I. Introduction
Over the past several years, the U.S. military’s cybersecurity strategy has shifted from focusing primarily on defense to including offensive cyber operations. The 2018 summary of the Department of Defense’s (DoD) Cyber Strategy outlines U.S. policy on engaging in offensive cyber operations to “defend forward” in collaboration with private sector partners, which includes outsourcing the development and operation of offensive tools. The use of offensive cyber tools raises questions about what should be outsourced in compliance with our legal framework of an “inherently governmental function” and international law.
In 2016, U.S. Cyber Command (CYBERCOM) awarded six companies a potential $460 million multiple-award contract to support defensive and offensive cyber operations such as “scuttling an adversary’s air traffic control, nuclear operations and other critical infrastructure systems.” The $460 million project would “outsource to industry all command mission support activities, including ‘cyber fires’ planning, as well as ‘cyberspace joint munitions’ assessments.” The government defines cyber fires as the active use of cyber weapons against opponents.
While contracts for these types of services are usually classified, the contractor companies’ websites provide hints on what the work entails. Tim Maurer, Co-Director and Fellow of the Cyber Policy Initiative at the Carnegie Endowment for International Peace, examined the services the CYBERCOM contract awardees provided and found that the companies “openly advertise [offensive capabilities].” In an interview, Maurer asked an employee of a major defense contractor whether the company offered offensive cyber tools and services to the government, to which the employee replied, “[a]s a company, we generally don’t comment on such questions but obviously we are building this stuff. We are a defense contractor. It’s a natural extension of our business. How else could the government procure this?”
These CYBERCOM contracts demonstrate that the government is actively outsourcing the development of offensive cyber weapons and tasking selected contractors with providing support up to, but not including, the execution of the cyber operation. This new reality raises several concerns addressed throughout this Note, including the prospect that private cyber contractors may be lawfully targeted in self-defense by adversary states. The U.S. government’s outsourcing of the development of offensive cyberweapons to private contractors increasingly puts U.S. defense contractors at risk of harm when they engage in close participation with the military to execute a cyber operation. Moreover, considering that some of these contractors have offices worldwide, including offices in or near areas targeted by U.S. cyber-attacks, such contractors could potentially be geographically convenient targets for cyber-attack victim-states to strike in lawful acts of self-defense.
This Note therefore proposes that Congress pass legislation to label the preparation and execution of specific offensive cyber operations as “inherently governmental functions.” Contractors would be limited to developing and delivering cyber tools and training military personnel in their use. Contractors would then have enough distance from preparation and execution of offensive cyber operations so as not to be legally targetable, shielding them from potential litigation arising from specific operations. Part II of this Note addresses the current legal framework on outsourcing to military contractors, including defenses against liability, as well as relevant domestic and international laws that are implicated in cyber military contracting. Part III analyzes the implications of outsourcing the development of offensive cyber tools, as well as the potential for contractors to execute operations with those tools, under both the domestic and international law discussed in Part II. Finally, Part IV of this Note discusses the need for extending the Military Extraterritorial Jurisdiction Act (MEJA) to cover cyberspace, defining which tasks are inherently governmental, and extending reporting requirements to Congress to include each cyber contractor’s involvement in executed cyber operations.
II. Domestic and International Law Related to Private Military and Security Contractors
As the U.S. military increasingly relies on cyber operations to shore up our strategic advantage against malignant actors, such as Russia and China, the military’s reliance on private cyber military contractors to support this task will also increase. This section discusses the existing law surrounding private military and security contractors (PMSC) and how it relates to the advent of offensive cyber operations. First, this section discusses current statutes and policies that govern the standard of “inherently governmental function” for PMSCs. Second, it discusses contractor liability and defenses that apply to private contractors. Third, it discusses offensive cyber operations in the context of the Law of Armed Conflict. Fourth, it discusses existing domestic cybersecurity law and how it relates to offensive cyber operations. Finally, it discusses executive branch authorities for offensive cyber operations.
A. Inherently Governmental Function
The term “Inherently Governmental Function” is defined by federal statute as a “function that is so intimately related to the public interest as to require performance by Federal Government employees.” The Office of Management and Budget (OMB) in Circular A-76 expands on this definition, stating that these “activities require the exercise of substantial discretion in applying government authority and/or in making decisions for the government.” The Federal Acquisition Regulation (FAR) 7.503 provides a non-exhaustive list of activities considered inherently governmental, including “the command of military forces, especially the leadership of military personnel who are members of the combat, combat support, or combat service role.”
While there is no single federal definition of an “inherently governmental function,” various types of functions falling into this category are defined by federal law. The Congressional Research Service provides examples of such functions, including the “preparation of agency strategic plans” and “functions associated with the operation and maintenance of certain hydroelectric power-generating facilities,” among others.
OMB Circular A-76 requires agencies to list all activities they perform and categorize them as either commercial or inherently governmental. The Circular defines an “inherently governmental function,” using a four-part analysis, as one that involves:
(1) Binding the United States to take or not take some action by contract, policy, regulation, authorization, order, or otherwise; (2) Determining, protecting, and advancing economic, political, territorial property, or other interests by military or diplomatic action, civil or criminal judicial proceedings, contract management, or otherwise; (3) Significantly affecting the life, liberty or property of private persons; or (4) Exerting ultimate control over the acquisition, use, or disposition of United States property including establishing policies or procedures for the collection, control, or disbursement of appropriated and other federal funds.
The Office of Federal Procurement Policy (OFPP) Policy Letter 11-01 (OFPP Letter) represents the most recent guidance for federal agencies on “inherently governmental functions,” adopting the Federal Activities Inventory Reform Act’s definition. The OFPP Letter builds on existing authorities by adding two new tests for identifying whether a function is “inherently governmental.” The first is the “nature of the function” test, which states that a function involving the exercise of U.S. sovereign power is inherently governmental. The second is the “exercise of discretion” test, which prohibits agencies from contracting out functions that would:
commit[] the government to a course of action where two or more alternative courses of action exist and decision making is not already limited or guided by existing policies, procedures, directions, orders, and other guidance that: (I) identify specified ranges of acceptable decisions or conduct concerning the overall policy or direction of the action; and (II) subject the discretionary decisions or conduct to meaningful oversight and, whenever necessary, final approval by agency officials.
If a contracted function is determined after award to be inherently governmental, the OFPP Letter recommends that an agency exert more oversight or terminate all or part of the contract for convenience, among other options.
Because it is unclear exactly which functions fall under the “inherently governmental” restriction, the DoD in 2018 issued guidance with a list of thirty-four questions to help contracting officers determine whether functions can be contracted out. Notably, the guidance instructed PMSCs to consider whether a task or function would (4) “involve the command of military forces, especially the leadership of military personnel who are members of the combat, combat support, or combat service support role”; (9) “involve the direction and control of intelligence and counter-intelligence operations”; (30) “involve security operations performed in direct support of combat as part of a larger integrated combat force, or performed in environments where there is significant potential for the security operations to evolve into combat” or (32) “involve combat[.]” If the task at issue is expected to involve any of these functions, it cannot be contracted. While PMSCs may perform security functions, they may not be hired to engage in offensive combat.
The Government Accountability Office (GAO) has offered little guidance on what constitutes an “inherently governmental function” in the context of national security, but has stated that certain “warfighting, judicial, enforcement, regulatory, and policymaking functions” may need to “retain an in-house capability even in functions that are largely outsourced.” Even so, those functions that are “directly linked to national security” must be “retained in-house to help ensure effective mission execution.” While no statute prohibits PMSCs from performing warfighting functions in a warzone, the 2009 National Defense Authorization Act mandated that private security contractors cannot perform inherently governmental functions in areas of combat operations. They are also explicitly prohibited from conducting interrogations, which cannot be outsourced.
Despite these restrictions, the government may contract out functions “closely associated with inherently governmental functions” if: (1) there are no appropriate DoD personnel that can perform the function, (2) government personnel supervise the contractor’s performance, and (3) government personnel perform all the inherently governmental functions associated with the contract.
B. Private Military and Security Contractors and Combatant Immunity
No law in the United States explicitly governs PMSCs. Instead, the government is bound by policy directives that prohibit the outsourcing of “inherently governmental functions,” including combat, to those contractors. PMSCs are also subject to domestic criminal statutes when outside the United States under the MEJA, the Special Maritime and Territorial Jurisdiction Statute (SMTJ), and the Uniform Code of Military Justice (UCMJ). The primary legal uncertainty surrounding military contractors is whether, and under what circumstances, they may invoke the combatant activities immunity under the Federal Tort Claims Act (FTCA). The combatant activities immunity prevents a nongovernmental actor from bringing suit under the FTCA for “any claim arising out of the combatant activities of the military or naval forces, or the Coast Guard, during time of war.” “Time of war” has been construed to include situations when a formal declaration of war does not exist. The Ninth Circuit found that the exception applies “whether U.S. military forces hit a prescribed or an unintended target.” Another district court defined the exception as applicable “only to tortious conduct undertaken in the course of or in direct connection with combatant activities.”
As the government has carved out an exception for itself with “combatant immunity” in the FTCA, the question that remains is whether PMSCs can claim this immunity for their own conduct. Notably, the Ninth Circuit has held that “combatant activities” include “not only physical violence, but activities both necessary to and in direct connection with actual hostilities.” The court cited the example of “supplying ammunition to fighting vessels in a combat area during war” as a combatant activity. The D.C. Court of Appeals, on the other hand, created the doctrine of “battlefield preemption” in Saleh v. Titan Corp., holding that “where a private service contractor is integrated into combatant activities over which the military retains command authority, a tort claim arising out of the contractor’s engagement in such activities shall be preempted.”
Another major uncertainty associated with outsourcing to PMSCs is when and whether derivative sovereign immunity applies. The doctrine of derivative sovereign immunity “immunizes government contractors from suit when the government authorized the contractor’s actions and the government validly conferred that authorization.” In 2016, the Supreme Court clarified this doctrine, stating that the immunity covers the “contractor’s performance in compliance with all federal directions.” However, the Court noted that if a “contractor violates both federal law and the Government’s explicit instructions,” no derivative immunity will apply. Most importantly, the Fourth Circuit in Cunningham v. General Dynamics Information Technology, Inc. clarified that derivative sovereign immunity also applies to federal claims, rather than just state-law claims. The Cunningham court also clarified that authorization is “validly conferred” on a contractor when “Congress authorized the government agency to perform a task and empowered the agency to delegate that task to the contractor, provided it was within the power of Congress to grant the authorization.”
The United States’ history of accountability and oversight problems over PMSCs is well documented. In the Iraq War, the United States outsourced functions that arguably conflicted with the OMB A-76 Circular, notoriously including torture at Abu Ghraib. The Supreme Court effectively affirmed private contractor immunity when it refused to hear an appeal in Saleh, in which victims of torture at Abu Ghraib sued U.S. PMSCs for allegedly participating in torture and other war crimes. In the two recent cases of Al-Quraishi v. L-3 Services, Inc. and Al Shimari v. CACI International, Inc., the Fourth Circuit applied battlefield preemption, a form of derivative sovereign immunity, and reduced the standard for applying it to situations in which the military merely “broadly” retained command authority. While the decisions in both cases were later vacated and granted en banc review, the Fourth Circuit dismissed the cases for lack of jurisdiction because they were improper interlocutory appeals. In those cases, the court found that Saleh immunity is a “defense to liability and not an immunity from suit,” making Al-Quraishi and Al Shimari non-reviewable at the time. Accordingly, while the Fourth Circuit’s initial discussion on battlefield preemption remains dicta, the en banc court did not shed any light on when the preemption applies.
1. Limited Criminal Jurisdiction over PMSCs
A de facto exception to derivative sovereign immunity is the MEJA, which makes it a federal crime for a military contractor to engage in “conduct outside of the United States that would constitute an offense . . . if the conduct had been engaged within the special maritime and territorial jurisdiction of the United States.” This Act has seldom been used. Moreover, the MEJA does not apply to contractors who work for non-DoD departments or agencies and does not apply to cyber contractors, as they work within the United States.
The SMTJ defines the phrase “within the special maritime and territorial jurisdiction of the United States” when used within the context of Title 18 criminal offenses. The USA PATRIOT Act (PATRIOT Act) expanded SMTJ by adding § 7(9), which extends jurisdiction to “any place or residence in a foreign state used by missions or entities of the U.S. government with respect to offenses committed by or against a national of the United States.” In effect, this provision extends federal criminal jurisdiction over PMSCs operating in U.S. facilities around the world. However, like the MEJA, it does not apply to private contractor activity in cyberspace.
C. Offensive Cyber Operations and the Law of Armed Conflict
Determining whether a function may be contracted out to a commercial entity in the context of offensive military operations depends, in part, on whether it is a combat function. According to the DoD Law of War Manual, “cyberspace operations may be understood to be those operations that involve the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.” Examples of offensive cyber operations include “those operations that use computers to disrupt, deny, degrade, or destroy information resident in computer and computer networks, or the computers and networks themselves.” Examples of activities that would not be considered offensive cyber operations include those that use computers “without a primary purpose of achieving objectives or effects in or through cyberspace,” such as using “computer networks to facilitate command and control, operations that use air traffic control systems, and operations to distribute information . . . .”
While the Law of Armed Conflict does not address offensive cyber operations, it provides general guiding principles that arguably apply to cyber operations. Harold Koh, former Legal Adviser at the U.S. Department of State (DoS), argued that a cyber-attack that caused the same type of damage that would result from dropping a bomb would be equally subject to principles under the Law of Armed Conflict that apply to traditional weapons. Moreover, cyber operations that result in physical damage are likely to be illegal under Article 2(4) of the United Nations (U.N.) Charter, which forbids unlawful uses of force. Examples of such attacks include triggering a “nuclear meltdown . . . opening a dam above a populated area . . . or disabling air traffic control, resulting in airplane crashes.” Thus, a state’s right to self-defense as codified in Article 51 of the U.N. Charter may be implicated by offensive cyber operations when they amount to an armed attack or imminent threat of an armed attack, the standard employed when such attacks cause a kinetic effect. Moreover, there is no legal requirement that a response to a cyber-attack be another cyber-attack, and so any response that meets the principles of necessity and proportionality would be legal. Unfortunately, self-defense in cyberspace becomes difficult when adversaries can mask their activities and identities.
Unlike kinetic operations where proportionality and distinction are more easily determined, the cyber domain presents a heightened challenge in ensuring that civilian or friendly targets are not compromised. Due to the nature of computer networks, it is likely that a private civilian computer network will be affected in a cyber-attack on a military target.
D. U.S. CYBERCOM Authorities
The Trump administration issued a new cyber warfare directive called the National Security Presidential Memorandum 13 (NSPM 13), which outlined newly expanded authorities used by the DoD to conduct cyber warfare. Unfortunately, that document remains hidden from both the public and Congress. However, U.S. officials familiar with the language suggest that it allows for offensive cyber operations outside armed conflict and loosens the inter-agency approval process. With this new directive, we will likely see increased use of private contractors to fulfill these goals, leading to an increase in the cyber privatization problem, as discussed in the next Part of this Note.
III. The Cyber Privatization Problem
As a result of the history with accountability and oversight problems related to PMSCs, the United States faces a legal quagmire in outsourcing offensive cyber operations. Problems include existing oversight concerns and the risk of collateral damage in cyber operations, ambiguous definitions of what constitutes an “inherently governmental function,” uncertain combatant immunity applications, and Law of Armed Conflict implications. This section discusses each issue below.
A. Existing Oversight Concerns and the Risk of Collateral Damage in Cyber Operations
Before proceeding with a discussion of oversight concerns involving cyber contractors, it is important to highlight existing oversight concerns involving traditional PMSCs, as the same problems apply to cyber contractors. For example, the Commission on Wartime Contracting (CWC) found in 2011 that between $31 billion and $60 billion were lost to contract waste and fraud from FY 2002 through the end of FY 2011. Apart from the hearings that led to this CWC report, there were no other hearings focused on U.S. contractor responsibilities in U.S. military activities in the period from 2006 until 2016.
The 2011 report highlighted the existing problems with contracting operations out to traditional military contractors, including operational, political, and financial risks. An example of operational risk is that during a contract-performance period, “oversight and management may have been passed between multiple contracting officers and contracting officer representatives without a thorough transfer of knowledge.” As a result, the contractors may become the keepers of institutional knowledge, and in some cases, government officials “gradually cede de facto control over defense, diplomatic, and development activities to them.” A significant political risk involves “public-opinion backlash” when contractors are accused of committing crimes when deployed in the field. Financial concerns highlighted in the report include inadequate oversight and contract management, which leads to contract waste and fraud. While cyber contractors differ in that they are not meant to be deployed to the field in a conflict zone, the same oversight concerns apply to contract management.
The outsourcing of offensive cyber operations would involve the government entrusting private contractors with conducting operations that track the principle of distinction, or duty to differentiate between combatants and civilians as targets of attack, but have a heightened risk of violating that same principle due to the nature of cyberspace. Moreover, collateral damage in cyberspace is much harder to predict. The DoD defines collateral damage as “unintentional or incidental injury or damage to persons or objects that would not be lawful military targets in the circumstances ruling at the time.” Unlike traditional kinetic attacks, there is some debate about what constitutes “harm” in the context of cyber operations. As for the kinetic effect doctrine, offensive cyber operations that cause collateral damage with a kinetic analog will follow traditional collateral damage assessments.
The August 2018 attack on a Saudi petrochemical company highlighted the potential kinetic harm caused by cyber operations, as the attack was designed not only to destroy data or shut down the plant but to “sabotage the firm’s operations and trigger an explosion.” While an error in the malicious code meant that the plant did not actually explode, the damage dealt took months to remedy. Because of the interconnectedness of cyberspace, it is plausible that such malicious code used in an attack could spread far beyond the intended target. This occurred with the WannaCry malware, which spread to around 200,000 computers across 150 countries in one weekend. Among the most significant victims of WannaCry were the National Health Service hospitals in England and Scotland, the attack ultimately costing them around £92 million. The attack is believed to have been perpetrated by the “Lazarus Group,” operating out of, and with the support of, North Korea. Given the existing oversight problems over PMSCs, and the government’s recent history of malicious hacking tools falling into the wrong hands, the prospect of outsourcing offensive cyber operations presents a considerable risk.
B. The Current Definition of “Inherently Governmental Function” Is Ambiguous and Does Not Guide the Appropriate Use of Military Contractors.
The bipartisan CWC found that the United States used “too many contractors for too many functions with too little forethought and control” in Iraq and Afghanistan. It called the hypothetical idea that every instance of military contracting satisfied the “inherently governmental” standard a “dubious proposition at best.” It also refers to published guidance on what is “inherently governmental” as “muddled and unclear” because it is “riddled with exceptions, ambiguities, and ad hoc legislated interventions.”
The CWC attributes military contractors performing inherently governmental functions to federal agencies’ decline in their “ability to perform many functions related to their core missions[.]” As a result, the reliance on military contractors went from being optional to effectively mandatory for the DoD and DoS in Iraq and Afghanistan because “it was the only realistic option.” In one example, the report cites a 2009 Army base-budget survey of service contracts, which found that around 2,000 contractors were performing inherently governmental functions. The report found that if this was happening in base-budget activities, then “a reasonable assumption is that it also occurs in supplemental-funded activities supporting contingency operations, perhaps to a greater extent.” For these reasons, contracting out cyber support and operations needs to be carefully evaluated so as not to lead to the same.
There are also unique concerns about the “inherently governmental” standard when applied to cyber operations, such as those related to executing the operation itself. In an offensive cyber operation, there can be an intentional delay between execution and the intended harm. Unlike traditional kinetic operations, offensive cyber operations may include effects that do not manifest for months or years. In one example, U.S. officials reported in 2019 that CYBERCOM deployed potentially crippling malware into Russia’s electrical grid, among other targets, in a warning to Russia to not interfere in future U.S. elections. The malicious code was designed to be dormant unless specifically activated, with the goal being to send a message to Moscow rather than to cause immediate harm.
The ability to delay the harm from cyber attacks complicates the analysis of where to draw the “inherently governmental function” line. Should the line be drawn at the deployment of the malware, or at its activation? The deployment of dormant malicious code into an adversary’s network has no “offensive” effect until that code is activated. The DoD’s Instruction on workforce mix states that actions involving “deliberate, offensive action against a hostile force on behalf of the United States” are inherently governmental. Accordingly, it is conceivable that the “inherently governmental” line can be extended to when the malware is activated rather than installed. In this scenario, this results in virtually every task associated with installing malicious code, including the installation itself, falling outside the definition of an “inherently governmental function.” As this conflicts with the policy objectives of having inherently governmental functions, a definitive rule should be established on where to draw the line, discussed in Part IV.
A corollary concern is the close integration of the contractors and government personnel throughout the cyber operation process. Under the $460 million CYBERCOM contract, for example, the contractors aiding in offensive cyber operations work physically alongside their government counterparts at Fort Meade as their “primary place of performance.” In some cases, the contractors are considered so critical that the task order states that the contractor may need to work from an alternate site if the Continuity of Operations Plan is activated. Because government personnel and contractors are closely integrated when working on different stages of an offensive cyber operation, from planning to execution, the task of distinguishing functions between the two groups becomes exceedingly difficult. For example, a 2009 report produced by Northrop Grumman suggested that at the various stages of an offensive cyber operation, the tasks are “sometimes split among different groups, including ‘a mix of uniformed officers, military personnel, civilian intelligence operatives, and freelance high-end hackers.’” While the government may seek assistance with tasks necessary to execute an offensive cyber operation, the line at which tasks become “inherently governmental” is unclear.
C. Uncertain Combatant Immunity Applications
Existing authorities on military activities in cyberspace only explicitly immunize contractors against causes of action for complying with DoD reporting requirements involving cyber incidents and network penetrations of such contractors’ network or information systems. While case law suggests that contractors are immune when exercising a combatant activity directed by the U.S. military, it is unclear whether that applies to cyberspace. The FTCA combatant activities exception was construed by the Koohi court to require “hostile encounters on a significant scale with the military forces of another nation” to apply. The very nature of offensive cyber operations means that there does not have to be any encounter with a military force of another nation, significant or otherwise. For example, by injecting malware into an adversary’s electrical grid within a specific geographic region, the cyber contractor performs a combatant activity, but there is no analogous hostile encounter with the adversary’s own military forces. Nor are cyber operations limited to just those countries where the United States has other active kinetic operations, meaning that cyber operations could fall outside the Koohi interpretation.
One district court applied the broader interpretation promulgated by Saleh, finding that any activity on a battlefield performed by a contractor is preempted as long as the contractor is integrated into the military and the military retains command authority. The Aiello court extended the broad Saleh interpretation in finding the contractor’s negligent maintenance of a bathroom on a military base, which caused the plaintiff to fall and injure himself, to be preempted: “any claim arising out of combatant activities is preempted.” The Aiello court applied the Johnson test of “active logistical support of combat operations” to find the contractor’s “creation and maintenance” of toilets to be “both necessary to and in direct connection with actual combat,” and thereby preempted as a combatant activity.
Not all courts share this broad view, such as the Third Circuit in Harris v. Kellogg Brown & Root Services, Inc., which reversed and remanded a case from the Western District of Pennsylvania that cited Aiello’s reasoning. The district court held that the wrongful death and survival claim under the FTCA against a military contractor for negligent maintenance of electrical systems on a military base causing a soldier’s death was preempted because the contractor’s services were directly connected to the military’s combatant activities. In so holding, the court found that the contractor was “fully integrated” with the military. The district court then cited the Aiello court in finding the claim was preempted because the contractor’s services were “integral to sustaining combat functions.” Subsequently, the Third Circuit disagreed, finding that the military did not retain command authority over the contractor’s performance because the contracts did not prescribe how the contractor was to perform the work. The Third Circuit also cited Saleh: “the military [cannot] retain authority nor operational control over contractors working [under performance-based contracts] and thus tort suits against such contractors [are] not . . . preempted.” The court held that because “performance-based” contracts describe the work in terms of results, the contractor’s discretion in how to achieve those results means “by definition” that the military does not retain command authority over that work. Thus, the court held that the Saleh test was not met, and the case was reversed and remanded.
If cybersecurity contracts are performance-based, wherein the government tells the contractors only what the tools must do and not exactly how they should operate, “combatant immunity” may be inapplicable because the contractors have discretion over how their tools are designed. Unlike Boyle, in which the contractor was immune if the government provides design specifications, a case in the Third Circuit, for example, may lead to liability for the contractor if the military does not retain authority or operational control over how contractors design their offensive cyber weapons.
D. Law of Armed Conflict Implications for PMSCs Conducting Offensive Cyber Operations
The Law of Armed Conflict problem arises when the U.S. government contracts out offensive cyber operations to private companies that, in turn, conduct operations that may implicate Article 2(4) of the U.N. Charter and run the risk of causing collateral damage. The possibility of a contractor conducting a cyber “armed attack” risks the contractor, and its employees, becoming combatants themselves by directly participating in hostilities as active participants in the conflict. Even if the individual civilian contractors do not execute the attack themselves and only work on adjusting the code up until the moment of the attack, they may still become lawful targets of a counterattack. This is because the contractors assume a “continuous combat function,” which involves the “preparation, execution, or command of acts or operations amounting to direct participation in hostilities.” The Tallinn Manual, a non-binding academic study on the applicability of international law to cyber operations, contends that a private company engaging in offensive cyber operations qualifies as an “organized armed group belonging to a party,” and thus may be lawfully targeted. By being classified as an “organized armed group” and effectively being given a continuous combat function, members of the private company would no longer be classified as “civilians” under international law. In so doing, the victim-state could invoke U.N. Article 51 self-defense and respond in a way not limited to a cyber-attack or limited to just those who conducted the cyber-attack. Counterattacks may be kinetic, including bombing the contractor’s facilities, as long as they meet the principle of proportionality.
The problematic issue is in determining whether a contractor’s activities amount to a “continuous combat function” based on their level of preparation for an offensive cyber operation. While the execution of the operation is a “combat function” and cannot be lawfully contracted, the development and preparation of tools used in such an operation can be contracted for because they do not involve combat. However, unlike traditional military contracts where the contractor builds weapons and delivers them to the government, integrating cyber contractors with government personnel blurs the line. By having contractors participate in everything but execution of a cyber attack, they are likely to be considered as performing a “continuous combat function.” Moreover, given the oversight concerns outlined in Subpart A of this section, cyber contractors may end up executing offensive operations, although this is speculation based on the evidence available.
For example, in the case of the CYBERCOM contracts, one of which was awarded to Booz Allen Hamilton, the question remains whether Booz Allen facilities in Qatar, the United Arab Emirates, and Lebanon, among other countries, may become valid kinetic targets in a self-defense operation. A corollary issue is that, while international law forbids reprisals and requires necessity and proportionality in self-defense operations, cyber-attacks’ attributional problem makes pinpointing the specific attacker(s) difficult. As a result, if State X knows they were attacked under a CYBERCOM operation outsourced to Booz Allen that led to casualties, and Booz Allen is considered an “organized armed group belonging to a party,” State X may opt to launch a cyber or kinetic attack in self-defense against any of Booz Allen’s offices provided the target meets the requirements of necessity and proportionality. Even though the contractors under this CYBERCOM contract, such as Booz Allen, are based at Fort Meade alongside their government counterparts, if the victim-state manages to attribute the cyber-attack to the contractor based on the “tools, techniques, and procedures” used in the attack, it may exercise self-defense accordingly.
While the responding attack would have to follow principles of jus in bello, namely that civilians are not targeted, the attributional problem of offensive cyber-attacks leaves the victim with two choices: attack what they know or do nothing at all. The anonymous nature of the internet often leaves the victim with no ability to exercise self-defense because they cannot pinpoint the source of the attack. By outsourcing offensive cyber operations, the government can exercise plausible deniability by introducing attributional doubt. However, responsibility is attributed to the state if it “either acknowledges and adopts the conduct of the non-state actor as its own, or the state directs or controls the non-state actor.” Moreover, the International Court of Justice held that the actions of a non-state actor would only be attributable to the state when it exercises “effective control” over the non-state actor.
The problem of attribution then raises another concern that the victim-state may be able to identify the contractor responsible for a cyber-attack but may not have enough evidence to attribute the attack to the sponsor-state. For example, if CYBERCOM, through Booz Allen, conducts a cyber operation against the Iranian military, thereby causing casualties using a Booz Allen developed tool, Iran could invoke the jus ad bellum justification in self-defense.
However, suppose Iran could only identify that Booz Allen was responsible for the cyber operation by developing the tool used in the attack, but not that the United States ordered it. In that case, Iran is left with few options. Without affirmatively attributing the attack to the United States, Iran would not be justified under international law in launching an attack on the United States in self-defense. That said, as non-state actors who directly participate in hostilities are not immune from attack, Booz Allen would be exposed to a counterattack from Iran. The United States, in turn, could either acknowledge responsibility and give justification for Iran to launch a counterattack on the United States, or deny that it ever ordered the operation. While the United States would be safe from a counterattack under international law, Booz Allen would be a legitimate target in both scenarios.
The United States has already set a precedent for a responsive strike under this theory. In 2018, Russia’s Wagner Group aided pro-Syrian government forces in an attack on a U.S. military position in Deir al-Zour, Syria. The U.S. military called Russian high command in Syria on a deconfliction line to warn them to turn back, and the Russian military denied any involvement. A bloodbath in which roughly 200 Wagner mercenaries were killed followed. While the United States did not have jus ad bellum justification for striking Russian armed forces, Wagner Group was fair game because it attacked U.S. forces. Accordingly, if the United States denied responsibility for the previously discussed hypothetical cyber operation against Iran, Iran could legally attack Booz Allen in self-defense, provided the attack meets the principles of necessity and proportionality.
IV. U.S. Government Solutions to the Cyber Privatization Problem
Because cyber military contractors are here to stay, Congress should address many of these concerns by extending the MEJA to cover cyberspace, defining which tasks are inherently governmental, and extending reporting requirements to Congress to include each cyber contractor’s involvement in executed cyber operations.
A. Congress Should Amend the MEJA and the SMTJ to Include Cyberspace.
By extending the MEJA to cover cyberspace, the government would be able to prosecute rogue contractor activity in cyberspace, aiding government oversight. As many crimes under Title 18, such as the MEJA, define their jurisdiction according to the “special maritime and territorial jurisdiction of the United States,” including cyberspace in this definition would hold cyber contractors responsible for criminal activity. Just as Blackwater contractors were prosecuted under the MEJA for their role in killing fourteen innocent Iraqi civilians, so too will cyber contractors be subject to prosecution if the “kinetic effects” of unlawful cyber operations cause the same.
The purpose of both the MEJA and the expansion of the SMTJ under the PATRIOT Act was to expand U.S. criminal jurisdiction outside the fifty states over particular crimes. When Congress expanded the SMTJ under the PATRIOT Act, it sought to resolve a potential circuit split over jurisdiction involving crimes committed by or against U.S. nationals in facilities used by the U.S. government. Before the enactment of the MEJA, civilian contractors of the DoD who committed crimes outside the United States were not subject to the UCMJ, nor were they subject to the criminal laws of the United States. Following the increased use of military contractors, Congress moved to “close [the] gaping hole in the law by extending Federal criminal jurisdiction to crimes committed by persons employed by and accompanying the U.S. Armed Forces overseas” in enacting the MEJA. The new law effectively placed U.S. PMSCs under domestic criminal law. Together, these two modifications to the United States’ criminal jurisdiction suggest a willingness by Congress to keep the laws current with modern advances, such as the rise of private contractors. Accordingly, just as the rise of private contractors led to legislative measures, so too can the advent of militarized cyberspace lead to an extension of criminal jurisdiction over this new domain.
Opponents of this approach may argue that the SMTJ is not in itself a criminal statute and only defines the boundaries of jurisdiction. While the PATRIOT Act extended the jurisdiction of the SMTJ, Blackwater was prosecuted under the MEJA, a separate statute. However, as the MEJA defines its jurisdictional boundaries according to the SMTJ, amending the SMTJ to include cyberspace would mean that the MEJA would also cover it. Moreover, 18 U.S.C. § 3261(a)(1) of the MEJA covers contractors “while employed by or accompanying the Armed Forces outside the United States,” which would encompass DoD contractors operating in cyberspace. While many of these contractors are subject to domestic criminal jurisdiction by having a physical presence in the United States, it is questionable whether cyber operations resulting in kinetic damage in another country would subject those contractors to criminal jurisdiction. Accordingly, having the SMTJ cover cyberspace introduces the possibility of having contractors be criminally responsible for kinetic attacks through cyberspace.
B. Congress Should Define “Inherently Governmental Function” to Include Tasks Involved in the Preparation or Execution of Combat Operations.
Most of the issues discussed in this Note can be addressed by explicitly defining the boundary of what is considered an “inherently governmental function.” Thus, Congress should define, by statute, “inherently governmental functions” to include the preparation and execution of a targeted offensive cyber operation. Preparation should be defined as those actions taken to enable a specific potential future attack. In other words, while developing a weapon is not inherently governmental, it would be if the contractor set up the weapon for use in a specific attack. This definition would preclude cyber contractors from preparing cyber weapons for such an attack, such as by modifying code meant to execute it. That said, it allows those contractors to develop tools generally that would enable the military to proceed with a targeted attack. Contractors will also be allowed to train U.S. military personnel on how to use those tools. This definition would not preclude contractors from engaging in passive activity, such as reconnaissance, so long as that activity does not involve penetrating adversary networks or any other action that would constitute a “use of force” per Article 2(4) of the U.N. Charter. For example, while the deployment of dormant malicious code into an adversary’s electrical grid would have to be performed by governmental personnel, contractors could identify which network to target, provided they do not engage in network penetration.
Indeed, this approach would require CYBERCOM to restructure its operation and recalibrate its reliance on contractors. While contractors are useful in providing cost-effective solutions, they should not be tasked with functions instead of government personnel. Moreover, this solution would address the problem of DoD’s overreliance on contractors to perform their core functions, demonstrated by the CWC report.
Requiring government personnel to prepare and execute the offensive cyber operation themselves would have the added effect of shielding contractors who developed the tools used in the operation from a counterattack by another state acting in self-defense. By distancing the contractors from active preparation for a targeted attack, they would not be considered lawful combatants under international law because they would not be performing a continuous combat function. While it is true that it may be possible to engage in a “use of force” that does not amount to an “armed attack” and thus does not allow for the victim-state to assert U.N. Article 51 self-defense, this definition provides a buffer by removing the contractor’s involvement in an activity that would even rise to the lower standard of a “use of force.”
Domestically, instituting the buffer between government and contractor personnel also reduces the risk of inherently governmental functions being inadvertently performed by non-government personnel. As described in the CWC report, there have been documented instances of inherently governmental functions in the U.S. Army being performed by contractors. Applied here, while execution of an offensive cyber operation is a combat function that could only be legally performed by the military, experience suggests that contractors often do so. Without this solution, contractors executing the operations themselves would still be illegal, and no contract could lawfully task contractors to do so. By instituting the buffer as recommended in this Note, the likelihood of that occurring would be curtailed, if not fully removed. Moreover, with uncertainty over the applicability of combatant immunity if there is litigation against the contractor, instituting the buffer reduces that risk.
Opponents may argue that by enforcing a buffer between government personnel and contractor personnel, contractors’ agility to assist the government would be limited. Contractors are typically awarded single multi-year contracts for many services under a multi-purpose umbrella and can execute specific tasks without having to re-bid on those tasks. Thus, shifting those tasks to government personnel would burden them with tasks that contractors previously handled. While it is undeniable that the private sector can perform more quickly, speed should not be used as an excuse for outsourcing what should be inherently performed by the government, especially combat operations.
It would be difficult for CYBERCOM to function with this solution because of its infant state and as such, change should be implemented gradually. Since this solution requires an act of Congress, there would be no lack of notice, and CYBERCOM has preparation time to separate core functionality from its contractors. The idea behind outsourcing to private contractors stems from expediting the military’s capability in performing offensive cyber operations. Thus, there must be no reduced capability in performing those functions because of this solution, which is why gradual implementation is critical. While one can only speculate that the reasoning behind the CYBERCOM contracts is to quickly build up the military’s cyber capability, doing so should only be a temporary measure. Pushback may stem from the contractors themselves, whose income depends on their personnel working side by side with military personnel beyond the delivery of the product. That said, just as President Eisenhower warned against the military-industrial complex in his farewell address, we should heed that warning in not relying on outsourcing operations to the government’s detriment. It is true that CYBERCOM’s youth requires outside help in quickly developing an effective combatant command. Still, this solution can be implemented with a statutory delay to allow for military personnel to learn how to prepare a targeted attack themselves.
C. Congress Should Extend Reporting Requirements to Include Each Cyber Contractor’s Involvement in Executed Cyber Operations.
Under 10 U.S.C. §§ 391, 393, Congress mandates that the DoD receive reports anytime certain contractors experience cyber incidents, such as a penetration of their networks and information systems. Given that reporting requirements between contractors and DoD currently exist, Congress should also require the DoD to report, on a quarterly or annual basis, each contractor’s level of involvement in executed cyber operations. This solution would provide more information to Congress to exercise their oversight functions by ensuring that contractors are not involved in preparing the cyber weapons for targeted attacks. Moreover, this solution will act as a deterrent by making it harder for contractors to sidestep the rules. For example, while the solution as outlined in Part B of this section would not allow contractors to prepare their cyber weapons for a specific attack, it is not inconceivable that contractors could sidestep the issue by “training” the military in performing hypothetical attacks that resemble a real one being planned. Doing so would go against the spirit of separation and be counterintuitive to congressional oversight.
Opponents may argue that the definition of “involvement” is unclear, an issue addressed in this Note. The DoD would have to report contractor activity for all executed cyber operations, if applicable. Such a report would include which contractor developed the tool, when they delivered it, their involvement in training military personnel in using it, and any activity beyond that. The goal is to ensure that contractors maintain some separation from preparations for specific targeting and cease any involvement beyond training military personnel in how to use the contractor’s developed tools. Adding a reporting requirement would be an extra layer of accountability and enforcement through congressional oversight.
V. Conclusion
This Note does not seek to limit the effectiveness of military contractors, without whom the U.S. military would not be as technologically dominant. Yet the advent of offensive cyber operations introduces a host of legal questions that implicate both domestic and international law because existing law does not account for it. While Harold Koh posited that international law allows for introducing new warfare methods, such as cyber, current law still fails to address issues that only arise in cyber operations. For example, the possibility of non-kinetic damage through a cyber operation, such as wiping data from a stock exchange, or the possibility of delaying harm by inserting dormant malicious code, has little existing international law that could apply to it. Moreover, the possible legal exposure under outdated federal laws, and the possibility for adversary states to attack contractors who cross the blurred line and become lawful targets, puts those contractors at greater risk. While physical involvement in overseas operations limits traditional military and security contractors, cyberspace is a global domain where an effect can be achieved from behind a computer anywhere in the world. Thus, while the slow wheels of the legislative process find a solution domestically, and as international law catches up with our new reality, the best solution would be to demarcate the boundary between what is an inherently governmental function and what is not.