Main Logo Expert commentary on tech and security

Can lawyers lose wars by stifling cyber capabilities?

An Anonymous European Intelligence Official 23 July 2024
Share On:
Intelligence experts argue that stringent legal frameworks weaken the effectiveness of Western cyber defence capabilities
Main Top Image
Image created with the assistance of Midjourney

Lawyers don’t win wars, but can they lose one?’

Stewart Baker, former General Counsel of the United States National Security Agency, pondered this exact question in 2011, predicting that law could completely stifle Western cyber capabilities. In many Western intelligence and military agencies, his prediction is coming true.

Toothless watchdog

Recently, two ex-spy chiefs from the German foreign intelligence agency (BND) rang the alarm in a prominent German news outlet. They argued that the German intelligence community was being reduced to ‘toothless watchdogs’ because of ‘an excess of oversight’ and that ‘policies and courts must no longer denigrate intelligence services as a threat to the rights of German citizens’.

In the United States, critics argue that Section 702 of the US Foreign Intelligence Surveillance Act – a law many see as crucial for detecting and mitigating adversary cyber operations – is an unacceptable infringement on citizens’ privacy. David Ignatius recently offered a chilling account of how the CIA lost its competition with China’s intelligence services because regulation made agency operations inflexible and predictable.

Legal debates centred around balancing the ‘needs of national security with the needs for liberty’, as described by former director of the U.S. National Security Agency Michael Hayden, are not new. What is novel is that technologies crucial for cyberspace capabilities also increasingly permeate and structure everyday life. As we rely more on technology, so do our civil liberties – our privacy is intimately tied to our data. Yet to pursue strategic cyber competition, intelligence and military agencies must use these technologies. Legal imperatives put in place to safeguard civil liberties can directly impact a state’s ability to perform in cyber conflict.

Idealistic legalism

As debates raged on the renewal of Section 702, Hayden, together with Michael Goodman and David Gioe, recently stated: ‘Never before has an intelligence community begged, cajoled, and pleaded with lawmakers to enable it to do its job.’ For intelligence professionals, Section 702 is a vital legal tool for US national security. However, most discussions have merely centred around privacy concerns. Privacy advocates have even accused the US government of ‘scaring people’ when they have presented success stories of Section 702 – when intelligence gathered through the programmes it has enabled have thwarted security threats and saved lives.

Debates around cyberspace capabilities are increasingly focused on legal frameworks driven by privacy advocates, lawyers, lawmakers and legal scholars. These posit that without detailed laws, Western cyber powers would completely undermine democratic norms and values.

This increasing focus on law leads to what I call idealistic legalism: a one-sided view of the intelligence and cyber domains that sees law as an ideal governance tool in shaping cyberspace capabilities. Law is no longer seen as a system of checks and balances but as a way to shape state behaviour in cyberspace. Idealistic legalism causes legal debates on cyber capabilities to miss a crucial discussion point: what operational constraints are we willing to accept and what consequences does that have for our national security? Law has become a more important talking point than the capability we can bring to bear.

This is not a call for lawlessness. As an intelligence practitioner, I fully embrace regulations and oversight committees and recognise their role in legitimising and regulating my actions. It is not my place to determine the existence and form of legal frameworks – all I can do is attempt to make currently invisible constraints visible. Below, I will highlight four consequences of idealistic legalism.

Legal creep

First, law generalises and abstracts operational realities, providing a false sense of clarity that pushes policymakers to rely too heavily on legal codification instead of appreciating nuance. Laws attempt to capture as many activities in cyberspace as possible. To do so, legal frameworks must oversimplify. This is ill-suited to such a complex domain. To less knowledgeable policymakers, these frameworks become an easy but flawed tool for understanding cyberspace. This results in a seemingly unstoppable push for legal codification of every aspect of cyber operations, causing a paradigm of an ever-increasing reliance on law in decisions regarding such activities. The influence of practitioners slowly diminishes as lawyers increasingly take the lead in shaping senior leadership opinions on proposed cyber operations rather than merely advising.

Such legal creep negatively impacts the efficacy of cyber capabilities, as they are no longer predicated on operational realities but increasingly on legal opinions. As several scholars aptly put it in the title of a recent piece, ‘Blessed Are The Lawyers, For They Shall Inherit Cybersecurity’.

Effectiveness versus compliance

Second, the increasing reliance on law can create an environment in which compliance trumps effectiveness. When a proposed cyber operation is crucial for ensuring mission success but not codified in existing legal frameworks, it is not compliant and cannot be conducted. This is true even if such an operation adheres to norms in international law on respecting human rights and common principles such as proportionality and necessity.

For example, a law might stipulate that a (foreign) intelligence agency cannot collect information from systems owned by the citizens of its country. But what if, as Chinese and Russian cyber threat actors do, a system belonging to a citizen is being abused to route attack traffic through? Such an operational development is not foreseen, and thus not prescribed, by law. To collect information would then be illegal and require judicial overhaul – a process that can take years in a domain that can see modus operandi shift in a matter of days.

Such constraints can shape operational thinking so that practitioners no longer conduct effective operations, but compliant ones. As a former head of the Dutch Defence Cyber Command noted: ‘Lawyers are blocking the cyber experts’ imagination, improvisation, and creativity which are necessary for future cyber scenarios’. When effectiveness is seen as secondary, cyber activities may be compliant, but they are not winning the fight.

Law enhances asymmetry

Third, concern over following the law is one that is very much centred in democratic states. Initiatives attempting to establish international norms, such as the ICRC’s ‘digital red cross’, often miss the fact that non-democratic cyber actors do not intend to adhere to those norms. That is the consequence – or privilege – of being a democracy. We have an obligation to uphold civil liberties and the instrument for safeguarding these are legal constraints. However, such constraints also incur costs due to increased bureaucratic complexity. This hampers operational flexibility and innovation – a trade-off often not adequately weighed by, or even visible to, law- and decision-makers. When appointing ex-ante oversight boards or judicial approval, preparation time for conducting cyber operations inevitably increases, even for those perfectly legal from the beginning.

How can we pursue the initiative if legal processes to greenlight an operation take weeks, or if oversight committees shut down ongoing operations because of possible minor legal discrepancies or shifting interpretations of a legal norm? This is a losing game because, as Calder Walton noted, ‘Chinese and Russian services are limited only by operational effectiveness’.

From the shadows

Privacy advocates and government proponents both attempt to influence debates on legal frameworks in their favour. The reapproval of Section 702 was heavily debated in the public arena, and legal frameworks can even be subject to referendums – creating more incentive for influencing public debate.

Intelligence communities face little choice but to share how legal friction is undermining national security. That can only be done by doing what agencies are innately averse to, which is showcasing operations and modus operandi. Are agencies going to publicly admit they were unable to collect intelligence on certain adversary cyber actors because of legal boundaries?

The increased focus and weight put on law in public debates is making it almost inevitable that intelligence communities will need to do so, which is certainly not without national security implications itself. Constant publicity has the danger not only of cumulatively leaking sources and methods, but also of revealing our weak points.

The need for balanced debate

Idealistic legalism is increasingly constraining our ability to manoeuvre and contest our adversaries in and through cyberspace. A balanced debate on any legal framework overseeing cyber capabilities is necessary, with as much thought to operational constraints as to any inevitable privacy impact. In our desire to protect civil liberties and our democracy, we should not look merely to law, but as much to the actual capabilities that our intelligence and military agencies are able to bring to bear to protect our values.

avatar
An Anonymous European Intelligence Official

Related

Featured image
Binding Edge
Debunking NotPetya’s cyber catastrophe myth
Tom Johansmeyer 10 April 2024
Read more arrow
Featured image
Binding Edge
How to ‘harden’ open-source software
John Speed Meyers / Jacqueline Kazil 7 November 2023
Read more arrow
Featured image
Binding Edge
Countering transnational dissident cyber espionage
Siena Anstis 7 November 2023
Read more arrow

Terms & Conditions

Lorem ipsum odor amet, consectetuer adipiscing elit. Integer vestibulum massa; habitasse molestie velit tincidunt commodo. Blandit class sollicitudin in natoque fusce tincidunt maecenas tempor potenti. Turpis velit elit pulvinar aliquet sociosqu pharetra eleifend montes? Arcu sed ultricies gravida, tincidunt cubilia lobortis elementum elit. Lectus aptent suscipit auctor ultricies facilisi ultrices. Etiam pellentesque elementum lacinia morbi ac nulla fermentum primis. Eleifend scelerisque phasellus finibus nulla nisl. Dapibus nec accumsan scelerisque fringilla, tempus duis odio.

Duis odio urna mattis sociosqu ornare ligula torquent. Ornare tempus velit euismod nisi eu duis. Interdum torquent libero finibus porta sem ornare sit mauris. Facilisi consequat semper enim torquent nisl penatibus metus quis etiam. Habitant pharetra bibendum rutrum inceptos fermentum volutpat. Vulputate montes dis adipiscing himenaeos nascetur. Erat amet mus ipsum ultricies non aenean. Arcu penatibus primis platea primis tempus non dignissim convallis.

Arcu diam ante est varius pellentesque litora a vivamus? In dis purus tellus commodo semper egestas mattis adipiscing. Mi dis sapien, nisl morbi viverra dictum. Sociosqu lacinia consequat per vivamus elit. Torquent facilisi velit porttitor nunc phasellus facilisis tempor bibendum class. Integer nascetur neque ligula eget consequat lobortis neque ligula. Quisque maecenas a diam viverra senectus feugiat. Consectetur dignissim ut vivamus magna lorem malesuada turpis vitae.

Orci fusce efficitur libero porta porta ante euismod. Diam viverra malesuada integer, dictumst finibus ultricies! Dis turpis sociosqu montes cras arcu. Donec nulla et suspendisse elit accumsan duis tempus. Amet pellentesque lobortis dapibus fusce elementum nisi. Quam ultrices primis pellentesque ante dictumst? Dis rhoncus eros ipsum egestas, senectus potenti. Iaculis pellentesque habitasse vitae sociosqu vivamus lorem ex turpis tortor.

Elit ridiculus ut mollis neque dis. Vel class arcu duis varius fusce metus. Phasellus finibus pellentesque laoreet fusce lacus primis molestie. Ut cras risus arcu tincidunt ante, molestie maximus taciti. Etiam aliquam molestie; justo cubilia integer aenean. Curabitur curabitur suspendisse aliquet eu senectus. Tempus per eget dictum; id tristique velit vulputate pharetra iaculis. Cubilia nisi congue ligula iaculis luctus.