By Alan Butler | 62 Am. U. L. Rev. 1203 (2013)

In the summer of 2010, Microsoft reported a new “zero-day” vulnerability in Windows XP that allowed malicious software to be executed from USB drives. Two months later, it was discovered that a sophisticated computer worm called “Stuxnet” had taken advantage of this vulnerability to infect industrial control systems within Iran’s nuclear facilities. Security researchers posited that Stuxnet was “created by a government and [wa]s a prime example of clandestine digital warfare.”

Although Stuxnet initially targeted specific Iranian nuclear facilities, its widespread infection left it “splattered on thousands of computer systems around the world,” including Chevron’s network. Nearly two years after Stuxnet was discovered, a New York Times exposé revealed that the United States and Israel had developed the worm as part of a project codenamed “Olympic Games.” This news clearly signaled the shift in cyberoperations from rogue groups to the nation-state level. Representatives from the United States and other nations have begun discussing frameworks for analyzing cyberoperations under international law. However, discussions of the constitutional limitations and the civil liberties implications of military cyberoperations have been limited. Many recent articles have attempted to provide answers to how traditional legal principles governing military action will apply in cyberspace; this
Article is another along that vein. 

This Article takes a novel approach to cybersecurity policy by considering the implications of the Third Amendment of the U.S. Constitution. While the Third Amendment’s anti-quartering provision has been historically overlooked—in over two hundred years, very few federal cases have reviewed the provision at length—it is the subject of a growing body of academic literature. The Supreme Court has recognized that the Third Amendment creates a “zone of privacy” similar to those in the First and Fourth Amendments. This zone of privacy protects individuals from military intrusions absent consent or special wartime legislative mandate. Given the potential of military cyberoperations to intrude upon innocent domestic systems, as demonstrated by the Stuxnet example, the Third Amendment’s constitutional prohibitions must be taken into account. This Article is intended to supplement existing discussions of cybersecurity policy while considering the principles of the Third Amendment in this new context. Because the history and purpose of the Third Amendment is discussed at length in other literature, it will be summarized only briefly in this Article. 

Part I discusses in detail recent cyberoperations and cyberstrategies that affect civilian networks and hardware. Part II addresses the structure and history of the Third Amendment and its relevance to the division between military and civilian realms. And Part III analyzes the effect of military cyberoperations on civilian devices—such as a server, network router, or personal computer—under the Third Amendment. Finally, Part IV discusses the implications of the Third Amendment’s consent and wartime proscription requirements on the current cybersecurity policy debate. This Article concludes that there are strict constitutional limitations to the cyberspace actions that the President can authorize, including in the recently-proposed cybersecurity Executive Order. The President cannot authorize military actions in cyberspace that affect private domestic systems without the safeguards of congressional approval or a public private partnership. These safeguards require increased public engagement in and knowledge of the decisionmaking process related to cyberoperations.

Click here to read this Article