By Ian Whitehurst, barrister at Exchange Chambers
In the chaotic and sometimes lawless world of cyber, a new risk is arising as commercial or private entities realise the potential to weaponise cyber to further their own financial and geo – political interests on the national and international stage.
It is not only governments that are nowadays engaged in acts of cyber war and espionage, there is a growing tendency for businesses and corporations [whether with formal links to their respective States or not] who are keen to be involved in obtaining State and commercial competitors secrets through sophisticated means of hacking, the deployment of malware into systems or even disrupting the financial and economic activities of more dominant players in the market place to their advantage.
Running in parallel with ‘legitimate’ corporations and their misuse of cyber, is the growing threat by organised crime groups (OCGs) in using cyber not only to avoid detection and investigation in the first instance, for example by the use of military standard encrypted devices but also by the laundering of vast profits from a myriad of criminal activities through crypto currencies and the digital financial system.
The scenarios identified above are exacerbated and taken to a new level when former government agents decide to enter the private sector deploying their skill sets, knowledge and contacts to the highest bidder – these “privateers” or “digital mercenaries” pose a significant risk not only to government interests but also to society and democracy as a whole.
The recent case of three former US intelligence operatives being charged with criminal charges arising from breaches of US hacking laws and military export regulations, demonstrates the concerns that exist with former government agents plying their trade in the private and international sector and the potential conflict that arises to for western governments with former agents being allowed to work independently.
The traditional approach of deploying law enforcement and the threat of criminal sanction is understandable but in some respects this model is outdated and unlikely to be able to keep pace in such a dynamic field as cyber.
A successful investigation and prosecution is dependent on a number of factors – resources, skill sets, evidence and jurisdictional remit to name but a few – all factors that in some respects give a marked advantage to the digital mercenaries and their employers who can control and limit the remit of the investigative powers of the State in a world where the ability to deploy significant resources is a key advantage in the avoidance of detection and enforcement.
An alternative approach to addressing the risk of digital mercenaries to national security and economic interests is to approach this from a private law perspective and “front load” the restraints upon government agents at the outset and thus be pro – active and not reactive in dealing with an issue that is always going to be present in such an evolving and lucrative field such as cyber.
By imposing stronger contractual terms, principally “restrictive covenants” on state employees, stronger and better remunerated severance packages or by even placing a moratorium on them once they exit government service, is a far more pragmatic approach than trying to “bolt the stable door” after the horse has left by adopting a traditional prosecutorial approach towards misconduct by former government agents.
Factor in effective civil asset recovery measures to the process in order to recoup monies and fees taken from third party states and organisations and you have a more effective deterrence based system to ensure the control of the “privateers”.
This approach is of course an alternative proposal to deal with a field of activity which is notoriously difficult to regulate. But in the interim and in the present absence of effective statutory law reform dealing with this issue, this more nuanced approach may be the way forward.
Ian Whitehurst, barrister at Exchange Chambers