By: Joe Schottenfeld, JD ‘19

In January, the National Security Division (NSD) of the Department of Justice announced the newest development in its efforts to combat cyber-attacks. Building off of its indictment of a North Korean man in 2018, the Division had started to help identify and alert individuals affected by a longstanding botnet attack. The press release was the latest in a steady stream of cyber-related moves: Since 2014, when NSD indicted five members of the People’s Liberation Army, the Division and DOJ more generally have gone after a growing stream of bad actors around the globe, like the North Korean hackers behind the Sony attack. These prosecutions have come to represent one of the US Government’s most significant responses to cyber threats.

So far, however, the federal government’s use of prosecutions has received mixed reviews. As Jack Goldsmith and others have pointed out, the deterrence value of prosecutions may be questionable. NSD’s indictments have rarely actually led to prosecutions and convictions; while there are other costs for named perpetrators, such as losing the ability to travel, those costs probably pale in comparison to the very real benefits that a state or non-state actor can achieve from a cyber-attack. As a result, prosecutions without more—e.g. sanctions—may make the US look feckless. And, as private sector panelists and participants at Yale’s recent Cyber Leadership Forum made clear, the slow pace of indictments can take a toll on businesses, which have to worry about preserving evidence, rather than being able to clean up immediately after a hack.

Rather than replay the argument over the value of prosecutions to cyber-deterrence, I’m curious about a component that’s less frequently discussed: The way in which indictments and prosecutions contribute to the U.S. government’s emergency preparedness for a cyber-attack. It’s still too early to say, but, unfulfilling as they may be right now, indictments could play a formative role in shaping how the bureaucracy works to prevent and respond to cyber-threats over time. In the short term, this would likely be cold comfort to private sector leaders who face a nearly omnipresent threat of a debilitating attack. But it might reassure the rest of us, who should also probably be more aware of the possibility of a devastating attack, at least according to Dan Coats, the Director of National Intelligence.

In theory, prosecutions help an array of actors within our sprawling national security bureaucracy—from investigators to prosecutors to members of the IC—to become better prepared and more adroit, both in anticipating and responding to an attack. Prosecutions are, of course, much more than practice. But they push these actors to get used to working collaboratively across agencies; to investigating, sharing, and declassifying information; and to deploying their capabilities against a variety of different threats.

There’s at least one potential precedent for this view of the bureaucratic effect of prosecutions, both in terms of the mechanism they may serve and that mechanism’s importance: the more lawful aspects of counter-terrorism following September 11th. Following 9/11, laws like the Patriot Act—now known more for the breathtaking surveillance it was used to justify—eliminated formal information-sharing blocks that prevented crucial intelligence from moving between and even within agencies. But it took bureaucratic reform—the creation of NSD (and ODNI)—to improve information sharing and collaboration in practice. According to those at the helm of the Division, bringing conventional law enforcement practices to bear helped create a governmental response system that “disrupt[s] plots, incapacitate[s] terrorists, and gather[s] intelligence.” As Jen Easterly, Joshua Geltzer, and Luke Hartig described recently, in a piece noting the similarities between the terrorist threat pre-9/11 and the cyber threat today, “[w]e’ve seen firsthand that information on terrorist threats now travels rapidly across the parts of the federal government that analyze and address such threats.”

My bureaucratic aspiration for indictments and prosecutions may read like a variation of a point made by a number of current and former NSD officials—that prosecutions can serve as the glue of our cyber-response toolkit. While he was the Assistant Attorney General for NSD, John Carlin, for example, spoke and wrote of the need for a “‘whole-of-government’ approach” to cybersecurity: “success requires drawing upon each agency’s unique expertise, resources, and legal authorities, and using whichever tool or combination of tools will be most effective in disrupting a particular threat.” (“Whole of government” has stuck: The Rod Rosenstein-led Cyber-Digital Task Force used the phrase in their 2018 report, as did John Demers, the current AAG, in prepared testimony late last year before the Senate Judiciary Committee.) NSD’s FY 2019 budget request makes clear that it’s not interested in prosecutions alone. The Division will “[c]ombat national security cyber-based threats and attacks through the use of all available tools, strong public-private partnerships, and by investigating and prosecuting cyber threat actors.” 

I’d argue that there’s even more at issue, though, than maximizing our responsiveness and readiness from a pure capacity standpoint. Hopefully, in the context of cyber-attacks, prosecutions can help shape the way that we respond. As a part of the bureaucratic process, prosecutions may stabilize and delimit our response. In particular, from an early stage, they may prepare the bureaucracy to rely on the judiciary.

By way of contrast, after 9/11, the Bush Administration expertly exploited its knowledge of the bureaucracy and the state of emergency to broaden its power and generate an, at the time, nearly unimaginable response to the terrorist threat. To patch intelligence gaps, it instituted illegal surveillance programs, among a variety of other unlawful practices. It purposefully walled the programs off from judicial review. The Terrorist Surveillance Program, for instance, which allowed the NSA to sweep up American phone records without a warrant, only first received limited judicial scrutiny in 2007 from the FISC. We’re still grappling today with the extent and legality of our surveillance programs more broadly.

Priming the bureaucracy now may diminish the ability of the executive to overreach in times of greater emergency. Prosecutors with years of working to secure warrants and indictments from both FISA and non-FISA courts over cyber security may feel comfortable sticking with those practices, even in the face of a potential series of attacks by cyber-terrorists. And, given their expertise and connection to the broader IC, it would be harder for the executive to keep them completely out of the loop.

In other contexts, prosecutions invite abuse. But the process used this January for a low-level but still destructive, North Korea-sponsored botnet attack may—with tweaks for efficiency and to invite greater judicial oversight—work in the face of far more harmful attacks. If that’s the case, strange as it is, prosecutions could help check some of our executive’s worst national security impulses.