Cyberterrorism and Private Infrastructure: a Thorny Legal Problem
By: David W. Opderbeck, Professor of Law, Seton Hall University Law School; Director, Gibbons Institute of Law, Science & Technology
Cyberspace is the new frontier in espionage, intellectual property theft, warfare between nation-states - and terrorism. Although fears of a cyber-Armageddon provoked by computer-savvy terrorist cells may be overblown, the tools necessary to produce substantial cyber-disruptions are readily available to anyone.
There is a thriving online black market in user-friendly, customizable malware, and for a relatively small fee, it is possible to rent a "botnet" of millions of compromised computers capable of initiating a powerful denial of service attack or other malicious event. Such events could disrupt intelligence gathering and communications capabilities in advance of a kinetic attack, destabilize financial markets, interfere with transportation, induce public panic, or even produce kinetic effects of their own when public utilities and other facilities are computer-controlled.
This threat poses a significant policy and legal problem because most critical cyber infrastructure is privately owned. As the ongoing public debate over the National Security Agency's online data collection programs demonstrates, it is very difficult to balance the twin goals of liberty and security in the cyber domain. This article maps some of the legal terrain over which any potential solution must travel. In future articles, I will discuss particular threats and possible responses.
Police, Military Power, and Intelligence: Basic Distinctions
Under our Constitutional system, broadly speaking, criminal matters are the responsibility of state and local police forces and national security matters are the responsibility of the military forces. A substantial role has also developed, of course, for federal law enforcement agencies as the body of federal criminal law has grown, but the law enforcement / military distinction remains.
Intelligence activities related to national security historically existed in a grey area between law enforcement and military activities. Abuses of power during the Vietnam era led to reforms such as the "Hughes-Ryan Amendment" and the War Powers Resolution. Such laws increased Congressional oversight over foreign intelligence activities and strengthened the "wall" between law enforcement and intelligence operations, which helps preserve the civil liberties of citizens in relation to law enforcement without compromising the ability to defend the nation against foreign threats.
The War on Terror
The September 11 attacks shattered any illusion that the wall between law enforcement and intelligence gathering, and the related balance between liberty and security, would be easy to maintain. In fact, the 9/11 Commission Report identified the wall as a primary reason why the attacks had not been prevented. The Report includes the infamous e-mail of a frustrated FBI agent stating that "someday someone will die-and wall or not-the public will not understand why we were not more effective and throwing every resource we had at certain 'problems.'" Among other efforts to break down the "wall," the Patriot Act amended the Foreign Intelligence Surveillance Act to lessen legal restrictions on surveillance - a change that led directly to the NSA wiretap programs.
The "War on Terror" is not technically a "war," but it has been prosecuted under the Congressional "Authorization for the Use of Military Force" issued on September 14, 2001. The AUMF triggers various emergency provisions under federal law that allow the Executive to take some actions that would fall under the law enforcement / civil liberties rubric in normal times. The AUMF authorized the President "to use all necessary and appropriate force against those nations, organizations, or persons he determines planned, authorized, committed, or aided the terrorist attacks that occurred on September 11, 2001, or harbored such organizations or persons, in order to prevent any future acts of international terrorism against the United States by such nations, organizations or persons."
There are significant legal and policy questions about the ongoing use of the AUMF to prosecute the war on terror when the original perpetrators of the September 11 attacks have all been killed or captured, but it remains in force.
Application to Cyber-Infrastructure
The Internet is not really a single, unified thing. It is, rather, a network of networks that are interconnected through common, voluntarily adopted communications protocols. It is helpful to think of the components of the Internet in terms of "layers." There is a "content" layer, which includes all of our actual communications over the Internet; a "code" layer, which includes the software protocols that enable different networks to "talk" with each other; and a "hardware" layer, which includes all the network's cables, switches, routers, computer servers, and other physical components.
The Internet's hardware and code layers were born in part out of U.S. military efforts during the Cold War. Significant aspects of both the hardware and code layers, however, were developed by private entities and academic institutions. The present hardware "backbone" of the Internet is controlled in large part by a small number of telecommunications companies such as Verizon and AT&T. The present code layer of the Internet is administered by a loose confederation of voluntary standards-setting organizations and, with respect to the domain name addressing system, by the Internet Corporation for Assigned Names and Numbers (ICANN), a semi-private organization. In other words, no national government or international governance body "owns" or "governs" the Internet.
The Internet's decentralized structure has facilitated its incredible rise, in the space of less than twenty years, from an obscure military and academic resource to the foundation of our contemporary global society. That same decentralization, however, means that efforts to prevent the use of the Internet as a tool of terror do not fit neatly into any legal box.
A Case Study: the Internet "Kill Switch"
These tensions have been highlighted in recent debates over the propriety of a Presidential Internet "kill switch." There is nothing exceptional in the notion that the Executive branch (the President, or a Governor) can temporarily suspend some civil liberties in the event of an emergency. There is, of course, an entire federal government agency - the Federal Emergency Management Agency (FEMA) - tasked with certain kinds of large-scale emergency response. But what about a "cyber" emergency?
What if, for example, a group of terror-hacktivists compromised a segment of Internet-connected utility providers using malware that threatened to spread nation-wide or even worldwide over the public Internet? Could the President, through FEMA or some other agency, issue an order to Verizon or AT&T to cut off Internet service to the public until the crisis is resolved?
The Obama Administration has claimed that legal authority for such a move already exists under a telecommunications statute that dates back to the 1930s, but that claim is highly dubious.
Proposals have been floated in Congress that would make this authority explicit, but they attracted sustained opposition from civil liberties groups and were scaled back significantly. The most recent proposals would establish voluntary public-private compliance frameworks and emergency contingency plans that could be triggered in the event of a major cyber event. Even these substantially watered-down proposals, however, have been sidelined by concerns over the NSA surveillance disclosures.
Thinking About Frameworks
The policy and legal complexity of emergency power over cyber infrastructure suggests the need for a graduated response. In my published work on this subject, I have suggested the following rubric for the exercise of Executive power over cyber emergencies. This rubric accounts for the different "layers" of the Internet, various levels of response (ranging from limiting some channels to priority communications, seizing or controlling some resources, or shutting down some resources), and varied time limitations and degrees of Congressional and judicial oversight:
The development of any such policy framework will require sustained attention from lawmakers, private Internet infrastructure operators, and the law enforcement, military and intelligence communities. I believe the task, though difficult, is central to the ongoing mission of preserving both liberty and security.