Erica D. Borghard is an assistant professor in the Army Cyber Institute at the United States Military Academy at West Point, and a senior director on the Cyberspace Solarium Commission. Her views are personal and do not reflect the policy or position of the Army Cyber Institute, U.S. Military Academy, Department of the Army, Department of Defense, or U.S. Government.
Politicians and pundits in the United States have frequently described the challenge of controlling the COVID-19 pandemic in the language of waging war. Given this terminology, it can be tempting to look to the Department of Defense (DOD) to solve problems it was not meant to address. Nefarious actors in cyberspace are indeed seeking to capitalize on scared and vulnerable individuals during the pandemic, some for criminal gain and some in pursuit of national strategic objectives. But any effort to bring DOD capabilities to bear against them must distinguish between nation-state and criminal activity.
Recently, a bipartisan group of senators sent a letter to the heads of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency, the National Security Agency, and U.S. Cyber Command calling for (among other things) the United States to “evaluate further action to defend forward in order to detect and deter” cyber threats to the health-care sector and its personnel. The letter was careful to identify threat actors associated with four nation-state adversaries: Russia, China, Iran, and North Korea. This is important because, under Section 1642 of the Fiscal Year 2019 National Defense Authorization Act, the DOD can take action in foreign cyberspace, as a traditional military activity, to “disrupt, defeat, and deter” cyberattacks from precisely these four actors.
In addition, some analysts have called for the DOD to “defend forward” against cybercriminals exploiting the current global health crisis. For instance, in a recent piece, J.D. Work advocates that “[t]he military should be called upon to degrade and destroy the capabilities of criminals to conduct ransomware extortion.” Doing so, Work asserts, would be consistent with, and in support of, the DOD’s defend forward strategy and U.S. Cyber Command’s implementation of it through persistent engagement. The recently reported example of the Australian Signals Directorate (ASD) conducting offensive cyber operations against cybercriminals running coronavirus-related scams is held up as a potential model to emulate.
Defending forward against nation-state adversaries is one thing; defending forward against cybercriminals would be a bad idea, for three reasons. First, conducting offensive cyber operations against cybercriminals stretches the concept of defend forward beyond its original intent and dilutes the already limited resources that the DOD and Cyber Command have to pursue their predefined national security missions in cyberspace.
Successful offensive cyber operations require significant investments in time, skill, and resources, especially when conducted against capable and strategic nation-state adversaries such as China and Russia. As the Cyberspace Solarium Commission’s March 2020 report notes, the DOD’s Cyber Mission Force (CMF)—the operational force that conducts offensive and defensive cyber operations—is already insufficiently sized and equipped for its current mission set. Placing additional demands on the 133 teams that comprise the CMF, especially in non-traditional mission spaces, would put further stress on the force and divert resources away from core missions vital to national security.
Second, there are obvious civil liberties concerns. What if these criminal actors are U.S. citizens, U.S. persons, or U.S. entities? Even if they are foreign nationals, what if they are operating on compromised domestic infrastructure? The DOD has extremely limited authorities to conduct offensive cyber operations in domestic cyberspace, which is likely where much of this activity is occurring. As articulated in the 2018 DOD Cyber Strategy, campaigns and operations in support of defend forward are explicitly meant to occur “outward to stop threats before they reach their targets,” not domestically.
Third, other government departments and agencies are equipped with the appropriate domestic authorities, capabilities, and international partnerships to pursue coronavirus-related criminal behavior. These include not only the DHS Hunt and Incident Response Teams that can assist affected entities, but also the FBI and the National Guard. Law enforcement should play the central role in responding to, thwarting, and punishing cybercriminals who exploit the COVID-19 crisis. The FBI already actively addresses cybercrime, including through botnet takedowns and the shutdown of illicit dark web markets, and it has extensive international law enforcement partnerships that it can leverage to disrupt international COVID-19 cybercrime. There is also a role for the National Guard under its Title 32 authorities, in which Guard units remain under state command while federally funded. Governors of a number of states have already mobilized the National Guard to support the COVID-19 response, and this could be extended to include support to entities affected by cybercriminal activity, much as Louisiana and Texas mobilized the National Guard in 2019 in response to ransomware attacks on local governments and school districts. However, employing the National Guard in this way should not be confused with using DOD resources and capabilities under Title 10 federal military authorities to conduct cyber operations against criminals perpetrating coronavirus-related crimes.
If policymakers are looking for an international effort to fight cyberattacks during a pandemic, the lead should be the State Department, not the DOD. For example, the Dutch delegation to the UN Open-Ended Working Group (OEWG) recently called for a norm banning attacks against health networks. U.S. officials could work with the Netherlands and other like-minded states to promote such a norm at the UN and in other international institutions.
Policymakers should avoid the siren call of employing DOD cyber forces to solve any challenge or threat that may emerge in cyberspace. Doing so not only risks democratic values, but also threatens to erode the ability of military cyber forces to achieve the crucial missions they were meant to accomplish in the first place.