I’m reading Jane Mayer’s book, The Dark Side, which is about how the U.S. went seriously off-track in its efforts to pursue Al-Qaeda. I recommend it very highly; it’s revelatory, depressing and infuriating.
But this is a blog about cybercrime, not about the so far pretty unimpressive War on Terror. This post was prompted by something I read in the book, early on.
People in various federal government departments and divisions (e.g., CIA, Department of State, Department of Defense, White House) were trying to figure out the conceptual basis on which U.S. personnel would pursue and deal with members of Al-Qaeda and others who fell into the category of anti-American terrorists.
At first, the FBI was investigating the 9/11 attacks, just as they investigated the 1998 Al-Qaeda attacks on U.S. embassies in Kenya and Tanzania. That was the presumptive approach because terrorism has been approached as a crime since 1937, when the League of Nations promulgated a Convention on terrorism that called for countries to make it a crime and prosecute it as such. The League promulgated the Convention in response to a terrorist assassination of a Yugoslavian king and French foreign minister.
So, as I’ve noted before, terrorism became, and essentially remains, a type of crime. And that’s how the FBI, anyway, was proceeding after 9/11, until things went awry. In Mayer’s book, she quotes someone (I’ve forgotten who) as saying the U.S. government had to come up with a different approach to Al-Qaeda style terrorism because the law enforcement approach didn’t work.
It didn’t work, this person-whose-name-I-can’t-recall-and-am-too-lazy-to-look-up said, because law enforcement is retroactive – it responds to what has already happened. This person said the U.S. needed to move to a proactive approach that emphasized preventing future attacks. And he said the different approach had to be the military approach (think “enemy combatants”) because there were only two choices: law enforcement or the military.
That comment sparked this post. I want to write about the notion that there are two and only two choices, though not in terms of dealing with Al-Qaeda style terrorism. I want to talk about the notion in the context of different threats – cyberthreats.
As I explained at length in an earlier post, cybercrime challenges the law enforcement model because it deviates from the real-world crime the model assumes in several ways. Cybercrime is often transborder, transnational or trans-state in federal systems like the United States. That frustrates law enforcement because law enforcement is set up to work effectively within a particular territorial area. Once conduct leaks outside that area into one or more other areas, then law enforcement has to deal with often cumbersome legal procedures (and practical constraints) that impede officers’ ability to do their job. Another difference is scale: As I’ve written in law review articles, real-world crime tends to be one-to-one crime. A perpetrator burglarizes a house, then another house, and so on; a rapist attacks one victim, then another, and so on; and that pattern operates as the default for most real-world crime.
A third difference is physical proximity between perpetrator and victim, which is required in traditional crimes. To rob, rape or kill someone, I have to be close to them; and the same was historically true for crimes like fraud. Fraud was face-to-face crime, until the invention of the telephone. (There was, of course, some mail fraud prior to the invention of the telephone, but historically the mails were so unreliable that this was not a good way to go.) And, finally, law enforcement has a pretty good handle on the incidence of crime in the real world; there’s a science called crime mapping that can track where crime (of particular types) is most likely to occur, and I suspect most police departments can do the same, pretty effectively. That means police have a way to allocate their very scarce resources in a way to maximize their ability to do their job.
Their job, of course, is to control crime by discouraging its commission. They do that by finding people who have already committed crimes, having them prosecuted, convicted and then sanctioned for what they did. The empirical premise of the twentieth century criminal justice system is that law enforcement officers will capture enough of the people who commit crimes (they can’t possibly catch all of them) to deter them and deter others from following their lead.
Cybercrime, as I explained in that earlier post, erodes the efficacy of this model because it can be committed from halfway around the world as easily as it can be committed next door, because it can be committed on a scale vastly exceeding the one-to-one default of traditional crime, because physical proximity is irrelevant and because we so far do not have accurate statistics on its incidence and authorship. The crimes themselves are for the most part the same old stuff (theft, fraud, trespass, burglary, etc.) but the medium is new and operationally problematic for law enforcement.
So the comment about needing to move from a law enforcement model in dealing with terrorism also has application to cybercrime or, more broadly, to cyberthreats. As I explained in another post, there are three cyberthreats: cybercrime, cyberterrorism and cyberwarfare.
Cyberterrorism is really a subset of cybercrime, but since it’s usually broken out in discussions I’ll make it a third category.
Three categories, two models. As with transnational terrorism, we have, if we go with the comment noted earlier, two and only two models to choose from in dealing with cybercrime, cyberterrorism and cyberwarfare. If we follow the real-world approach, then law enforcement will deal with the first two and the military will deal with the third.
The problem with that, as I noted in an earlier post and in an article cited in that post, is that the difference between the first two and the third one may not be apparent, at all. With cyberwarfare, the attacker doesn’t bomb Pearl Harbor, or London, thereby making it pretty easy to tell that this is “war,” not “crime.” We haven’t had a definitive cyberwar attack so far (to my knowledge . . . sorties, but not an attack), so we don’t really know what one will look like. But we do know it’ll use tools essentially indistinguishable from those used by criminals, cybercriminals and cyberterrorists.
My point here is that in dealing with cyberthreats we face the same problem U.S. officials thought the United States faced in dealing with Al-Qaeda-style transnational terrorism. (I think they were wrong there, but that is irrelevant here.) The law enforcement model is not effective against anonymous, extraterritorial opponents who leave no physical crime scene and can inflict damage on a scale that is yet to be determined. (For more on that, I refer you to my post on cyberwarfare.)
So, does that leave us with only two choices in dealing with cyberthreats – keep the law enforcement model or move to a military model? First of all, in the U.S. there is a federal statute – the Posse Comitatus Act – that says the military cannot be involved in civilian law enforcement. It is only a statute, which means it could be repealed; but it rests on legal principles that go back to English common law, as well as other principles, all of which dictate that it’s a very bad idea to mix civilian and military metaphors when it comes to keeping order inside a country. I don’t think we should do that, and I suspect most military officers don’t want to do that, either.
Are there only two choices? If so, why? As I’ve written in law review articles, the dichotomy between military and civilian law enforcement evolved over time: The military deals with external threats (e.g., Nazi Germany), while civilian law enforcement deals with internal threats (e.g., the Mafia). By “threat,” I mean activity that can undermine a nation-state’s ability to maintain the internal (crime) and external (war) order it needs to survive and prosper.
We have two categories because modern nation-states are the product of and defined by the territory they control. Think about it: One of the common terms we use for a nation-state is “country.” A state’s “country” is its defining characteristic in a binary definitional system: Territory either belongs to Country A or to Country B. If it belongs to Country A, then Country A’s army will protect it from encroachment by Country B and Country A’s police will keep order within the territory.
As we all know, cyberspace is increasingly making territory irrelevant, just as modern transportation made it less of an obstacle for real-world terrorist groups like Al-Qaeda. The distinction between “inside” (law enforcement) and “outside” (the military) erodes, leaving us with an apparent conundrum: If our only options are law enforcement OR the military, then we presumably have to keep going as we are, even though we know law enforcement’s ability to deal with cyberthreats has eroded in ways we are not likely to be able to remediate (at least, not if we intend to maintain something other than a garrison state).
I’ve been wondering for some time if we don’t need to think about the inevitability of this dichotomy. I certainly don’t want it collapsed into a single system (the U.S. Military and Law Enforcement Agency) – bad, bad idea. But why can’t we expand it? Why can’t we come up with a third option (not considered in developing the response to 9/11)? After World War II, the U.S. in a sense did this by creating the Central Intelligence Agency. The CIA was created as a response to the new realities of the Cold War, which was in a way analogous to cyberthreats or Al-Qaeda-style terrorism. Since it was “cold,” the Cold War didn’t fit into the traditional category of war, and it wasn’t crime because it was about dealing with an external, nation-state threat. So we created a new agency and a new approach . . . not a free-standing approach, not a third option, but a new way of dealing with a new kind of threat.
I don’t see why we can’t do something similar with cyberthreats.