Back in the 2010s, I recall a legal challenge involving Posse Comitatus [1], an act designed to limit the use of military personnel in civil law enforcement efforts. During this time, a few military service members were part of a small defensive cyber team tasked with performing local security assessments within a corporation, while attached to a group of government civilians.

What they discovered was a remote intrusion with strong indicators of compromise that arguably could have been detected had the corporation implemented basic cyber-hygiene. The corporation acted…

Given the severity of the findings, the corporation executed a damaging CYA maneuver which I can only describe as “the negligent Posse Comitatus escape clause”, or Posse Comitatus flex (PC flex). In this case, PC flex set defensive cyber forces back years from where they could have been, thanks to the legal eagles at said dumpster fire corporation.

To reduce penalties, the corporation allegedly threatened a lawsuit against the US government, arguing that the individuals who discovered the breach, which included uniformed service members, had suddenly violated Posse Comitatus simply by being inside the facility once the possibility of civil penalties became apparent to the corporation. The breach made headlines and was settled, and please don’t ask or state which dumpster fire corporation was guilty here, since the real heroes are the legal eagles who invented this interpretation of PC flex. This may not be the only case where this has occurred, but it is the only one I know of as it pertains to cyber and the military.

We have policies, mission needs, and even executive orders to defend the nation; how the hell is anyone supposed to do that in uniform if we permit PC flex to impede the future warfighter? The Department of State currently offers multi-million-dollar rewards [2] for information on threat actors, hacking groups, and ransomware groups, similar to FBI wanted posters [3], and I can’t really imagine anyone in service ever being eligible for these payouts. Instead, talented individuals with free time may join private bug bounties, and some might even make money while in service, circumventing future legal interpretations of PC flex because they do not identify themselves as members of the armed forces and mum’s the word.

Can you imagine a world where our top talent, including the best hackers, programmers, analysts, and linguists, all came together in the realistic cyber landscape, not some simulated BS range, and hunted down real-world threats during their off time? I sure can. But our current policies prevent that, since this group could be considered a posse attempting to engage in or facilitate assistance to law enforcement. Instead, they help private businesses, and the bug bounty programs those businesses operate, taking a percentage of the bounty as the fruits of their labor. It is a small step, but eventually we want to challenge and change the legislation, and the surrounding policies, that hold the warfighter back.

If you ever needed a call to action, this is it! Join the AUSCF and help us change the policies so that the next time a contractor tries a creative interpretation of PC flex, an exception or clarification exists to prevent it. We cannot do this alone; join us.

[1] https://www.ojp.gov/ncjrs/virtual-library/abstracts/posse-comitatus-act-what-does-it-mean-local-law-enforcement

[2] https://rewardsforjustice.net/

[3] https://www.fbi.gov/wanted/cyber