Outsourcing the Cyber Kill Chain: Reinforcing the Cyber Mission Force and Allowing Increased Contractor Support of Cyber Operations

• Author: Homer A. La Rue
• Position: J.D. candidate at Georgetown University Law Center, Class of 2022, and currently serves the U.S. Department of Defense as a warranted contracting officer
• Pages: 583-609

STUDENT NOTES

Outsourcing the Cyber Kill Chain: Reinforcing the

Cyber Mission Force and Allowing Increased

Contractor Support of Cyber Operations

Homer A. La Rue*

INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584

I. THE U.S. NEEDS TO REINFORCE ITS CYBER MISSION FORCE . .. . . . . . . . . 586

A. The United States is Under Persistent and Increasing Threat

of Cyber-Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586

B. Cyber Command Will Conduct More Cyber Operations . . . . 589

C. The CMF was not Designed for Defend Forward or Persistent

Engagement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590

II. CYBER COMMAND SHOULD REINFORCE THE CMF WITH CONTRACTOR

SUPPORT . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592

A. Background: The Cyber Operation Kill Chain and Current

Levels of Outsourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592

1. The Cyber Operation Kill Chain . .. . . . . . . . . . . . . . . . . 592

2. Pre-Launch – Current Contractor Participation in the

Cyber Kill Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594

C. The Recommendation: Moving Down the Kill Chain . . . . . . . 594

1. Contractors Should Support Every Phase of the Kill Chain 594

2. Scope Limitations: Short Term and Gray-Zone Operations

Only........................................ 595

III. THE ADVANTAGES OF INCREASED CONTRACTOR SUPPORT . . . . . . . . . . . . . 597

A. No Need for New Domestic Legal Authorities . . . . . . . . . . . . 597

1. Cyber Command’s Legal Authority to Conduct Cyber

Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597

2. Inherently Governmental Functions . . . . . . . . . . . . . . . . 598

3. The Computer Fraud and Abuse Act (CFAA) . . . . . . . . . 600

* Homer A. La Rue is a J.D. candidate at Georgetown University Law Center, Class of 2022, and

currently serves the U.S. Department of Defense as a warranted contracting officer. He would like to

express deep gratitude to Professor Mary B. DeRosa for her generous feedback and guidance. In

addition, the author would like to extend special thanks to the Journal of National Security Law & Policy

Managing Editors, Staff Editors, and LLMs who contributed such thoughtful edits to this paper.

Disclaimer: This article represents the opinions of the author, and does not represent the opinions, views,

or policy of his agency, the Department of Defense or any component thereof, or the United States

Government. © 2022, Homer A. La Rue.

583

4. Legal Obstacles Presented by Other Public-Private

Collaboration Models .. . . . . . . . . . . . . . . . . . . . . . . . . . 601

B. Cyber Command Can Fully Leverage the U.S. Technology

Sector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603

C. Contracting Minimizes Command and Control Risk . . . . . . . 604

IV. OTHER RISK CONSIDERATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607

A. Normalizing the Use of Cyber Proxies .. . . . . . . . . . . . . . . . . 607

B. Expanding the Market for Highly Sophisticated Cyber

Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607

CONCLUSION .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608

INTRODUCTION

The United States is under persistent and increasing threat of cyberattack.

1

A Proclamation on Cybersecurity Awareness Month, 2021, WHITE HOUSE, (Sept. 30, 2021),

https://perma.cc/P3JJ-NMF5. This paper uses the term ‘cyber-attack’ as it is defined by the U.S.

National Institute of Standards and Technology (NIST), Computer Security Resource Center (CSRC).

The CRSC defines a ‘cyber-attack’ as “[a]n attack, via cyberspace, targeting an enterprise’s use of

cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing

environment/infrastructure; or destroying the integrity of the data or stealing controlled information.”

Cyber Attack, NAT’L INST. OF STANDARDS & TECH., (Dec. 2, 2021), https://perma.cc/3MW7-WWZR.

As

the successful attacks against SolarWinds,

2

Robert Morgus, The SolarWinds Breach Is a Failure of U.S. Cyber Strategy, LAWFARE BLOG

(Dec. 18, 2020, 8:01 AM), https://perma.cc/6FFV-S7HD.

Microsoft,

3

Thomas Brewster, Warning: ‘Extremely Serious’ Microsoft Vulnerabilities Hacked By

Ransomware Criminals, FORBES (Aug. 23, 2021, 6:33 AM), https://perma.cc/Q2FD-P2DV.

and Colonial Pipeline

4

David E. Sanger & Nicole Perlroth, F.B.I. Identifies Group Behind Pipeline Hack, N.Y. TIMES

(May 10, 2021), https://perma.cc/KR8F-5B7P.

indicate, the U.S. is still working to secure critical supply chains and infrastruc-

ture against future attacks.

5

This task is made more difficult by the fact that so much of U.S. critical infrastructure is owned

and controlled by private industry. INT’L INST. FOR STRATEGIC STUD., CYBER CAPABILITIES AND

NATIONAL POWER - A NET ASSESSMENT, 16 (2021), https://perma.cc/4MVE-W656.

In addition to efforts to make the U.S. more resilient

to attack, the United States has responded to the growing cyber threat by commit-

ting U.S. Cyber Command to more assertive and persistent peacetime confronta-

tion of cyber adversaries.

6

Paul M. Nakasone, A Cyber Force for Persistent Operations, 92 JOINT FORCE Q. 10 (2019), https://

perma.cc/9VKD-XJQG. See also Vishnu Kannan, What Really Happened in the Cyber Command

Action Against Iran?, LAWFARE BLOG (July 11, 2019, 10:15 AM), https://perma.cc/6DCN-65MT;

Robert Chesney, Persistently Engaging TrickBot: USCYBERCOM Takes on a Notorious Botnet,

LAWFARE BLOG (Oct. 12, 2020, 3:53 PM), https://perma.cc/M8TA-BLUH.

This more-assertive U.S. cyber strategy will require the Department of

Defense (DoD) Cyber Mission Force (CMF) to conduct more cyber operations.

7

This paper uses the term “cyber operations” to refer to “the employment of cyber capabilities to

achieve objectives in or through cyberspace.” TALLINN MANUAL 2.0 ON THE INTERNATIONAL LAW

APPLICABLE TO CYBER OPERATIONS 564 (Michael N. Schmitt ed., 2017), [hereinafter Tallinn Manual

2.0]. That definition is sufficient for the purposes of this paper, though DoD distinguishes offensive

cyber operations from defensive cyber operations. See CATHERINE A. THEOHARY, CONG. RSCH. SERV.,

IF10537, DEFENSE PRIMER: CYBERSPACE OPERATIONS 1 (2021), https://perma.cc/3ABC-TT63.

However, the CMF force structure and size were not designed with this new

1.

2.

3.

4.

5.

6.

7.

584 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 12:583