Flame On: Malware, Collection, Covert Action, and TMA
A number of sources are reporting the discovery of a complex malware toolkit, mostly described as "Flame," which appears to have been distributed in a targeted fashion to infect computers in Iran in particular, though also throughout the Middle East. Wired's Kim Zetter has the most thorough coverage, here. The story is quite interesting in its own right, but I'm posting about it primarily because it is a useful fact pattern (if we assume for the sake of argument that the US government is responsible in whole or in part fo
Published by The Lawfare Institute
in Cooperation With
A number of sources are reporting the discovery of a complex malware toolkit, mostly described as "Flame," which appears to have been distributed in a targeted fashion to infect computers in Iran in particular, though also throughout the Middle East. Wired's Kim Zetter has the most thorough coverage, here. The story is quite interesting in its own right, but I'm posting about it primarily because it is a useful fact pattern (if we assume for the sake of argument that the US government is responsible in whole or in part for Flame, which has certainly not been acknowledged) for thinking through some of the complexities of federal law relating to the oversight and regulation of intelligence activities.
Zetter's account emphasizes that Flame in fact consists of a host of modules with distinct functionality, at least some of which are dormant as a default matter. For the most part, these modules are collection-oriented. That is, they aim in various ways to collect information and exfiltrate it (keystroke logging, screenshots, microphones, bluetooth scanning...the list is fascinating). But Zetter notes that there is some reason to believe that one or more modules may also provide the option of deleting or scrambling data on an infected machine as well. This highlights a fundamental point about malware. Malware, much like a human agent, can in theory serve both the purpose of intelligence collection and acting affirmatively to influence events. And again like a human agent, it may be hard to say on the front end of an operation which purpose, if either will be dominant. Flame, according to Zetter, is very much a collection-oriented toolkit...yet it does appear to have some capacity to foul up an infected computer as well, as the remote operator's discretion.
Would Flame therefore constitute covert action under Title 50 (again, assuming hypothetically it was a USG operation)? If so, a presidential finding would be required, the finding would have to be reported to HPSCI and SSCI (the oversight committees), and certain other constraints would come into play. So let's look at Title 50's relevant provisions. According to 50 USC 413b(e)(1) (Section 503 of the National Security Act), an activity is not a covert action for statutory purposes if the "primary purpose...is to acquire intelligence...." (though please note that if categorized as a collection activity, there would still be a statutory requirement to keep the oversight committees fully and currently informed). We all know, from the FISA/Fourth Amendment context, how tricky it can be to figure out what the "primary" purpose of a government activity can be at a given point in time, and from that same context we also should understand the possible argument that certain purposes are not so easily separable. But in any event, if one applies this particular primary-purpose test to Flame as a whole, it is certainly possible to argue that the exemption applies, given that the vast bulk of the functionality seems focused on collection. On the other hand, if instead one chooses to take an atomized or serial approach--i.e., asking this question repeatedly with respect to particular actions that might be undertaken once Flame is in place--the answer would differ once one gets to the moment when the remote operator wants to direct Flame to scramble or destroy information.
So which is the right way to approach this issue? The statute doesn't really provide the answer; it is, instead, the sort of nuance that has to be--and no doubt has been--worked out over time, at least to some extent, in the course of practice of the interactions between the relevant executive branch agency(ies) and SSCI and HPSCI. I've not heard before any rumblings that SSCI/HPSCI feel that the executive branch improperly exploits this particular issue to avoid a covert action determination, which may or may not indicate that the issue is reasonably well settled internally. Given that (as I noted above) this sort of uncertainty is not unique to cyberspace, but in theory can arise as well with respect to human agents, I do think it likely that the matter has been worked out (though I guess I should note here a report suggesting that HPSCI's chair, Rep. Mike Rogers, has argued that the recent operation involving a mole within AQAP (who foiled a new underwear bomb plot) was a covert action that was not reported to his committee; I suppose this could be tangled up in some way with the collection/covert action issue discussed above, though I think it more likely that it has more to do either with the apparent centrality of other state's intelligence agencies in running that operation or perhaps simply a CIA decision that notification simply had to be delayed in this instance; note too that categorization of that mole operation as collection rather than covert action would not actually void the obligation to keep Congress informed).
Now, this doesn't end the analysis. Let's say that one applies a serial approach, and is at the point of assessing the use of flame to destroy data rather than copy-and-exfiltrate it. Conclusion: not primarily a collection activity. But might it still avoid categorization as a covert action, under 50 USC 413(b)(2), which exempts "traditional military activities"? That is an interesting question, one for which we would need to know a lot more information. As I describe in way too much detail here, an unacknowledged operation can qualify as TMA if commanded and executed by military personnel (e.g., CYBERCOM), and if undertaken in a context in which overt hostilities either are ongoing (not the case here) or at least are "anticipated" in the sense that the National Command Authorities have authorized operational planning. Insofar as Flame is directed at Iran, one can certainly imagine that the requisite planning has been authorized. Insofar as Flame is also or instead directed at various terrorism-related targets, one can imagine both that the requisite planning has been authorized and even, in some instances, that a case can be made for a relationship to already-ongoing hostilities.
All of which is a long way of suggesting that the Flame fact-pattern would make a good final exam question. Speaking of which, time to get back to grading....
Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.