Wednesday, September 22, 2021

Review - Posse Comitatus and Cybersecurity

Last night during the consideration of HR 4350 in the House, Rep Schiff (D,CA) offered amendment #24 which was adopted by a voice vote. That amendment (see page 217 for the text) added a new section to subtitle C of title V of the bill which would prohibit information received in violation of the Posse Comitatus Act from being used as evidence in a court of law. While posse comitatus actions by the US military (including federalized National Guard forces) are a very nuanced part of federal law, this amendment could have unintended consequences when it comes to the use of military cyber-assets in support of critical infrastructure facilities.

No one is going to scream ‘Posse Comitatus’ when DOD cyber forces protect critical infrastructure against cyber-attacks from a foreign adversary, whether it be a country, terrorist organization or even a foreign-controlled criminal organization. But, if DOD units, in the conduct of their cyber-protective role, uncover a domestic cyber-attack, provisions of both 18 USC 1385 and §275 are going to come into consideration. As long as DOD undertakes no action against the attacker and simply reports it to civilian police authorities (like the FBI) or federal cybersecurity agencies (like CISA), under the aerial photographic and visual search and surveillance doctrine, courts would probably not accept posse comitatus claims by defendants.

However, yesterday’s Schiff amendment may open the door for such claims. Whether they would be accepted by the courts is less certain.

Both §1385 and §275 contain similar exception language for ‘unless authorized by law’ or ‘act of Congress’. Thus Congress, in authorizing the use of military cyber forces (including National Guard units) to protect critical infrastructure against cyber-attacks, could exempt such actions from the restrictions of both sections. Such authorization, for example, could be preceded in the applicable legislative authorization by the phrase “Notwithstanding 18 USC 1385…”. Such language would then ensure that Schiff’s new language added to 10 USC 271 would no longer apply to information obtained by the authorized actions of the cyber-forces.

For a more detailed look at the provisions of §1385 and §275, and how they could impact the use of cybersecurity forces of the military in protecting critical infrastructure from cyber-attacks, see my article at CFSN Detailed Analysis (subscription required).
