions of state-sponsored malicious cyber activity serve an important purpose, even if we cannot guarantee that we will be able to produce in court every individual involved.
Since the indictment of Chinese PLA officers in 2014, the Department of Justice has remained focused on state-sponsored criminal activity that targets U.S. companies. We are also now focused on activity that targets the U.S. political process. In the past two years, the Department brought more national security cyber cases against criminals acting on behalf of our major adversaries than in the previous five years.
There are several reasons for the increasing prosecutions. The main one is that we are following the threat, just as we did in responding to the threat of terrorism. As I’ve explained, nation states are engaged in activity that victimizes individuals and companies in the United States, violates U.S. law, and departs from international norms of responsible state behavior—norms that benefit all nations. Our criminal cases reflect our adversaries’ efforts to harm our companies and our nation.
Second, the increasing number of national security cyber cases reinforces the lesson that our adversaries’ conduct lies outside the norms of responsible behavior. The actions we highlight in indictments are not legitimate state-craft. They are crimes without justification in international relations. I will say more about that in a moment.
Third, our cases reflect our increasingly sophisticated ability to attribute this criminal conduct to the individuals and states involved. This ability is closely related to my second point, because it shows the commitment of our law enforcement and intelligence agencies to work closely together, while protecting intelligence sources and methods. These partnerships, which were forged in the counterterrorism context, serve to solidify the consensus that a law enforcement response to malign nation-state cyber activity makes sense.
In bringing these cases, we are guided by six basic principles.
First, the Department has a duty to enforce our laws and protect our people. We cannot refuse to act when foreign state actors violate our criminal laws, transgress established norms, and victimize our citizens. That is especially true when such crimes often represent severe violations of the victim’s privacy rights, and can have lasting, damaging impact. The Department has an obligation to work toward a future where our citizens can live and conduct their business with confidence in the integrity of their information and institutions.
Second, attribution is the key to deterrence. “Without attribution, there will be no consequences . . . and thus, no deterrence.” Attribution through the criminal justice system escalates the stakes for state-sponsored activity in a way that a press release or a public statement alone would not. We have on occasion obtained custody of foreign criminal defendants. Our indictments limit their travel. And the prospect of criminal indictment can help deter some cyber actors from engaging in such conduct in the first place. This can make it more difficult for states to recruit the manpower and resources for cyber-attacks, and raise the cost of engaging in malicious cyber activity.
Third, attribution through the criminal justice system is a powerful way to expose state conduct that violates norms of responsible behavior. It complicates our adversaries’ attempts to feign ignorance of illegal acts they thought could be taken in secret, or to hide behind public denials. Our cases are governed by well-known policies relating to the conduct of all federal prosecutors. An indictment is brought by a grand jury, under established procedures; charges are brought only when the facts and law justify it. The allegations in our indictments are thorough and detailed, and we can prove them in a courtroom, using admissible evidence, at proof beyond any reasonable doubt. For all these reasons, criminal indictments are among the most powerful statements we can make as a government.
Fourth, unsealed indictments promote transparency. There will always be cases in which our ability to expose malicious cyber activity is limited by our obligation to protect intelligence sources and methods or sensitive ongoing investigations. But where we are able to do so, we strive to expose such schemes to the American people and the international community. Attribution through detailed indictments educates the public about our adversaries’ efforts and methods to spread disinformation, steal commercial technology, and target computer networks.
Fifth, although our goal is to hold accountable in court those we charge with trade theft or cyber crimes, our investigations can provide critical support for the use of civil, diplomatic, economic, and military tools. Some thoughtful critics have criticized the Department’s so-called “name and shame” strategy on the theory that our indictments have failed to stanch the activity. But you can’t separate our indictments from the broader array of tools our government now uses to counter malign cyber activity. These include freezing assets or prohibiting transactions, or adding companies to the Department of Commerce Entity List. As the National Security Advisor has confirmed, it also includes “undertaking offensive cyber operations” aimed at defending our national interests. Our tools also include other authorities that can block criminals’ assets, restrict their access to the banking system, and prohibit them from freely engaging in trade. We developed this approach to address terrorism and terrorist financing. We are applying it to the cyber threat, as well.
Finally, by using public law to emphasize the need to protect private U.S. victims against nation-state actors, we help develop the framework of public-private cooperation that is critical to cybersecurity. The Department tries to show through our actions how we can help companies respond to nation-state threats they cannot face alone, in a way that respects their status as victims. The Department has developed strong relationships with the private sector based on our aggressive pursuit of criminal nation-state conduct, ranging from cyber theft to information operations using third-party social media platforms.
No one seriously suggests that we can prosecute our way out of this problem. But to dismiss the role that federal law enforcement plays in the government’s shared fight against cyber-enabled threats is to unfairly discount—and diminish—our nation’s powerful commitment to the rule of law, both within our borders and without.
Before I conclude, I’d like to briefly address one final topic. That is the question of how we can respond to one of the latest and most potentially destabilizing manifestations of great power competition in cyberspace: our adversaries’ use of covert information operations to influence, and subvert, our nation’s democratic institutions, including specifically our elections.
The Department of Justice has been instrumental in revealing that foreign actors create and operate false U.S. personas on internet sites designed to attract U.S. audiences, and spread divisive messages. They also fabricate news stories in an effort to discredit American individuals or organizations. In the process, they reach unprecedented numbers of Americans covertly, without ever setting foot on U.S. soil.
These deceitful actions are especially pernicious because they seek to weaponize our traditions of free speech, open inquiry, and individual conscience against us, as part of a broader project to undermine the very concept of self-government.
Foreign attempts to pollute our public discourse are nothing new. These efforts have taken many forms across the decades, from covertly funding newspapers and financing front groups, to creating and spreading fake internal government communications. One traditional response has been to require transparency. The Foreign Agents Registration Act (FARA), for example, requires persons who engage in certain conduct as agents of foreign principals to register with the Department of Justice, to file periodic reports thereafter, and to include a “conspicuous statement” disclosing that relationship on any materials disseminated by the agent on behalf of the foreign principal. FARA’s purpose is to ensure that the American public and our lawmakers know the source of information that is provided at the behest of a foreign principal, where that information may be intended to influence U.S. public opinion, policy, and laws. The statute enhances the public’s and the government’s ability to evaluate such information.
Our recent indictments exposing Russian malign influence activity fall within the same heritage.
Uncovering and disclosing such malign influence activity after it has happened is not a panacea, however, especially where public disclosure of a foreign influence operation could amplify it; could create undue public alarm or confusion; or could compromise intelligence sources and methods.
That raises obvious questions: In defending our elections, are we limited to enforcing federal disclosure laws and other federal criminal laws that address foreign interference in our elections? And are we limited to uncovering and disclosing such conduct only after it occurs? Or can we take affirmative action to prevent covert, cyber-enabled foreign influence campaigns that are designed to attack and undermine our elections through the weaponization of speech? I think the answer to that last question is yes.
If non-U.S. persons outside the United States are covertly interfering in our elections, whether through malicious cyber activity or covert operations using social media, the government can act to prevent that conduct consistent with the First Amendment. The fact is, it has been settled law for over a century that non-U.S. persons located outside the United States have no rights under the First Amendment. Foreign governments similarly lack First Amendment protection.
The more difficult question is whether hypothetical U.S. government efforts outside our borders to block or target such activity would impact the First Amendment rights of U.S. persons who are potential consumers of the covert foreign dissemination —or, for that matter, the free speech rights of U.S. persons whose own online speech may be amplified by covert foreign activity (as where covert foreign-controlled accounts disseminate the content using bots).
In a line of cases stretching back several decades, the Supreme Court has indicated that the First Amendment encompasses a “right to receive” information, that is, a right of a would-be recipient of information that is independent of any right possessed by the speaker. Hypothetical activity by the U.S. government to prevent foreign dissemination of information to the American public could therefore implicate the First Amendment rights of U.S. citizens and residents to receive information.
In my view, however, such hypothetical activity would likely not violate the First Amendment where it targets messaging covertly disseminated by a foreign government and/or its agents seeking to interfere with a U.S. election, and where our government’s actions are based exclusively on the (foreign) source of the information.
That is because the Supreme Court precedents suggesting that Americans might have a right to receive foreign “political propaganda” and circumscribing the government’s ability to “limit[ ] the stock of information from which members of the public may draw” when making voting decisions, presuppose that the recipient can weigh the information he receives in light of the source of that information, so as “to evaluate the import of the propaganda.” The calculus is very different where the foreign actors have deceitfully misattributed information in a manner designed to mislead rather than inform. The First Amendment does not provide a right to receive covert foreign propaganda. Otherwise, disclosure statutes like FARA would be unconstitutional.
Hypothetical U.S. government activity would likely be consistent with the First Amendment even where it involved action to prevent foreign governments and their agents from covertly amplifying the online speech of Americans. The speech of Americans is fully protected by the First Amendment; the government thus could not remove or impede the online communications of a U.S. person. But such a person has no constitutional right to amplification by a foreign government, which itself is without constitutional rights. The Department of Justice has previously expressed the view that a U.S. person has no First Amendment right to speak on behalf of a foreign nation, on the theory that the U.S. person’s speech in that context isn’t his speech at all, but rather that of “his [foreign] master’s unprotected voice.” In much the same way, a U.S. person’s ability to speak is not impaired by the denial of amplification from a foreign nation that lacks First Amendment rights, at least where the amplification conceals the role of the foreign nation.
I should emphasize that my thinking here is tentative and the context is hypothetical. Moreover, my thinking assumes two important factors, namely, (1) hypothetical U.S. government activity would target covert acts by a foreign government and/or its agents, and (2) our activity would focus on protecting the integrity of the U.S. electoral system—though the analysis for covert foreign speech relating to political issues generally may well follow a similar track. Under these circumstances, U.S. government activity to regulate harm from foreign misinformation would be on the most solid ground.
Let me close by emphasizing that how we respond to the challenges posed by this new era of great power competition in cyberspace will have far-reaching consequences. As our adversaries use fraud, theft, and deception to project their power and to undermine internationally-supported norms, I am reminded of the words of U.S. Supreme Court Justice Robert H. Jackson. Writing in the wake of the Second World War, when the global community faced a different set of emerging challenges, Justice Jackson noted that “[w]e are put under a heavy responsibility to see that our behavior during this unsettled period will direct the world’s thought toward a firmer enforcement of the laws[.]”
I can think of no more poetic a description of our duty today. We, too, face an uncertain future. And we, too, must act in accordance with law, ensuring that everything we do in these unsettled times directs the world’s thoughts “toward a firmer enforcement of the laws.”
Thank you for everything you do to aid in that noble effort.