Cybersecurity & Tech

Revisiting a Framework on Military Takedowns Against Cybercriminals

Peter Pascucci, Kurt Sanger
Friday, July 2, 2021, 11:07 AM

The U.S. military’s mission is not to carry out military operations. Its mission is to defend the nation. Cyberspace offers the military an incredibly useful capability to advance national security. Cybersecurity is national security.

Lt. Gen. Edward C. Cardon, commander of U.S. Army Cyber Command and Second Army, speaking at the Billington CyberSecurity International Summit. (U.S. Army Cyber Command photo)

Published by The Lawfare Institute
in Cooperation With
Brookings

In an April Lawfare post, Jason Healey offered a five-part test to determine the appropriateness of using U.S. military cyberspace operations to respond to criminal cyber activities. The test counsels that the military should operate against criminal cyber threats based solely on their imminence, the perils they pose, their magnitude, and their link to major nation-state adversaries.

If implemented, Healey’s five-part test would significantly disadvantage the United States and take major assets out of the president’s hands. The self-restraint imposed by this test is ill fit given the nature of cybercrime, the nature of cyberspace targets, and the threats cybercrime poses to the nation and its interests. It is also worth considering whether such self-restraint is exactly what U.S. adversaries hope for when committing lawfare and engaging in gray zone operations.

In the months following Healey’s post, ransomware events have demonstrated that what initially may be categorized as crime may be better thought of as a national security threat. The Colonial Pipeline hack, in particular, highlights the broad and severe impacts criminals can inflict through cyberspace. Such malicious cyber events are geopolitical events with a clear criminal aspect, but this is not a determinative factor when assessing which federal organization is in the best position to take action. If the United States is to defeat these cyber threats, traditional notions regarding the division between criminal and national security matters must be reevaluated.

The cyber incidents encountered in this calendar year alone are sufficient to highlight the United States’ mounting security challenges. The scope and scale of harm from these incidents are also increasing in comparison to past cyber incidents. Unlike the WannaCry ransomware attack, the U.S. Office of Personnel Management hack, and the Sony hack, each of which sought to target somewhat discrete communities, the SolarWinds and Colonial Pipeline events had pervasive impacts on many communities.

Under ideal conditions, law enforcement organizations would address any type of criminal activity; however, in cyberspace, ideal conditions rarely prevail. Transnational crimes, of varying scale and sophistication, can surpass the capacity of U.S. federal law enforcement to take immediate action. Further, with cybercrime’s precise scope and intent often uncertain, operational opportunities often must be seized immediately by whatever entity is best positioned to do so.

Past bright-line separations of the roles and responsibilities within the executive branch introduced risks that have led to catastrophic consequences. The most conspicuous example was the bright line between law enforcement and intelligence activities that plagued effective information sharing prior to Sept. 11, 2001. This strict distinction served to protect against domestic U.S. intelligence abuses that emerged in the 1970s. In contrast, the risk of abuse in countering cyber threats is substantially less with the Department of Defense focusing on foreign threats rather than domestic ones.

Cybercrime, by its nature, is different from other types of crime. Criminals can achieve strategic-level impact across multiple nations, entities, and individuals while situated in jurisdictions unlikely to hold them accountable. Not long ago, it would take a well-resourced armed attack to achieve the strategic impacts that can be produced by some cybercrimes. Those contemplating such attacks would have to anticipate a victim’s potential use of force in self-defense, likely dissuading many from taking armed action. Through cyberspace, criminals contemplating such action need not fear meaningful prosecution, much less a kinetic attack by the victim.

Likewise, targets in cyberspace differ from kinetic targets. For example, locating Osama bin Laden took 10 years because he was a dynamic target, constantly on the move. A high-value cyber target, in contrast, can be protected in place through low-cost security measures like a patch or simple change of operational routine. It would be as if bin Laden could have protected himself by changing his clothes and going to sleep an hour earlier. Transferring operational opportunities between organizations in such an environment may sacrifice those opportunities.

The source of the U.S. military’s domestic law enforcement limitations is worth examining as strategic threats overlap with criminality. In the land, sea, air, and space domains, the U.S. military typically conducts offensive operations against other militaries and terrorist organizations, with exceptions for a discrete set of criminal actors such as transnational drug traffickers. Limitations regarding the U.S. military’s use for law enforcement, particularly in the domestic realm, have roots in law, policy, and tradition, but these same limitations need not apply to cyberspace operations.

The Posse Comitatus Act significantly circumscribes the use of the U.S. Army and Air Force for domestic law enforcement purposes. Department of Defense policy extends that restriction to the U.S. Navy and Marine Corps. The act, and many of the expectations Americans have regarding the military’s use within the United States, was driven by a preference to avoid using the military to police U.S. citizens following the Civil War. As recent history has shown, that preference persists.

But the risks and dangers the act seeks to safeguard against are not present in cyberspace. The Department of Defense’s missions are foreign focused; thus, it is unlikely U.S. forces would ever be used against a purely domestic criminal cyber threat. However, the use of the Defense Department in a national defense mission against a domestic criminal actor is not without precedent. On Sept. 11, 2001, Defense Department aircraft flew defensive operations over U.S. cities and were prepared to shoot down airliners in U.S. airspace to counter a terrorist threat—a criminal actor.

Regardless of the criminal nature of the threat in cyberspace, the Defense Department’s involvement would not have a domestic law enforcement focus but a national defense one. Even if an unusual set of circumstances steered leaders to contemplate the use of Defense Department forces against domestic cybercrime, uniformed service members conducting cyberspace operations would do so only virtually, from systems inside Defense Department installations, rather than through a physical deployment on U.S. streets.

Cyber threats do not align to stovepipe mission sets, much like what the U.S. learned about terrorism after 9/11. U.S. government departments and agencies were forced to realign their priorities to address terrorism, regardless of their domestic or international missions. In the face of such a sizable threat, every capability was mobilized to deal with it, and many federal entities were reorganized under the Department of Homeland Security to address missions more effectively. Cyber threats of every category demand similar mission and organizational flexibility.

The strategic cybersecurity threats facing the United States are so numerous that it makes little sense for any portion of its capability to be unnecessarily restrained when it can be used to address those threats. Additionally, given the uncertain scope and scale of a cybercrime threat, any policy structure that limits the best-positioned entity at the time of the threat from countering it fails to appreciate the timeliness with which cyber operations must be executed.

The U.S. military’s mission is not to carry out military operations. Its mission is to defend the nation. It uses military operations, as well as other operations and activities, to carry out that mission. Cyberspace offers the military an incredibly useful capability to advance national security. Cybersecurity is national security.

It is against the United States’ interests to limit the use of cyber capabilities by the military solely because the military traditionally opposed only the nation’s gravest threats, or only certain categories of threat actor, or because the military is better known for achieving missions through kinetic activities rather than achieving them through more peaceful, humanitarian mechanisms. Such attitudes are precisely what makes the gray zone so dangerous, and what makes lawfare so attractive to U.S. adversaries. If the United States insists on customary alignment between threats, federal organizations, and capabilities, it certainly will fail to protect its citizens, its interests and its values.

These opinions are the authors’ own and do not necessarily reflect official positions of the Department of Defense or any other U.S. Government organization.


Peter Pascucci is a judge advocate in the United States Navy. In 2015, he received an LLM degree in national security law from Georgetown University Law Center, where he is currently an adjunct professor. Throughout his career, he advised multiple senior Department of Defense leaders, including two combatant commanders, a fleet commander, and the Office of the Secretary of Defense, on cyberspace operations and other national security law matters.
Kurt Sanger retired from the U.S. Marine Corps on November 1, 2022, after serving over 23 years as a judge advocate. He is a 2015 graduate of the Georgetown University Law Center’s national security law program and was a cyber law instructor at the National Defense University. Kurt was an attorney with U.S. Cyber Command from 2014 to 2022.

Subscribe to Lawfare