National security experts have discussed the threat of cyberwarfare for more than twenty years, and there have been a number of high profile cyber attacks over that period. The recent escalation of cyberconflict became clear last year when the New York Times discovered that the United States and Israel had developed and used a worm, known as “Stuxnet,” to destroy Iranian nuclear facilities. This shot across the bow, along with the recent creation of the U.S. Cybercommand, indicates that the United States has the capability to conduct sophisticated offensive and defensive cyberoperations. Scholars in international law, national security law, and privacy law are now attempting to define the legal rules and boundaries of cyberwarfare. The Obama Administration has also made clear that protecting privacy and civil liberties is a critical component of the U.S. cybersecurity plan. But so far it is unclear what protections will be included in the cybersecurity plan.
This article takes a novel approach to identifying necessary civil liberties protections by analyzing U.S. cyberoperations under the Third Amendment. Three types of cyberoperations implicate Third Amendment interests: malware designed to disrupt industrial control systems, cyberespionage tools, and active defense (or “hack-back”) systems. All of these may affect innocent civilian systems, and the Third Amendment prohibits military intrusion into civilian spaces absent consent or legal authorization by Congress.
Based on the principles of the Third Amendment, this article identifies three issues that must be addressed regarding cybersecurity policy: authority, cooperation, and transparency. It concludes that Congress must establish the framework for authorization of cyberoperations that could affect civilian networks; that the private sector has an interest in a public-private collaberation to establish security standards and processes; and that any comprehensive cybersecurity strategy must provide for a transparent, public accountability system to address civil liberties impacts. The Cybersecurity Executive Order is a step in the right direction, but Congress must still establish clear rules governing executive action in this area.