Cybercrime Vs. Cyberwar: Paradigms For Addressing Malicious Cyber Activity

Mieke Eoyang* & Chimène Keitner**
As we move toward a world of fully connected devices that share data on an unprecedented scale (the “Internet of Things” or IoT), the cybercrime enforcement gap will pose an ever-greater threat to personal and national security.[1] A variety of factors contribute to the relative vulnerability of the United States to harm from malicious cyber activity (MCA).[2] In 2018, then-DHS Secretary Kirstjen Nielsen warned that “our digital lives are in danger like never before.”[3] She identified the threat as coming from “hostile states, terrorists, and transnational criminals”—and, one might add, domestic terrorists and criminals.[4] In the face of these various threats, U.S. government responses to national security challenges in both the physical and virtual worlds have increasingly blurred the line between transnational crime and armed conflict. This shift in narrative comes at a cost. The displacement of law enforcement approaches by an armed conflict model carries implications for institutional design, legal authorities, and resource allocation. Notably, one result of a militarized approach to transnational cyber threats has been to leave domestic law enforcement officers inadequately trained, inadequately resourced, and inadequately supported to identify, deter, and punish offenders.[5] The urgent need for better resourced and better coordinated law enforcement responses suggests a corresponding need to keep the essentially criminal nature of most malicious cyber activity in focus, even as we grapple with the implications of MCA that is conducted, sponsored, encouraged, or tacitly permitted by nation-states.
* Then-Vice President for the Third Way National Security Program and Chairperson of the Cyber Enforcement Initiative. This article was completed before her return to government service, and represents her personal views, and not those of the US government, the Department of Defense, or President Biden. © 2021, Mieke Eoyang and Chimène Keitner.
** Alfred & Hanna Fromm Professor of International and Comparative Law, UC Hastings Law.
1. See, e.g., Allison Peters & Amy Jordan, Countering the Cyber Enforcement Gap: Strengthening Global Capacity in Cybercrime, 10 J. NAT'L SECURITY L. & POL'Y 487 (2020).
2. See Jack Goldsmith & Stuart Russell, Strengths Become Vulnerabilities: How a Digital World Disadvantages the United States in Its International Relations, AEGIS SERIES PAPER NO. 1806 (2018), https://perma.cc/M8LJ-HQZM.
3. DEP'T OF HOMELAND SECURITY, SECRETARY KIRSTJEN M. NIELSEN REMARKS: RETHINKING HOMELAND SECURITY IN AN AGE OF DISRUPTION (Sept. 5, 2018), https://perma.cc/DU2F-KXML.
4. See also FBI Director Christopher Wray, Statement Before the Senate Homeland Security and Governmental Affairs Committee (Oct. 10, 2018) (indicating that “[v]irtually every national and criminal threat the FBI faces is cyber-based or technologically facilitated”), https://perma.cc/DNU6-SUC5.
5. See, e.g., Nick Selby, Local Police Don’t Go After Most Cybercriminals. We Need Better Training., WASH. POST (Apr. 21, 2017, 6:00 AM), https://perma.cc/6P9G-4LL8; on the scale of the problem, see e.g., JONATHAN LUSTHAUS, INDUSTRY OF ANONYMITY: INSIDE THE BUSINESS OF CYBERCRIME (2018).

This contribution aims to encourage greater self-awareness about the consequences of viewing MCA predominantly through the lens of armed conflict, rather than law enforcement. The tension between competing paradigms for addressing criminal activity that rises to the level of a national security threat is familiar from—and can trace its roots to—the U.S. response to the attacks of 9/11. Rather than deal with transnational terrorism primarily as a law enforcement matter, the United States opted for a military response, invading Afghanistan in 2001 and Iraq in 2003. In the wake of 9/11, the U.S. government adopted the term “Global War on Terror” or GWOT and began viewing measures taken against terrorist groups and nation-states that harbor or support them through an armed conflict, rather than a law enforcement, lens. Many policy decisions previously addressed through civilian authorities and processes were revisited under new national security authorizations as part of this global “war.” For example, the decision to prosecute “enemy combatants” using military commissions rather than Article III courts exemplifies the view that the United States was, and is, engaged in a “war” on terror. Early justifications for the Bush administration’s Terrorist Surveillance Program, later revealed as “Stellar Wind,” rested on the President’s national security powers, and ignored existing civil and law enforcement authorities under the Foreign Intelligence Surveillance Act of 1978 (FISA).[6] This militarized paradigm has become embedded in our vocabulary, and it has informed the allocation of authority and resources in efforts to protect the United States from terrorist threats.
This contribution seeks to identify and assess the frameworks used to describe and deter malicious cyber activity, and to highlight legal and operational challenges in tackling problems that arise where these frameworks overlap or intersect. To that end, we examine two different models, an “armed conflict model” and a “law enforcement model,” that have been used to address the threat posed by such activity. The terms cyberwar and cybercrime, respectively, encapsulate each of these models—yet the line separating these categories is not well defined, and both terms have been used by laypersons and experts alike to describe conduct ranging from network intrusions to data exfiltration to denials-of-service. Our analysis of these ambiguities and their implications proceeds in four parts. Part I canvasses recent U.S. government approaches to combating MCA. Part II explores the assumptions underlying the predominant armed conflict model. Part III discusses the implications of characterizing MCA as cyberwar as opposed to cybercrime. Part IV concludes by suggesting that these characterizations should be viewed along a continuum, and that the law enforcement model should not be given short shrift by policy makers or—perhaps most importantly—appropriators.
I. U.S. GOVERNMENT RESPONSES TO CYBER THREATS
As the United States began grappling seriously with cybersecurity and malicious cyber activity, it did so within a militarized lens. In 2009, the Secretary of Defense directed the establishment of Cyber Command within the Department of
6. See U.S. DEP'T JUST., OFF. INSPECTOR GEN., OVERSIGHT & REV. DIV., REPORT NO. 2009-0013-AS, REV. DEP'T JUST.’S INVOLVEMENT WITH PRESIDENT'S SURVEILLANCE PROGRAM (U) (2009), https://perma.cc/P7H9-384M.
328 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 11:327
