
Can lawyers lose wars by stifling cyber capabilities?

Intelligence experts argue that stringent legal frameworks weaken the effectiveness of Western cyber defence capabilities
Image created with the assistance of Midjourney

‘Lawyers don’t win wars, but can they lose one?’

Stewart Baker, former General Counsel of the United States National Security Agency, pondered this exact question in 2011, predicting that law could completely stifle Western cyber capabilities. In many Western intelligence and military agencies, his prediction is coming true.

Toothless watchdog

Recently, two ex-spy chiefs from the German foreign intelligence agency (BND) rang the alarm in a prominent German news outlet. They argued that the German intelligence community was being reduced to ‘toothless watchdogs’ because of ‘an excess of oversight’ and that ‘policies and courts must no longer denigrate intelligence services as a threat to the rights of German citizens’.

In the United States, critics argue that Section 702 of the US Foreign Intelligence Surveillance Act – a law many see as crucial for detecting and mitigating adversary cyber operations – is an unacceptable infringement on citizens’ privacy. David Ignatius recently offered a chilling account of how the CIA lost its competition with China’s intelligence services because regulation made agency operations inflexible and predictable.

Legal debates centred around balancing the ‘needs of national security with the needs for liberty’, as described by former director of the U.S. National Security Agency Michael Hayden, are not new. What is novel is that technologies crucial for cyberspace capabilities also increasingly permeate and structure everyday life. As we rely more on technology, so do our civil liberties – our privacy is intimately tied to our data. Yet to pursue strategic cyber competition, intelligence and military agencies must use these technologies. Legal imperatives put in place to safeguard civil liberties can directly impact a state’s ability to perform in cyber conflict.

Idealistic legalism

As debates raged on the renewal of Section 702, Hayden, together with Michael Goodman and David Gioe, recently stated: ‘Never before has an intelligence community begged, cajoled, and pleaded with lawmakers to enable it to do its job.’ For intelligence professionals, Section 702 is a vital legal tool for US national security. However, most discussions have merely centred around privacy concerns. Privacy advocates have even accused the US government of ‘scaring people’ when they have presented success stories of Section 702 – when intelligence gathered through the programmes it has enabled has thwarted security threats and saved lives.

Debates around cyberspace capabilities are increasingly focused on legal frameworks driven by privacy advocates, lawyers, lawmakers and legal scholars. These posit that without detailed laws, Western cyber powers would completely undermine democratic norms and values.

This increasing focus on law leads to what I call idealistic legalism: a one-sided view of the intelligence and cyber domains that sees law as an ideal governance tool in shaping cyberspace capabilities. Law is no longer seen as a system of checks and balances but as a way to shape state behaviour in cyberspace. Idealistic legalism causes legal debates on cyber capabilities to miss a crucial discussion point: what operational constraints are we willing to accept and what consequences does that have for our national security? Law has become a more important talking point than the capability we can bring to bear.

This is not a call for lawlessness. As an intelligence practitioner, I fully embrace regulations and oversight committees and recognise their role in legitimising and regulating my actions. It is not my place to determine the existence and form of legal frameworks – all I can do is attempt to make currently invisible constraints visible. Below, I will highlight four consequences of idealistic legalism.

Legal creep

First, law generalises and abstracts operational realities, providing a false sense of clarity that pushes policymakers to rely too heavily on legal codification instead of appreciating nuance. Laws attempt to capture as many activities in cyberspace as possible. To do so, legal frameworks must oversimplify. This is ill-suited to such a complex domain. To less knowledgeable policymakers, these frameworks become an easy but flawed tool for understanding cyberspace. This results in a seemingly unstoppable push for legal codification of every aspect of cyber operations, creating a paradigm of ever-increasing reliance on law in decisions regarding such activities. The influence of practitioners slowly diminishes as lawyers increasingly take the lead in shaping senior leadership opinions on proposed cyber operations rather than merely advising.

Such legal creep negatively impacts the efficacy of cyber capabilities, as they are no longer predicated on operational realities but increasingly on legal opinions. As several scholars aptly put it in the title of a recent piece, ‘Blessed Are The Lawyers, For They Shall Inherit Cybersecurity’.

Effectiveness versus compliance

Second, the increasing reliance on law can create an environment in which compliance trumps effectiveness. When a proposed cyber operation is crucial for ensuring mission success but not codified in existing legal frameworks, it is not compliant and cannot be conducted. This is true even if such an operation adheres to norms in international law on respecting human rights and common principles such as proportionality and necessity.

For example, a law might stipulate that a (foreign) intelligence agency cannot collect information from systems owned by the citizens of its country. But what if a system belonging to a citizen is being abused to route attack traffic, as Chinese and Russian cyber threat actors do? Such an operational development is not foreseen, and thus not prescribed, by law. To collect information would then be illegal and require judicial overhaul – a process that can take years in a domain that can see modus operandi shift in a matter of days.

Such constraints can shape operational thinking so that practitioners no longer conduct effective operations, but compliant ones. As a former head of the Dutch Defence Cyber Command noted: ‘Lawyers are blocking the cyber experts’ imagination, improvisation, and creativity which are necessary for future cyber scenarios’. When effectiveness is seen as secondary, cyber activities may be compliant, but they are not winning the fight.

Law enhances asymmetry

Third, concern over following the law is very much centred in democratic states. Initiatives attempting to establish international norms, such as the ICRC’s ‘digital red cross’, often miss the fact that non-democratic cyber actors do not intend to adhere to those norms. That is the consequence – or privilege – of being a democracy. We have an obligation to uphold civil liberties, and the instruments for safeguarding these are legal constraints. However, such constraints also incur costs due to increased bureaucratic complexity. This hampers operational flexibility and innovation – a trade-off often not adequately weighed by, or even visible to, law- and decision-makers. When appointing ex-ante oversight boards or judicial approval, preparation time for conducting cyber operations inevitably increases, even for those perfectly legal from the beginning.

How can we pursue the initiative if legal processes to greenlight an operation take weeks, or if oversight committees shut down ongoing operations because of possible minor legal discrepancies or shifting interpretations of a legal norm? This is a losing game because, as Calder Walton noted, ‘Chinese and Russian services are limited only by operational effectiveness’.

From the shadows

Privacy advocates and government proponents both attempt to influence debates on legal frameworks in their favour. The reapproval of Section 702 was heavily debated in the public arena, and legal frameworks can even be subject to referendums – creating more incentive for influencing public debate.

Intelligence communities face little choice but to share how legal friction is undermining national security. That can only be done by doing what agencies are innately averse to, which is showcasing operations and modus operandi. Are agencies going to publicly admit they were unable to collect intelligence on certain adversary cyber actors because of legal boundaries?

The increased focus and weight put on law in public debates is making it almost inevitable that intelligence communities will need to do so, which is certainly not without national security implications itself. Constant publicity has the danger not only of cumulatively leaking sources and methods, but also of revealing our weak points.

The need for balanced debate

Idealistic legalism is increasingly constraining our ability to manoeuvre and contest our adversaries in and through cyberspace. A balanced debate on any legal framework overseeing cyber capabilities is necessary, with as much thought to operational constraints as to any inevitable privacy impact. In our desire to protect civil liberties and our democracy, we should not look merely to law, but as much to the actual capabilities that our intelligence and military agencies are able to bring to bear to protect our values.
