
Lawfare Daily: Law Enforcement Hacking as a Tool Against Transnational Cyber Crime

Stephanie Pell, Gavin Wilde, Emma Landi
Tuesday, May 14, 2024, 8:00 AM
Discussing law enforcement efforts to "hack the hackers."

Published by The Lawfare Institute
in Cooperation With
Brookings

The U.S. Federal Bureau of Investigation (FBI) reported that the United States lost a record $12.5 billion to various types of cyber crime in 2023. Law enforcement hacking is one tool increasingly used to combat transnational cyber crime. Stephanie Pell, Senior Editor at Lawfare, sat down with Gavin Wilde, Senior Fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace, and Emma Landi, Research Assistant in the Technology and International Affairs Program at the Carnegie Endowment for International Peace, to talk about their new paper exploring law enforcement efforts to “hack the hackers” in the fight against cyber crime. They talked about the types of hacking operations performed by law enforcement, when law enforcement may be better suited to address the actions of malicious cyber actors as compared with the military and private sector, and some of the major policy questions posed by law enforcement hacking.


Please note that the transcript was auto-generated and may contain errors.


Transcript

[Audio Excerpt]

Gavin Wilde

If we're still in early phases and thinking about this from a military to military and state to state context, we need a lot more, as I say, policy scaffolding if we're going to start wading into the law enforcement led operations.

Stephanie Pell

It's the Lawfare Podcast. I'm Stephanie Pell, Senior Editor at Lawfare with Gavin Wilde, Senior Fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace, and Emma Landi, Research Assistant in the Technology and International Affairs Program at the Carnegie Endowment for International Peace.

Emma Landi

Each time a multinational group of law enforcement agencies get together and do one of these takedowns, they're establishing trust and they're building muscle memory to make the next one easier.

[Main Podcast]

Stephanie Pell

Today we're talking about law enforcement hacking as a tool against transnational cybercrime.

Gavin and Emma, you've recently published a paper about law enforcement hacking as a tool against transnational cybercrime. I want to start by having you describe the landscape of transnational cybercrime and the kinds of threats that persist.

Emma Landi

So in broad strokes, what we're talking about here are law enforcement agencies using their criminal investigative authorities to conduct what are essentially offensive cyber operations. Now, sometimes this is a preventative measure against compromised devices, and other times it's targeting the technology used by the criminals themselves. For instance, this might mean going into victims’ routers or networks, and sometimes without notifying victims beforehand. And it could also mean hacking the hackers themselves, where law enforcement deploys their own malware against the networks and devices used by cybercriminals or seizes the websites they use to conduct criminal activity.

Now to put this in a more simplified, real-world scenario, you can imagine the cops getting a tip that there are burglars currently in your house and then obtaining a warrant to go search and clear the premises, seize evidence, or spy on the criminals to see what they plan to do next. And so what we're seeing here is essentially Western law enforcement agencies increasingly adapting these old school practices to cyberspace. Now, these kinds of operations are somewhat different from what we usually see with law enforcement because here, arresting and prosecuting the cyber criminals are less the goal, especially because many times criminals operate from places like Russia that don't cooperate with U.S. authorities and aren't likely to prosecute. Instead, law enforcement here are playing a more preventative and proactive role.

I think one of the most well-known examples of these operations would be the 2021 takedown of a botnet that distributed and controlled malware called Emotet. And a botnet is an interconnected network of infected devices that take commands from a third party. And the group behind Emotet was targeting the banking, e-commerce, healthcare, and government sectors with phishing emails that ultimately enabled them to steal and download credentials. This takedown involved authorities from the United States, Canada, France, Germany, the Netherlands, and the United Kingdom who were able to take over Emotet’s command and control infrastructure, which included hundreds of servers located around the world, and then replaced the criminal malware with malware of their own. And the FBI calls this kind of program a network investigative technique, or a NIT. And this NIT was able to stop communication between the botnet and victim computers and redirect the digital traffic away towards law enforcement-controlled devices, which effectively severed the links between a large portion of the botnet and the group running it.

Stephanie Pell

So those are some very interesting examples of law enforcement hacking the hackers. I'm wondering if we could back up a bit because this is a relatively new role for law enforcement. I'm wondering if you could talk about, Gavin, the nature of the threats. What is driving law enforcement to engage in these, quote, “offensive” cyber operations?

Gavin Wilde

So I think the threat has certainly evolved over the last few years to where certainly ransomware and some other cyber-enabled operations have started to pose a national security threat and have started to be seen as something that's not merely victims being swindled by the fabled Nigerian prince-type of scams, but they're doing actual harm to victims, and that are actually having impacts on our critical infrastructure. And so I think the national security bureaucracy, certainly throughout the West, has started to see ransomware in particular as something of a national security threat that needs to be looked at as not only certainly a criminal matter but as from a geopolitical perspective.

Now, concurrent with that, you've also seen a lot of changes in the authorities that a lot of Western countries have looked at. Certainly, they look at their military and intelligence services as tools in this toolkit. And particularly, because that's where a lot of the offensive cyber capability has traditionally been nested. But you're also seeing a lot of new authorities or novel new applications of existing authorities, in this case for law enforcement, being drawn upon as part of a tool in the toolkit, so to speak, as well. And when we talk about the FBI's approach or the U.S. approach in particular, those rules were updated a few years ago, which we can get into a little bit more, and that enabled the FBI to be a little bit more assertive and less reliant upon, let's call it, the analog era of criminal investigations, so that it could be more assertive against these types of crimes.

And so I think what you've seen and what caught our eye and was an impetus for this paper was that there's an upward trend across the U.S. and the West, led, I would argue, in part by the U.S. and the U.K. and allies and partners updating these authorities to lean into this problem. And so that trend augured our interest in this paper, but also augurs for some additional policy conversations to put more scaffolding around the practice.

Stephanie Pell

And you raised a very interesting issue regarding the way that law enforcement is using traditional criminal authorities, rules—let's let the cat out of the bag, we're talking about Federal Rule of Criminal Procedure 41, which is search warrant authority. I want, though, to ask: is this primarily the FBI that we're seeing engaging in these law enforcement hacking operations? Or are there other federal agencies and/or even state entities?

Gavin Wilde

So our paper primarily focuses on operations at the federal level, for which the FBI is the main player on the field. But I think it's also worth noting that the United States Secret Service also has the authority and has employed these kinds of technical operations using the same authorities. So in addition to their traditional protective mission for the president, the Secret Service is also charged with protecting the integrity of the U.S. financial system. And so a bulk of their investigations and the subsequent prosecutions in that regard have to do with cyberspace, particularly since payment systems are all digital. However, by their very statute, I believe it's outlined in a 1984 piece of legislation, the Secret Service is charged with quote, “detecting and arresting,” whereas the FBI has a little bit more flexibility to pursue preemptive disruption of the kind that we're seeing. So often, these kinds of technical operations, if the Secret Service is going to be conducting them, are guided primarily by the goal of identifying and apprehending suspects, less necessarily by purely preempting or disrupting the operations.

As far as state and local authorities, obviously they're also guided by constitutional guidelines and procedures for their investigations, but they are far more limited by scope and scale and resources and jurisdictions in terms of cyber operations they might be conducting beyond routine kind of surveillance or investigative measures, for instance. But in most cases that we're aware of, I think it's more likely they're going to be conducting operations in collaboration with, or ultimately under the purview of, federal authorities.

Stephanie Pell

So it's not as if hacking on behalf of U.S. government agencies is a new thing, but we are primarily used to hearing about offensive cyber operations that are conducted by the military or, and I'm not sure, people generally use the term offensive cyber operations with respect to the private sector, but Microsoft has a history of engaging in certain kinds of activities that you might classify that way. Can you talk about what we have seen with respect, or what our understanding is with respect, to these military and private sector operations?

Gavin Wilde

Yeah, so in broad terms, and you mentioned Rule 41 and I would highly recommend, I think Timothy Edgar and Alex Iftimie have written really extensive treatises on Title 18 and Rule 41 in a law enforcement context, that I would highly recommend they've written for Lawfare. As far as the military and the private sector, obviously the military operates under Title 10 war-fighting authorities, the intelligence community under Title 50 covert action authorities. And as far as the private sector, they do have, what I would call a more civil flexibility under the civil system. So this isn't criminally investigative, but under civil courts, as you point out, and as Emma outlines in the paper, they can rely on these civil authorities to essentially obtain restraining orders from magistrates to take down a technical infrastructure that violates copyright or terms of service or those types of things. While the military and the private sector engage in their own technical takedowns and hacking activities right alongside law enforcement agencies, and particularly with regard to transnational cybercrime—I think TrickBot's a great example that the military undertook a few years ago, a massive botnet just in advance of the 2020 elections.

Military and intelligence services have traditionally been the primary government entities that engage in these operations. So we've seen some growth and flexibility in their authorities in the context of nation state conflict and espionage. And then, as you say, that the private sector with, I think it's Rule 65 of Civil Procedure, if I can be so bold as to play the role of a legal expert, which I certainly am not. But those things have been on the rise over the past few years. But the downfall is on the list of their priorities, certainly on the private sector part. They're profit driven, they can't play the role of law enforcement agencies all the time. And on the list of priorities that we want militaries and intelligence services to worry about, transnational cybercrime is probably further down on the list than we might like. And another thing to consider is that, when offensive cyber operations are conducted abroad and across borders, it's obviously a different issue if a private entity like Microsoft is doing it or a military is doing it. Those introduce a lot of kind of diplomatic and legal considerations, and potentially set a precedent in the instance of militaries that might actually exacerbate tensions more than it alleviates them.

So I think the other thing to bear in mind with the private sector is that Microsoft can obtain some of these civil injunctions against bad actors in civil court. They're under no obligation if you're in Germany to necessarily go along with those kinds of orders. Did I miss anything there, Emma, that we ought to highlight?

Emma Landi

Yeah. So another thing to think about with private sector engaging in these types of operations is that when they go through a civil court procedure, they risk having to involve their internal processes into a civil court procedure maybe down the line. And they're not going to want to do that. So that's another reason, while they're a great partner, there are some areas that they just can't have the same role as a government entity.

Stephanie Pell

So I think part of what you've both been saying is an argument for why law enforcement might be best suited, at least in certain circumstances, to be the one engaging in these, quote, “hacking operations.” So Gavin, I want to return, though, to this Rule 41 point. As we've noted, Rule 41 is a Rule of Criminal Procedure that is search warrant authority. What happened with respect to an update to Rule 41, now several years ago, that has enabled law enforcement to engage in these kinds of operations?

Gavin Wilde

Sure. So I think prior to this rule change, it's important to set the stage for federal authorities to conduct a search or seizure in technical terms. So thinking in terms of a victimized or hijacked or illicitly used device, federal investigators would need a warrant from a judge in each of the relevant jurisdictions where that IP address was geolocated. But as we know, cyberspace is borderless and it's often anonymous, so it's often difficult, if not impossible, to narrow down an IP address to some final geographic location with a lot of certainty. And so digital investigation, both domestically, or say, in response to international investigations or a tip or a lead or a request from a partner, an ally, were becoming increasingly difficult to pursue.

And in fact, in 2015, there was an interesting case where the U.S. had attempted, in partnership with international partners, to take down an illicit pornography ring called Playpen, but had done one of these technical takedown operations without some of the requisite warrants for some of these jurisdictions where they took down some IPs. And in the aftermath, some of the charges and convictions against the perpetrators were ultimately thrown out. And by late 2016, you have federal investigators finally successfully making the case for an update to these procedures, which then granted them the ability to obtain a single warrant to investigate these devices across jurisdictional lines, as long as they met a couple of criteria. One, that victims needed to be spread across five or more judicial districts throughout the United States. And two, if the offending device's locations and IP addresses are obscured through, quote unquote, “technical means,” so that means virtual private networks or peer-to-peer networks, anonymizing browsers like Tor, or proxy servers or encryption. So as long as they meet those two criteria, now federal authorities can just obtain a single warrant to conduct these essentially search and seizure operations.

Stephanie Pell

And I want to probe a little bit, given that this expanded search warrant authority, which is enabling some really new kinds of activities by law enforcement, what protections or oversight mechanisms are in place? Obviously, a judge, either a magistrate, federal district court judge, has to sign such a warrant. But these are still tools being drawn out of the traditional criminal toolkit. Do the crimes and activities being investigated here, in your view, call for something additional?

Gavin Wilde

I think it's something that came up in our research. Certainly, there are legal scholars that raise a lot of these same concerns. And I think, as you say, as far as oversight, the fact that a magistrate judge has to sign off on these warrants and the fact that prosecutors have to build a case that is ultimately going to be a matter of public record, those are good things. And that could be considered a degree of oversight and transparency that you, for instance, probably won't get for years after if it were in the military or intelligence context. So there's some benefits there.

However, as I say, a lot of legal scholars point out that this process has a couple of implications that are thorny. Number one, there's now international implications. That's an awful lot of weight and consideration to put on a magistrate court judge in the United States. Those are implications that probably need a little bit of extra buy-in and weigh-in from other folks, certainly in the executive, and probably a little bit more scaffolding from the legislative branch. Others also point out that a rule of criminal investigative procedure is not a law. And so there is some concern that if one of these takedowns is contested in court by—I think it's easy to harken back to the Yevgeny Prigozhin and the Internet Research Agency prosecutions by the special prosecutor, Robert Mueller. If you had that kind of scenario where a bad actor decided to contest this takedown in court, there's a real risk that, without legislative underpinning and without something codified in law that this is what the FBI can and should do, these are the right and left boundaries like you now have with the U.S. military, this entire practice may rest on a fairly shaky foundation.

Meanwhile, I think I would just add that under some of our international obligations, like the Budapest Treaty on Cybercrime, there is supposed to be some legislative backing for state entities that perform offensive cyber operations across international borders. And at present, that lack in U.S. law, I think, is something that we need to consider and that would hopefully add a little bit more oversight to the kinds of operations.

Stephanie Pell

That's a really interesting point. And I just want to clarify, you're drawing a distinction between law enforcement and military because when the military engages in lawfully authorized offensive cyber operations, that is grounded in statutory authority. Correct?

Gavin Wilde

Right. And entails a whole bunch of—in the international arena, when a military does something, you introduce and invoke a lot of additional kind of international law and norms that we've spent 20-plus years thinking about and theorizing and strategizing about and we still haven't really gotten it right. Part of the impetus for this paper is to go, geez, if we're still in early phases and thinking about this from a military to military and state to state context, we need a lot more, as I say, policy scaffolding if we're going to start wading into the law enforcement-led operations.

Stephanie Pell

Emma, I want to go back to something that you were talking about in the beginning as an example of some of these operations. You suggested that the United States is not the only country where law enforcement is engaging in them, and in fact, U.S. law enforcement often works with counterparts in other countries. Can you talk a little bit about that?

Emma Landi

Yeah, definitely. I think one of the most interesting things that I've learned in this project is how global this trend is of law enforcement being involved in these types of offensive cyber operations. And when you hear about these big botnet takedowns, it's more often than not a team effort involving multiple countries. And a lot of other countries have legal authorities for their own law enforcement agencies that are similar to what we see in the U.S. with Rule 41. The U.K., the Netherlands, Australia, France, and Germany, they all have similar legal authorizations for their law enforcement, and they've expanded these authorities in recent years, which has allowed a lot of them to lead on many of the technical takedowns right along with the U.S. The Netherlands was instrumental in the Emotet takedown and the U.K., I think, has led a lot of the action we've seen recently with LockBit. And then France and Germany have also been involved or led on a couple of their own takedowns.

And another aspect of this that I hadn't been tracking before was that it's not only in Europe. The African continent has actually recently been involved in some of these takedowns through an Interpol program called Africa Cyber Surge, where African law enforcement agencies have disrupted and investigated cybercrime, like phishing scams, with the help of Interpol. And something that's stood out to us is how much cross-border coordination is going into many of these operations. We talked to people that have been involved in these takedowns in Europe, and they feel very optimistic about the collaboration that they've seen, and they think that there is a pressing need and adequate oversight for these kinds of operations happening in their own countries. In the Netherlands, I was told that their law enforcement agencies already have an established duty to protect instead of just investigating after the fact. So in the Netherlands, they have already pretty broad procedural leeway to do these types of operations.

And in terms of cooperation, the traditional way that countries usually collaborate on criminal investigations is through MLATs, or Mutual Legal Assistance Treaties, which are basically bilateral agreements that allow one nation to ask for evidence or assistance from another nation. But MLATs in practice actually do not work fast enough for the pace and geographical span of cybercrime. So a lot of countries have formed their own informal channels for coordination and collaboration, and they're able to divide and conquer and look at whose legal procedures and technical expertise are best suited for what kinds of actions. Because as we've seen, each country's law enforcement has different embedded institutional priorities or technical capacities that make them more suited sometimes for arrests or prosecution. And other times, they're going to be really well equipped to actually take down the criminal infrastructure and do the technical side of these technical takedowns.

So there is a ton of international cooperation and in practice it looks like they all get together and figure out whose law enforcement group is going to be better for what type of action. And I just want to give a shout-out to Interpol, Europol, Eurojust, European Cybercrime Center. They all have been really important hubs and conduits for getting all of these different groups in a room or in a Zoom call and doing these big multinational takedowns. I think it does remain to be seen whether duplicating this kind of collaboration that we've seen in Europe can be applicable to other regions, particularly the Indo-Pacific region. But the FBI has recently increased the number of their cyber-focused legal attaches posted at different U.S. embassies, and that includes places like India and Brazil. So I think the area that I am the most optimistic is actually this type of international collaboration that we've seen.

Stephanie Pell

So I think one thing this discussion does, though, is raise the question, how well is all of this working? And I appreciate you might want to say, how well are law enforcement efforts working? But I guess it's, insofar as the United States has multiple agencies that are now engaging in these efforts, maybe the better question is, holistically, how well are we doing in terms of reducing this transnational cybercrime, which, as you've pointed out, has international and national security implications?

Emma Landi

So one of the biggest challenges in this project was how to define working or what our expectations should be for law enforcement in these capacities. But there isn't a universal standard for measuring cybercrime in general, let alone countermeasures. So is success less money lost to ransomware actors, is it more arrests? Maybe fewer victims affected is a good place to start from. But I think most of the people that we've talked with think that any friction that we can introduce for ransomware actors or other cybercriminals will probably spare more victims in the long run. And so the key is probably stretching that friction and downtime as long as possible, which means acting on a more sustained basis, in collaboration, both domestically and internationally and across public and private boundaries.

An example is bringing up Emotet again. Talking with the folks that were involved in that, they expected the group to reemerge in three months. It actually took them 11 months. And so that was considered a success. Even though they did reemerge, the downtime was more than expected. And there's also value in the collaboration. We keep talking about collaboration, but each time a multinational group of law enforcement agencies get together and do one of these takedowns, they're establishing trust and they're building muscle memory to make the next one easier. A lot of the folks that we interviewed actually considered just that happening as a success on its own.

And then there's also the matter of hurting a criminal group's credibility and reputation and sowing distrust among the groups. And I think we see this with LockBit currently, the NCA and other Western partners are embarrassing the organization by seizing their website and then doxing their leader and indicting him and slapping sanctions on him. The hope is, if you're a ransomware actor, you're no longer going to view LockBit as a trusted resource, and then hopefully there's a chilling effect among these illegal actors, where that kind of illegal behavior is riskier today than it was yesterday.

But all that being said, there are no standards of measure or metrics that are currently used to define success in these operations. And maybe as we have more cases to study and trace over a longer period of time, we might be able to follow a theory of change, but there's just too many unknowns. It is a black box. Gavin and I are hoping to maybe dedicate some follow-on research to measuring success and coming up with some standards.

Gavin Wilde

I think even just this week at RSAC, Rob Joyce kind of noted that cognitive effect that Emma outlines in reference to LockBit. You've certainly got now one of the most prolific and harmful ransomware collectives. There's probably a great deal more distrust and suspicion and wariness among its members than there was even a few months ago. And so I think leaning into that cognitive effect and making each of these actors feel a little bit more wary over time about whether they can trust the people that they're talking to and about whether the juice is actually worth the squeeze.

But we’re under no illusions that we're starting from a position of we're going to have to dig out of a real big hole because the numbers and the victimizations, particularly on ransomware, that the trend lines are still moving up. And 2023 was a particularly dismal year as far as the records that we do have.

Stephanie Pell

And just for our listeners who may not be as familiar, what is RSAC and who is Rob Joyce?

Gavin Wilde

So Rob Joyce is the newly retired NSA official that was in charge of the NSA's unit that does the most collaboration with external partners and commercial partners. And RSAC is the technology conference where a whole bunch of policymakers and hackers get together to both collect lanyards and stickers, but also talk about the cyber issues of the day.

Stephanie Pell

I want to talk, and you've mentioned this along the way, but what do you see or consider to be the most significant challenges or concerns raised by law enforcement hacking operations?

Gavin Wilde

I think the most pressing ones are those having to do with civil liberties. And by that I don't mean that—I think we've been impressed, as have a lot of the folks that we've spoken to, at how well the DOJ and the FBI and their partners and allies have done at transparency in the aftermath, granted, of a lot of these takedowns. But the reassurance piece and the demonstrating that there's process and deliberation behind these operations to make sure that the Fourth Amendment rights of Americans are protected against unreasonable search and seizure. I think that's gotta be at the forefront. And so, while I think there's been an admirable level of public discussion and transparency, again, putting hard policy scaffolding around that, I think is important.

I think there's some misaligned incentives for private sector support and collaboration. A lot of the folks we talked to felt like once they tried to provide tips and leads to federal law enforcement, they didn't get much feedback. Some of that is for good reason. Federal investigators don't want to tip their hand, obviously. But there's also, as Emma points out, there's liability concerns if something breaks inadvertently or the degree to which their own internal practices are going to be hauled into civil or criminal proceedings. I think another thing that needs to be looked at hard is the proliferation of cyber intrusion tools and whether the increased use of these incentivizes the market. How do we ensure that they're validated by third parties or independent researchers to make sure that they will do only what they are supposed to do?

And speaking of incentives, I think it's important that the federal government make sure to underscore that, particularly for critical infrastructure operators, that we don't inadvertently disincentivize folks taking cyber hygiene. That no one operates under the illusion that the U.S. government, whether it's military or law enforcement or partners, are going to be able to be the white knight that rides in to save them from some of these things. I think there's a lot of room to bang that drum a little bit louder, that particularly in the aftermath of the Volt Typhoon takedown that the FBI just conducted, that it's important and that there's a role to play. But this is not a substitute for more concerted effort and resources on the part of private, commercial entities that operate critical infrastructure.

Stephanie Pell

I'm sure the Cybersecurity and Infrastructure Security Agency, or CISA, would be very happy to hear you say that.

Gavin Wilde

I hope so.

Stephanie Pell

So in your paper, as with all good researchers, you end up raising a lot of questions at the end of your research. If you can both talk about what you consider some of the major policy questions raised by law enforcement hacking operations that we really need to grapple with?

Gavin Wilde

I think there's a couple that spring to mind that I think are the most interesting philosophically. One, the degree to which, I think, the criminal justice system, particularly in the United States, how it handles this idea that disruption and preemption is a new goalpost and apprehension and ultimate prosecution in a courtroom can take a secondary seat, the degree to which that's a philosophical discussion and the degree to which our Title 18 infrastructure writ large lends itself to that goal, I think is an interesting academic discussion that I think is worth fleshing out.

But I also think, to Emma's point, we do seem to be entering, particularly in terms of this practice and with Western allies and partners, a space where there's almost, in our conversations with stakeholders, a degree of, if not tolerance, almost encouragement, that we've got each other's backs. And if that means we, like-minded states, inadvertently violate one another's sovereignty in service of these takedowns, that we're okay with that. And that's an interesting discussion and debate to have, particularly against the backdrop of a lot of the cyber norms discussion that we've seen in terms of state-on-state military and intelligence hacking. So I think there's a universe in which we need to build towards a common understanding, and the CLOUD Act may offer an opportunity here as well, where like-minded states get together and say, as long as you meet X, Y, and Z criteria, we're going to watch each other's backs with these takedowns, and we're going to be tolerant of this kind of fuzzier notion of sovereignty than perhaps we've talked about over the years.

Because I think, as these technical takedowns have unpredictable global reach, there's a degree of comfort that we're going to need to grapple with across borders, and I don't know if we've had those kinds of hard conversations yet. But I think, again, this practice, as well as new legislation like the CLOUD Act, augurs well for those conversations.

Stephanie Pell

So on the sovereignty point, because as you are well aware, there's quite a bit of debate in the international space about whether sovereignty is a primary rule of international law or simply a principle from which other rules of international law derive. And it's very interesting to consider, in the context of these offensive cyber operations, whether a violation of a state's sovereignty occurs. And if it does, does that mean it's an internationally wrongful act? Or something that may be aggressive in nature, but not actually a violation of international law? It sounds like one of the things that you are arguing is that as these law enforcement offensive cyber operations increase, that issue becomes more and more interesting, critical, and necessary to suss out.

Gavin Wilde

I think so. And I think you could draw a line between this idea of retorsion or retribution on one hand for bad acts or perceived bad acts, versus what seems to be the primary objective in a lot of these takedowns, which is preemption: less trying to impose a cost, if you will, to borrow a trite phrase, but more to make sure that further costs are not imposed. And so I think, again, these are very thorny philosophical discussions that are, dare I say, almost clichéd now in the cyber conversations we've had about how militaries certainly operate in cyberspace. But we have not really considered them with law enforcement agencies being front of mind yet.

Emma Landi

And I think another thing that we didn't really talk about in the paper as much: a lot of the takedowns that we've seen have occurred with like-minded countries. I don't know what it would look like if the U.S. tried to do these types of operations in less friendly states, because there might be a breach of sovereignty involved in that. And those informal channels that we've talked about haven't been established with the rest of the world. We have to figure out how to create policy scaffolding, like Gavin said, for doing these takedowns with like-minded states, and then, also, would we be okay if another state did this to us without those informal channels in place?

Gavin Wilde

Yeah, the degree to which—I don't know that Moscow, for instance, would perceive any difference whether it was the FBI knocking over a server on Russian territory versus U.S. Cyber Command. I would hope they would. But managing those escalation dynamics and managing those diplomatic tensions is difficult enough with friends in gray space, as it were, let alone in red space, in particular. What that looks like kind of remains to be seen.

Stephanie Pell

Any other thoughts that either of you would like to share with our listeners?

Gavin Wilde

I think I would just again tip the hat to a lot of the folks that we spoke with. We spoke with a broad range of folks who are public servants here and abroad, and folks in industry, in the commercial space. I think we both came away with an appreciation for how seriously all these stakeholders are taking this and trying, in their own way and under their own incentive structures, to tackle this problem. And so I came away with a greater appreciation for how much amazing work is done and for how extraordinarily difficult this work is. So a tip of the hat to the folks that we spoke to and the folks that are chipping away at this every day.

Stephanie Pell

We'll have to leave it there for today. Thank you both so much for joining me.

Gavin Wilde

Always a pleasure. Thank you so much, Stephanie.

Emma Landi

Thank you.

Stephanie Pell

The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts.

Look out for our other podcasts, including Rational Security, Chatter, Allies, and The Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org.

The podcast is edited by Jen Patja, and your audio engineer this episode was Noam Osband of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.
Stephanie Pell is a Fellow in Governance Studies at the Brookings Institution and a Senior Editor at Lawfare. Prior to joining Brookings, she was an Associate Professor and Cyber Ethics Fellow at West Point’s Army Cyber Institute, with a joint appointment to the Department of English and Philosophy. Prior to joining West Point’s faculty, Stephanie served as a Majority Counsel to the House Judiciary Committee. She was also a federal prosecutor for over fourteen years, working as a Senior Counsel to the Deputy Attorney General, as a Counsel to the Assistant Attorney General of the National Security Division, and as an Assistant U.S. Attorney in the U.S. Attorney’s Office for the Southern District of Florida.
Gavin Wilde is a senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace. He previously served as director for Russia, Baltic, and Caucasus Affairs at the National Security Council from 2018 to 2019, where his focus areas included election security and countering foreign malign influence and disinformation.
Emma Landi is a research assistant in the Technology and International Affairs Program at the Carnegie Endowment for International Peace.