
Cyber Operations on Domestic Networks Redux

Jason Healey, Paul Rosenzweig
Monday, November 17, 2025, 1:00 PM
What happens if Trump deploys cyber forces in the U.S.?
U.S. Cyber Command personnel at work at Fort Meade, MD, Oct. 28, 2020. Photo credit: Josef Cole/U.S. Cyber Command/Public Domain via DVIDS

Published by The Lawfare Institute in Cooperation With Brookings

Cyber operations may already be coming for Antifa. The rest of us, and especially Big Tech, will be caught in the middle.

This past June we wrote, speculatively, in these pages about the legal issues that might surround the deployment of U.S. military forces to conduct cyber operations against domestic targets. We feared that there were “few remaining obstacles to the U.S. military using offensive cyber operations at home against the president’s domestic ‘enemies.’” At the time, some observers derided our concerns as overly dramatized and apocalyptic. Even we, realistically, thought and hoped that our fears would far outstrip reality.

How times have changed.

Combat Troops in the Homeland

Just days after our article appeared, President Trump federalized National Guards across the nation and deployed the U.S. Marine Corps to Los Angeles. Beyond Trump’s use of National Guard troops to fight an invasion at the southern border—which is the focus of our original article—now troops have been deployed to Los Angeles, Washington, D.C., and Memphis because of (Trump contends) his inability “with the regular forces to execute the laws of the United States.” Attempted deployments to Chicago and Portland have, thus far, been restrained by the courts.

The domestic use of traditional federal military forces, which we considered a condition for follow-on use of cyber forces, is now reality.

Trump has also doubled down on his legal (mis-)characterization of his domestic political opponents as the “enemies within,” issuing two executive orders. One generally directs civilian executive agencies to combat domestic terrorism and organized political violence. The other defines Antifa as a militarist, anarchist enterprise calling for the overthrow of the U.S. government, and designates it as a domestic terrorist organization.

This definition of Antifa could be especially troubling when applied to cyber operations (and intelligence more generally). As Benjamin Wittes pointed out, “Antifa is not really an organization. It’s just a bunch of people and groups doing a bunch of different things, some of them constitutionally protected and laudable and some of them violent and criminal. It has no central leadership or organizational structure. It’s also not one group.”

The Trump anti-Antifa order then purports to authorize all executive departments to “investigate, disrupt, and dismantle” the criminal operations of any person acting on behalf of or providing material support to Antifa.

These two trends have come together almost seamlessly. In seeking to justify the deployment of troops to Chicago, the secretary of homeland security wrote to the secretary of defense as follows:

Federal facilities, including those directly supporting Immigration and Customs Enforcement … and the Federal Protective Service … have come under coordinated assault by violent groups intent on obstructing lawful federal enforcement actions. These groups are actively aligned with designated domestic terrorist organizations and have sought to impede the deportation and removal of criminal noncitizens through violent protest, intimidation, and sabotage of federal operations.

Taken together, Trump’s military deployments onto U.S. soil, and designation of Antifa as a terrorist organization, now make far more real the possibility that cyber operations against domestic groups will occur. Once the legal groundwork for military operations is laid, it is likely that all aspects of military force (both kinetic and cyber-related) will be employed.

Bringing Offensive Cyber Home

Many Americans likely support some goals that are also espoused by those groups that Trump might identify as Antifa. They might, for example, oppose fascism in America or equate Trump’s actions with those of historical fascists. Publicly saying so could readily result in their personal information being trawled and analyzed.

Worse, as a previous head of U.S. Cyber Command (and the National Security Agency) said 15 years ago, “you need the haystack to find the needle.” But what does this mean in practice? During the war on terrorism, this meant that intelligence agencies could collect two or three “hops” away from an individual suspect—in other words, if person A was a target who knew person B, and B in turn was in contact with person C, then intelligence collection against all three was authorized. If they used the same methodology here, an individual might be targeted if they know someone who knows someone who is a suspected member of Antifa.

To be “suspected” of being a member of Antifa (or another group designated by the government), the government would likely need to have probable cause (or possibly a “reasonable, articulable suspicion”) of a connection. The amorphous nature of Antifa may mean this is an even lower threshold than normal, since almost any action could, in Trump’s view, fit within the scope of allegedly prohibited activities.

Even worse, the use of cyber operations need not be limited to just vacuuming and analysis of information. The government might launch an operation to disrupt a suspected target’s allegedly “criminal operations” even if those acts were more appropriately characterized as political protest. The operations could come in the form of denial-of-service attacks, or the disabling of phones, computers, and servers. Imagine going to a protest that the Trump administration has determined is somehow associated with Antifa and soon after finding a pop-up note on your phone or computer that reads, “This computer and the data on it were used to support a designated domestic terrorist organization and is no longer operable. Please contact U.S. Cyber Command.”

To be sure, these activities might be undertaken by regular troops—we are not aware of instances in which cyber operators within state National Guards have been federalized. Thus, it remains the case that cyber operations are likely limited by the Posse Comitatus Act, which limits the use of regular military forces for domestic law enforcement. But either a federalized cyber National Guard or the Cyber National Mission Force might be deployed against protesters and political opponents if the president so directs and (as he has threatened) invokes the Insurrection Act.

Indeed, given that cyber activities (unlike the deployment of troops) generally take place outside the public view, it is possible that some surveillance operations have already begun. No one should be surprised if, at this juncture, national cyber operations were directed against—in increasing order of plausibility—the No Kings movement; the resistance to Immigration and Customs Enforcement in major cities; domestic human smugglers, to repel the “invasion” of immigrants since the military has already been ordered to “seal the borders and maintain the sovereignty, territorial integrity, and security of the United States by repelling forms of invasion”; U.S.-based drug smugglers, downstream of those in the “enemy combatant” boats blown up by the U.S. military; or domestic members of the Tren de Aragua or MS-13 gangs, who have also been designated as terrorist organizations.

The legality, vel non, of these sorts of activities is uncertain. Under traditional analysis, domestic surveillance activities must comport with the Fourth Amendment when directed at citizens. And these limitations would apply in modified form even to domestic intelligence collection against foreign nationals. But those protections arguably fade if the Insurrection Act is invoked since military actions are not generally subject to domestic law enforcement limitations. And even if it is not, so many of the president’s actions to date have been extralegal and unchecked that compliance with existing requirements is problematic and, in the case of surreptitious surveillance, often unverifiable.

Big Tech to the Rescue?

Though the situation has become more grave, the passage of time has at least suggested more solutions than the weak and unsatisfying “vigilance of citizens” upon which we hung our hopes in our first article.

One of the main remedies for an overreaching executive would be a counterbalancing legislature, which could reform the emergency acts that have granted so much authority to the president. First up, in a normal government, should be reform of the Insurrection Act to restrain Trump’s instinct to deploy the military. But that’s not happening.

Since courts may be more effective, civil rights groups and state and local officials should be ready with appropriate lawsuits to both remove the veil of classification from any military operations and put legal constraints on them. There may be other possibilities, so these groups and officials should brainstorm other potential countermeasures.

Unlike with troops on the streets, transparency may be a limiting factor, as citizens may not know if these cyber operations have been ordered or are underway. Vigilance by reporters will be, as ever, a first line of defense. Unless they want to be potentially complicit in spying on their own employees or their families, cybersecurity companies must be on the lookout for this activity and be prepared to report on U.S. cyber operations, something they’ve not previously tackled.

There is another potential line of defense—one that has become increasingly salient as this confrontation has intensified.

What will Big Tech do?

One possible model for their response might be Microsoft’s restriction of services in Israel. After a public report suggested that the Israel Defense Forces Unit 8200 was using Azure to track Palestinian phone calls, Microsoft restricted certain services. The company didn’t want its software to be part of the Israel-Gaza conflict.

So how will Microsoft or Amazon or any of the other major service providers to the federal government react when and if it becomes clear that their software services are enabling military action against domestic political opponents?

The firestorm over support for Israel in Gaza would look like a tempest in a teapot compared to the public uproar that would attend this kind of revelation. In such a military operation, the U.S. Department of Defense could go far beyond passively collecting communications to potentially hacking everyday Americans’ devices and disrupting them because they might be linked to “terrorists.” And yet, increasingly, it seems likely that this is no longer wild speculation.

Big Tech might have a limited response, to simply cancel certain services, such as data storage and other cloud services, that directly supported domestic offensive cyber operations. Beyond that, they might feel internal or external pressure to cancel some contracts that might be indirectly related to the government’s domestic cyber operations, such as for artificial intelligence (as happened previously at Google over Project Maven). At the most extreme, the blowback and impact to civil-military relations could be worse than that from the revelations from Edward Snowden, after which many major companies felt betrayed by the public exposure and National Security Agency operations against them, leading many to substantially restrict dealings with the military. This might not be an unlikely scenario as these companies would be assisting the government to spy on their own employees merely because they might know someone who hates fascists.

***

Trump is increasingly using the military in domestic contexts. He has threatened to go further—even further than we speculated he might a few short months ago. And he has doubled down on his characterization of his political enemies as potential domestic terrorists. All of this raises even higher the specter that military domestic intervention may occur—and if it does there will no doubt be a cyber component to that intervention as cyber tools are deployed against Trump’s adversaries. Trump’s war on Antifa—and other political adversaries—will only grow in the next few months. Whether Big Tech will resist that prospect remains to be seen.


Jason Healey is a senior research scholar at Columbia University’s School for International and Public Affairs. He has twice worked cyber issues in the White House, including as a founding member of the Office of the National Cyber Director, and helped create the world’s first cyber command, in 1998. He is a founding member and past president of the Cyber Conflict Studies Association and is a review board member of the DEF CON and Black Hat security conferences.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company. He formerly served as deputy assistant secretary for policy in the Department of Homeland Security. He is a professorial lecturer in law at George Washington University, a senior fellow in the Tech, Law & Security program at American University, and a board member of the Journal of National Security Law and Policy.