Cyber Defense Review

Enter the Policy and Legal Void

By Dr. Aaron Brantly | August 21, 2016

Soldiers are down range and have suites of tools available to them that they cannot use to their full capability. They are not technically limited, but rather constrained by the authorities and pre-requisite policies established in a pre-digital age. We tell them to go and defeat ISIS, Al al’Qaeda, or pick another future adversary, but they must do so with their hands tied behind their backs. Make no mistake, as a nation we are currently involved in a global conflict. The conflict is not defined by traditional weapons, but by bits and bytes traversing fiber lines and airwaves. This global information war collides with many of the values of Western Democracies, and the societal constraints of authoritarian regimes. The robust constraints on governmental instruments serve a valuable purpose, yet at the same time our Soldiers in the field are struggling to navigate complex legal and policy waters while corporations are drowning in data that might inform or provide context for a variety of mission sets. The volume and velocity of this data is only set to grow as globally the number of Internet enabled devices increases from approximately 17 billion to 50 billion and beyond. At the beginning of the digital age it is imperative that we, as a society, begin discussing the future we are rapidly entering.

Constraints are pivotal for maintaining the fundamental civil rights Americans cherish.  Civil rights, to include various liberties such as privacy, free speech, and freedom of religion among others are challenged by data repositories that eliminate anonymity and the ability to be forgotten and to forget. Yet, we as a society are fooling ourselves if we believe that when we order Google to delete us from search results, or Facebook to remove our profile that that data ever really disappears. The vast majority of US Internet users are simultaneously consumers and products in a complex digital ecosystem that will only become more complicated with the expansion of the Internet of Things into our homes, offices, and even our bodies. We and our political elite can pretend to be neo-Luddites, but we are not. We are voracious consumers of innovation. We innovate without significant thought to consequence, and in so doing often fail to assess the risks of the world we are designing.

As we demand and consume innovation, we ignore the fact that we are retaining the policies and laws of yesterday, and in the process shackling those in our society to whom we have assigned the responsibility for protecting us. As we innovate and adapt so to do our enemies, with terrorists, states adversaries, and criminal networks preying upon our innovation and learning to innovate and adapt as we do. All the while, we tell ourselves that if we provide the military and law enforcement with the policies and legal structure to defend us that we will be entering into some Orwellian nightmare. Yet, in many respects the nightmare is of our own making. We bleed trillions of dollars a year to cyber criminals and state espionage campaigns, and willingly allow those who engage in political violence, child pornography and other nefarious behavoirs to run rampant through the systems that we once thought would usher in a bright new era for humanity.

General Michael Hayden asserted during a talk after his time at the NSA that he would go right up to the line in using every legal authority granted him and the agencies under his control, but that he would go no further. He said the agencies of the federal government were designed to operate within a rule of law system beholden to the will of the people. Edward Snowden, the EFF, the ACLU, and others have challenged the extent to which federal authorities extend control over systems used by the US and allies. They have challenged the concept of secret courts and classified policy directives. Some have even indicated that individuals from the intelligence community (IC) engaged in illegal activities beyond the scope of even secret courts and classified policies. Around the margins there will always be those who violate the intent of law and policy. However, the vast majority of members of the IC are well intentioned individuals who seek to protect their fellow citizens.

The basic distribution of relevant national security and law enforcement authorities within United States Code are divided between Title 10 (Military), Title 18 (Law Enforcement), and Title 50 (Intelligence). The U.S. Code has been evolving in various forms since World War II, and was designed primarily in a pre-digital era in which it was logical to provide clear lines of demarcation between domestic and foreign, law-enforcement, military and intelligence. These lines are blurred in a world in which terrorists recruit from abroad, and plan in both conflict and non-conflict zones operations against the Homeland. These lines are strained by states engaging in cyberattacks against critical infrastructure, and espionage environments that span military, civilian, and intelligence spheres.

I have met with police agencies asking for intelligence capabilities, and with military organizations requesting the ability to view online media accounts with known terrorist connections. In the present environment, the tools available to track and engage terrorists are robust, but authorities require the military, IC, and law enforcement to engage in a dance along a legal and policy tightrope that slows the process down and increases risks. Moreover, because each entity is so ingrained within its authorized framework they are limited in their abilities to think effectively across the lines to anticipate what other agencies and entities need. Often they are further constrained by not knowing what they are truly allowed to share, when they are allowed to share it, and under what conditions. To some extent fusion centers provide valuable bridges between stovepiped institutions. Additionally, entities often embed personnel within one another’s structures, but even these attempts provide avenues for communication fail to fully mitigate the problems faced.

The constraints imposed by the various titles within the cyber environment are particularly frustrating when one realizes that the tools available to the corporate sector for marketing and sales often in many ways exceed the capabilities of both intelligence and law-enforcement. Critics are correct in challenging the assertions of the government and its agencies that these tools are capable of preventing all attacks, but as the volume of data increases, and as the skill and efficiency of the community increases in tandem with advances in technology and volumes and types of data, it is likely that these challenges will be met head on and solutions found.

We can and must educate the citizenry about the world we are rapidly entering. The world in which we carry mobile supercomputers that far exceed the capabilities of the devices used to land astronauts on the moon. We excrete data from our phones, our watches, our credit card transactions, our communications, our homes, and soon our cars. We produce zettabytes of data, and we are only at the beginning of the digital age. We can fool ourselves into saying we can remain private, we can remain anonymous, we can remain hidden from the future, but the reality is  far different. The US is operating in a policy and legal void based on a static technological environment of yesterday. Yet the environment is not static, it is nearly exponential.

Credit needs to be given to EFF, CDT, the ACLU, and others for challenging the conversation, but this challenge needs to go further and extend to our schools, our local and state and federal legislative and legal bodies. If we want to maintain the current constraints on law enforcement, intelligence and military institutions, we must do so knowing these constraints are self-imposed and carry certain risks, just as there are risks associated with the removal of constraints. We must acknowledge that the constraints we impose are primarily limited to those to whom we have delegated responsibility for our protection both at home and abroad and not to the companies we so willingly give our data to on a daily basis. We must recognize that we will continue to generate and consume enormous amounts of data both as consumers and products in a complex socio-technical-economic ecosystem that is still in its infancy. It is only by confronting the reality of both the present and the future that we can begin to address the current status of laws and policies and determine where they need to be.



US Army Comments Policy
If you wish to comment, use the text box below. Army reserves the right to modify this policy at any time.

This is a moderated forum. That means all comments will be reviewed before posting. In addition, we expect that participants will treat each other, as well as our agency and our employees, with respect. We will not post comments that contain abusive or vulgar language, spam, hate speech, personal attacks, violate EEO policy, are offensive to other or similar content. We will not post comments that are spam, are clearly "off topic", promote services or products, infringe copyright protected material, or contain any links that don't contribute to the discussion. Comments that make unsupported accusations will also not be posted. The Army and the Army alone will make a determination as to which comments will be posted. Any references to commercial entities, products, services, or other non-governmental organizations or individuals that remain on the site are provided solely for the information of individuals using this page. These references are not intended to reflect the opinion of the Army, DoD, the United States, or its officers or employees concerning the significance, priority, or importance to be given the referenced entity, product, service, or organization. Such references are not an official or personal endorsement of any product, person, or service, and may not be quoted or reproduced for the purpose of stating or implying Army endorsement or approval of any product, person, or service.

Any comments that report criminal activity including: suicidal behaviour or sexual assault will be reported to appropriate authorities including OSI. This forum is not:

  • This forum is not to be used to report criminal activity. If you have information for law enforcement, please contact OSI or your local police agency.
  • Do not submit unsolicited proposals, or other business ideas or inquiries to this forum. This site is not to be used for contracting or commercial business.
  • This forum may not be used for the submission of any claim, demand, informal or formal complaint, or any other form of legal and/or administrative notice or process, or for the exhaustion of any legal and/or administrative remedy.

Army does not guarantee or warrant that any information posted by individuals on this forum is correct, and disclaims any liability for any loss or damage resulting from reliance on any such information. Army may not be able to verify, does not warrant or guarantee, and assumes no liability for anything posted on this website by any other person. Army does not endorse, support or otherwise promote any private or commercial entity or the information, products or services contained on those websites that may be reached through links on our website.

Members of the media are asked to send questions to the public affairs through their normal channels and to refrain from submitting questions here as comments. Reporter questions will not be posted. We recognize that the Web is a 24/7 medium, and your comments are welcome at any time. However, given the need to manage federal resources, moderating and posting of comments will occur during regular business hours Monday through Friday. Comments submitted after hours or on weekends will be read and posted as early as possible; in most cases, this means the next business day.

For the benefit of robust discussion, we ask that comments remain "on-topic." This means that comments will be posted only as it relates to the topic that is being discussed within the blog post. The views expressed on the site by non-federal commentators do not necessarily reflect the official views of the Army or the Federal Government.

To protect your own privacy and the privacy of others, please do not include personally identifiable information, such as name, Social Security number, DoD ID number, OSI Case number, phone numbers or email addresses in the body of your comment. If you do voluntarily include personally identifiable information in your comment, such as your name, that comment may or may not be posted on the page. If your comment is posted, your name will not be redacted or removed. In no circumstances will comments be posted that contain Social Security numbers, DoD ID numbers, OSI case numbers, addresses, email address or phone numbers. The default for the posting of comments is "anonymous", but if you opt not to, any information, including your login name, may be displayed on our site.

Thank you for taking the time to read this comment policy. We encourage your participation in our discussion and look forward to an active exchange of ideas.