The United States is under a growing and constant threat of cyberattack. US cybersecurity strategy has evolved in response, adapting to the new threat climate by committing US Cyber Command to more aggressive and persistent peacetime cyber operations. However, the Department of Defense Cyber Mission Force (CMF) has been stretched thin attempting to carry out its new mission, requiring additional commitments to resourcing, force size, and capabilities.
Homer A. La Rue argues that increased participation of private contractors in US cyber operations is the best way to bolster the CMF’s capabilities, at least in the short term. Contractors may be particularly useful in “gray-zone” operations, that is, operation in the area that exists beyond the threshold of conventional diplomacy but falls short of conventional war.
Although there are challenges and risks to increased contractor participation in cyber operations—particularly related to command and control—La Rue argues that methods of managing these risks already exist and that the benefits of outsourcing cyber operations outweighs the risks.
Although acts of cybercrime and cyberwar are different, the lines between the two have been become blurred over time. The nature of cyberspace has complicated the pre-existing doctrine for armed attacks, yet they are still being applied. Furthermore, the United States historically has responded to malicious cyber activity through a militarized lens.
This tendency to lean towards and emphasize a militarized approach has displaced the domestic law enforcement approach and left it inadequately trained, inadequately resourced, and inadequately supported to identify, deter, and punish offenders. Discussions currently neglect other existing frameworks and the development of new ones to address malicious cyber activity
Without a comprehensive international legal framework governing malicious cyber activity, Mieke Eoyang and Chimène Keitner seek to encourage greater awareness of the consequences of viewing malicious cyber activity through only an armed conflict lens.
Cyber investigations often involve devices and data that cross or are located across international borders. This raises challenges for law enforcement which often finds itself limited by enforcement jurisdiction that stops at its territorial borders.
What happens when law enforcement is seeking to access data or a device and the location is unknown? What about situations in which law enforcement has its hands on a device, but the data being accessed via that device is located in another state’s jurisdiction? What if the device itself is located overseas—in a jurisdiction unwilling or unable to aid the investigation?