Steven Bradbury on Cybersecurity

The Harvard National Security Journal has just posted a very interesting essay by Steven Bradbury entitled The Developing Legal Framework for Defensive and Offensive Cyber Operations. (Steve was my successor in running the Office of Legal Counsel for the last four and a half years of the Bush administration.)  Steve says he is “not a noted expert on cybersecurity,” but then adds that he “did have occasion to advise on cybersecurity issues” while in OLC.  As the head of OLC he wrote an important opinion on the legality of the EINSTEIN 2.0 intrusion detection system for government networks (a decision affirmed and elaborated upon by my colleague David Barron when he was running OLC for the Obama administration.)  Part of Steve’s essay tracks his OLC opinion in explaining why EINSTEIN 2.0 is consistent with the Fourth Amendment and relevant statutes.  But Steve goes beyond that opinion and addresses several further issues.  He emphasizes that he is “speaking only for [himself] — not for my law firm and not for any current or former client.”  Nonetheless, the issues he addresses, and the tentative answers he gives, shed more light on the cybersecurity legal issues facing the government, and how the government might be thinking about them, than any source I know. For example, Steve argues that EINSTEIN 2.0 can be expanded to private entities like Defense contractors.  “It should be pretty straightforward to do so,” he maintains, “provided the network is owned or operated by a single entity or group of entities and is set up like an intranet with a limited set of authorized users, and provided the operator can agree by contract or can be required by regulation to use log-on banners and user agreements like those employed by the federal agencies participating in EINSTEIN.”  But Steve is skeptical that EINSTEIN 2.0 can be extended to “the public Internet itself.”  He reasons:

I don’t see an easy way to dispel the legitimate privacy interests of the millions of users of the public Internet.  We can’t insist that they all consent to having their communications monitored, and I don’t think the public would support such a policy.  Even if Congress in theory could enact some kind of sweeping legislation to impose such a regime — for example, by requiring that all ISPs be licensed and making EINSTEIN-like user agreements a condition of licensing — that’s not realistic. The Internet culture would rise up in revolt, and Congress won’t want to suppress the freedom and vibrancy of the Internet and risk squelching the golden goose of e-commerce.

More interesting than Steve’s comments on EINSTEIN 2.0 are what he says about offensive cyber operations, including covert cyber operations, the Title 10 v. 50 debate as it applies to cyber, customary law limitations on cyber operations, and legal issues related to “using offensive cyber capabilities to block or disrupt the servers overseas where WikiLeaks is holding the sensitive U.S. information.”  The essay is a must-read for those interested in legal issues related to cybersecurity.