Cryptocurrency as a Funding Source
Money, it’s a crime/Share it fairly/But don’t take a slice of my pie1
To spend money, elements of the Federal Government, including the Department of Defense (DoD), must have a positive grant of authority based in legislation from Congress.2 Further, without a specific statutory exception, federal entities cannot augment funds appropriated by Congress with outside funds.3 What should happen when otherwise-authorized DoD cyber activities result in control, or potential control, of a malicious actor’s cryptocurrency?4 Currently, the Miscellaneous Receipts Statute likely would require the DoD to deposit it into the Treasury—after converting it to legal currency.5 However, the general rule established by the Miscellaneous Receipts Statute has several exceptions.6 One exception specific to the DoD relates to counterintelligence activities and is found at 10 U.S.C. § 423, Authority to Use Proceeds from Counterintelligence Operations of the Military Departments or the Defense Intelligence Agency.7
In 10 U.S.C. § 423, Congress authorized the Secretary of Defense to use proceeds of authorized counterintelligence activities to offset expenses.8 This relatively short section of Title 10 contains three main parts, each only a sentence long. Part (a) of § 423 provides the operative language that permits the Secretary of Defense to authorize the “use of proceeds from counterintelligence operations . . . to offset necessary and reasonable expenses.”9 Next, part (b) invokes the concept of miscellaneous receipts to, in effect, prevent the creation of a slush fund by requiring the DoD to deposit “the net proceeds” into “the Treasury as miscellaneous receipts” when “no longer necessary for the conduct of those operations.”10 Finally, part (c) of § 423 directs the Secretary of Defense to establish implementing “policies and procedures” to provide oversight, control, and accountability over the use of proceeds to offset expenses.11 Overall, 10 U.S.C. § 423 provides the DoD flexibility to conduct counterintelligence operations, which are inherently secretive and sensitive by their nature.
Congress should enact a statute similar to 10 U.S.C. § 423 that permits the DoD to use cryptocurrency proceeds from otherwise-authorized cyber activities to offset expenses incurred during such activities.12 By providing this authority, and proper oversight to control such actions, Congress would enhance the DoD’s freedom of maneuver in a contested cyber domain within the bounds of law. The remainder of this article provides draft language for the proposed statute, highlights the benefits, and identifies potential challenges that this authority may present.
The operative language of 10 U.S.C. § 423 permits the Secretary of Defense to authorize the use of proceeds from counterintelligence operations to offset expenses related to such operations.13 Likewise, in the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019, Congress emphasized that “clandestine military activity or operation in cyberspace” is traditional military activity, which fall outside the requirements of 50 U.S.C. § 3093, the Covert Action Statute.14 This sets up the potential (but highly likely) practical result that, during some authorized DoD cyber activity, cryptocurrency may be brought under the control (or potential control) of a DoD organization.15
Take the Democratic People’s Republic of Korea (DPRK) as an example. The DPRK is reliant on cryptocurrency to get around financial sanctions.16 Likewise, U.S. Cyber Command (USCYBERCOM) is able to scan for and identify DPRK malware that facilitates illegal activities, which implies a level of access and knowledge of DPRK cyber capabilities.17 Finally, unidentified actors have demonstrated the ability to take control of someone else’s cryptocurrency without the owner’s knowledge by using a person-in-the-middle technique.18 Given these facts, it is plausible to posit that the DoD may have the ability to exert control over DPRK cryptocurrency if required and authorized.
Therefore, a need exists for a new statute similar to 10 U.S.C. § 423 to authorize and set the legal boundaries for what can be done with cryptocurrency potentially obtained during DoD cyber activities. Without specific authorization from Congress, the remaining alternative would be to deposit the funds into the Treasury.19 Depositing the funds in the Treasury is less than ideal because it severs the link between the proceeds and the malicious activity while at the same time depriving the DoD from utilizing the funds to offset operational expenses.
Similar to 10 U.S.C. § 423, the proposed new legislation would have three main parts: (1) authorization and approval guidance; (2) limitations on excess proceeds; and (3) direction to establish implementing policy.20 Specifically, the new legislation would differ from 10 U.S.C. § 423 in three substantive ways.21 First, the word “cryptocurrency” is added to modify “proceeds.”22 The addition scopes the statute to address the relatively novel issue created by cryptocurrency. Second, the phrase “counterintelligence operations” is replaced by “otherwise authorized cyber activities.”23 The purpose of changing this language is two-fold: to update the wording to reflect the nature of activity covered and to clarify that the new statute does not create a stand-alone grant of authority for conducting cyber activities.
Finally, because joint organizations—and other agencies within DoD, but outside of the “military departments or the Defense Intelligence Agency”—may take part in cyber activities, the wording is revised to “elements of the Department of Defense.”24 While 10 U.S.C. § 423 falls within Chapter 21 of Title 10 (DoD Intelligence Matters), due to its subject matter, the proposed statute should more likely fall within Chapter 19 of Title 10 (Cyber and Information Operations Matters).25 Collectively, these proposed changes would create new legislation modeled after 10 U.S.C. § 423 to provide the necessary authority for DoD to use cryptocurrency proceeds from otherwise authorized cyber activities to offset expenses related to such activities.
Several benefits would follow from the enactment of a statute that permits the DoD to use cryptocurrency to offset expenses, including the establishment of clear guidance, the creation of a lawful source of funds, and the expansion of operational flexibility within the bounds of the law. Clear guidance from Congress on the use of cryptocurrency acquired during cyber activities would not only provide guidance to DoD, but also have a secondary benefit of reducing “interagency friction” in the executive branch by unambiguously assigning a function to a particular agency—in this instance, the DoD.26 This particular assignment of a function would not have to be exclusive to provide clarity and reduce friction.
Additionally, the DoD’s ability to use cryptocurrency acquired during otherwise authorized activities to offset costs is fiscally responsible. The current U.S. “[g]ross Federal debt is now more than $23 trillion,”27 and national defense spending is projected to contribute $758.5 billion towards that debt in FY 2021.28 Included in that FY 2021 defense budget amount, the President requested “nearly $10 billion” to specifically support military cyber capabilities.29 While clear, unambiguous fiscal policy is generally a positive, a potential risk of inappropriate cryptocurrency speculation exists within the new grant of authority. However, Congress and the President can manage and minimize the risk of inappropriate speculation through implementing effective policy and oversight. Considering the risks versus the benefits, the ability to offset even a portion of operating expenses using an adversary’s funds would be a net positive for the DoD and U.S. Government.
Ultimately, this new authority would provide freedom of maneuver for cyber activities that would support both civilian and military policy guidance. The 2018 National Defense Strategy emphasizes “[f]ostering a competitive mindset.”30 Innovation in areas of emerging technology, such as those related to cyberspace, fit within this competitive mindset.31 Similarly, the USCYBERCOM’s Command Vision specifically states that “seizing and maintaining the tactical and operational initiative in cyberspace” will “increase our freedom of maneuver.”32 Together, the benefits of the proposed new legislation—which would allow the DoD to use acquired cryptocurrency to offset otherwise related expenses—would effectively support the nation’s shift toward strategic competition.33
Even though the proposed legislation related to cryptocurrency would bring a number of benefits, its enactment may present some challenges, including technical issues, oversight questions, and transparency concerns. First, while the ability to attribute actions in cyberspace continues to improve, issues related to attributing specific acts to particular actors in a timely manner remain.34 This is especially true for state-sponsored malicious activities, which may include false flag operations that take time to trace.35 Further, state governments may be reluctant to disclose information publicly due to concerns about disclosing sensitive capabilities.36 This keeps “[s]ome of the most significant attribution work  hidden and classified.”37
Second, the proposed legislation, like any grant of authority from the legislative branch to the executive branch, raises concerns about whether appropriate oversight exists.38 However, in the area of DoD cyber authorities, Congress has established significant requirements for notification and reporting—including FY18 NDAA §§ ١٦٣١ and ١٦٣٢, which address “sensitive military cyber operations and cyber weapons,” as well as modify “quarterly cyber operations briefings.”39 Under these provisions, the DoD must report all sensitive military cyber operations (SMCO) within twenty-four hours while, for cyber operations that fall below the threshold of a SMCO, DoD must still make quarterly notifications to Congress.40 Likewise, Congress has several committees dedicated to providing oversight to the armed services and intelligence activities of the government.41
Last, the implementation of the proposed authority is likely to create transparency concerns because cyber activities by the DoD potentially involve sources and methods that are classified. One possible option to improve transparency would be to expand the U.S. Privacy and Civil Liberties Oversight Board’s mandate to include review and advice related to cyber activities in addition to counterterrorism.42 Challenges exist related to the proposed legislation, but mechanisms are available to address these risks that make the legislation a net positive as it relates to nation-state competition.
Conclusion—The Beginning, Not the End
By passing new legislation similar to 10 U.S.C. § 423 that permits the DoD to use cryptocurrency proceeds from otherwise authorized cyber activities to offset expenses, Congress would improve the DoD’s freedom to maneuver and its ability to compete with other states in cyberspace. The proposed language for the statute is not meant to be the final version, but instead the purpose of the draft is to provide a starting point towards a solution. Further refinement could eliminate some of the potential challenges associated with creating this new authority. However, the requirement to provide fiscal authority to leverage capabilities in cyberspace, outside of just appropriating additional funds, is an issue that Congress needs to address. The proposed statute provides a way. TAL
10 U.S.C. § 423, Authority to Use Proceeds from Counterintelligence Operations of the Military Departments or the Defense Intelligence Agency.
(a) The Secretary of Defense may authorize, without regard to the provisions of section 3302 of title 31, use of proceeds from counterintelligence operations conducted by components of the military departments or the Defense Intelligence Agency to offset necessary and reasonable expenses, not otherwise prohibited by law, incurred in such operations, and to make exceptional performance awards to personnel involved in such operations, if use of appropriated funds to meet such expenses or to make such awards would not be practicable.
(b) As soon as the net proceeds from such counterintelligence operations are no longer necessary for the conduct of those operations, such proceeds shall be deposited into the Treasury as miscellaneous receipts.
(c) The Secretary of Defense shall establish policies and procedures to govern acquisition, use, management, and disposition of proceeds from counterintelligence operations conducted by components of the military departments or the Defense Intelligence Agency, including effective internal systems of accounting and administrative controls.
Proposed New Legislation: Authority to Use Cryptocurrency Proceeds from Department of Defense Cyber Activities.
(changes from the original text of 10 U.S.C. § 423 are underlined)
(a) The Secretary of Defense may authorize, without regard to the provisions of section 3302 of title 31, use of cryptocurrency proceeds from otherwise authorized cyber activities conducted by elements of the Department of Defense to offset necessary and reasonable expenses, not otherwise prohibited by law, incurred in such operations, and to make exceptional performance awards to personnel involved in such operations, if use of appropriated funds to meet such expenses or to make such awards would not be practicable.
(b) As soon as the net cryptocurrency proceeds from such cyber activities are no longer necessary for the conduct of those activities, such proceeds shall be deposited into the Treasury as miscellaneous receipts.
(c) The Secretary of Defense shall establish policies and procedures to govern acquisition, use, management, and disposition of cryptocurrency proceeds from cyber activities conducted by elements of the Department of Defense, including effective internal systems of accounting and administrative controls.
1. Pink Floyd, Money, on Dark Side of the Moon (Harvest 1973).
2. U.S. Const. art. I, § 9, cl. 7. See also United States v. MacCollum, 426 U.S. 317 (1976) (“The established rule is that the expenditure of public funds is proper only when authorized by Congress, not that public funds may be expended unless prohibited by Congress.”).
3. See U.S. Const. art. I, § 9, cl. 7; Purpose Statute, 31 U.S.C. § 1301(a); Miscellaneous Receipts Statute, 31 U.S.C. § 3302(b) (supporting the general rule against augmentation of appropriations). See generally Contract & Fiscal Law Dep’t, The Judge Advocate Gen.’s Legal Ctr. & Sch., Fiscal Law Deskbook 55 (2020) (explaining the prohibition against augmentation and the concept of miscellaneous receipts).
4. See generally Aleksander Berentsen & Fabian Schär, A Short Introduction to the World of Cryptocurrencies, 100 Fed. Rsrv. Bank St. Louis Rev. 1 (2018), https://files.stlouisfed.org/files/htdocs/publications/review/2018/01/10/a-short-introduction-to-the-world-of-cryptocurrencies.pdf; Zack Gold & Megan McBride, Cryptocurrency: A Primer for Policy-Makers, CNA: Analysis & Solutions (Aug. 2019), https://www.cna.org/CNA_files/PDF/CRM-2019-U-020185-Final.pdf (introducing cryptocurrencies and blockchain technology).
5. Miscellaneous Receipts Statute, 31 U.S.C. § 3302(b). See Jason Brett, Crypto Legislation 2020: Analysis of 21 Cryptocurrency and Blockchain Bills in Congress, Forbes (Dec. 21, 2019, 1:05 PM), https://www.forbes.com/sites/jasonbrett/ 2019/12/21/crypto-legislation-2020-analysis-of-21-cryptocurrency-and-blockchain-bills-in-congress/#6cf56d356c1b (discussing proposed bills related to cryptocurrency that could have an effect in the future if passed into law. However, very few of the proposed bills relate to national defense.). While a person might presume that cryptocurrency is considered currency, the IRS considers virtual currency to be property for the purposes of tax implications. See generally I.R.S. Notice 2014-21, 2014-16 I.R.B. (Apr. 14, 2014). The purpose of noting this is to highlight that, at some point in time, the cryptocurrency will likely have to be converted into some form of legal currency (e.g., U.S. dollars) for final disposition within the government. The details of when and how this should occur is beyond the scope of this article.
6. See, e.g., Authority to Use Proceeds from Counterintelligence Operations of the Military Departments or the Defense Intelligence Agency, 10 U.S.C. § 423. See infra Appendix A (providing the full text of 10 U.S.C. § 423). See also Department of the Treasury Forfeiture Fund, 31 U.S.C § 9705 (allowing for funds from lawful seizures or forfeitures to be used for other enumerated purposes as administered by the Department of Treasury or U.S. Coast Guard); Civil Forfeiture, 18 U.S.C. § 981 (permitting funds obtained from violations of specific federal laws to be used to reimburse expenses, among other things). These statutes serve as examples of the executive branch repurposing acquired funds. Id.
7. Authority to Use Proceeds from Counterintelligence Operations of the Military Departments or the Defense Intelligence Agency, 10 U.S.C. § 423. See infra Appendix A (providing the full text of 10 U.S.C. § 423).
8. Id. “Proceeds” are not defined in the definitions section of title 10 (section 101). However, the cross-reference in 10 U.S.C. § 423 to 21 U.S.C. § 3302 is informative because it discusses the rules related to “money.” While not settled, cryptocurrency has been considered property, not money, by the IRS. Therefore, 10 U.S.C. § 423 would at best be unclear on its application to cryptocurrency and more likely cryptocurrency would not qualify as money (it would be considered property) that would fall outside of 10 U.S.C. § 423 and not be covered. For more information, references, and a brief discussion of the meaning of proceeds, see supra note 5.
9. 10 U.S.C. § 423(a).
10. 10 U.S.C. § 423(b).
11. 10 U.S.C. § 423(c).
12. The term “activities” as used in this article refers to all otherwise lawful and authorized actions by DoD elements and is intended to be broader than the term “operations.”
13. 10 U.S.C. § 423. Arguably, 10 U.S.C. § 423 permits offset of expenses for cyber activities when they are incurred for counterintelligence purposes. The proposed new statute would expand the offset beyond counterintelligence.
14. John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. L. No. 115-232, § 1632, 132 Stat. 1636, 2123 (2018) [hereinafter NDAA 2019]; Presidential Approval and Reporting of Covert Actions, 50 U.S.C. § 3093 (defining covert action and its exceptions). See also Robert Chesney, The Domestic Framework for US Military Cyber Operations, Hoover Inst. Aegis Paper Series (July 29, 2020), https://www.hoover.org/research/domestic-legal-framework-us-military-cyber-operations (explaining the role of NDAA 2019, § 1632, as a domestic legal basis for U.S. military cyber operations).
15. See, e.g., Alex Ward, How North Korea Uses Bitcoin to Get Around U.S. Sanctions, Vox (Feb. 28, 2018, 11:40 AM), https:// www.vox.com/world/2018/2/28/17055762/north-korea-sanctions-bitcoin-nuclear-weapons; Ionut Arghire, USCYBERCOM Shares More North Korean Malware Samples, Sec. Week (Feb. 15, 2020), https://www. securityweek.com/uscybercom-shares-more-north-korean-malware-samples; Catalin Cimpanu, A Mysterious Group Has Hijacked Tor Exit Nodes to Perform SSL Stripping Attacks, ZDNet (Aug. 10, 2020, 12:18 PM), https://www.zdnet.com/article/a-mysterious-group-has-hijacked-tor-exit-nodes-to-perform-ssl-stripping-attacks/. For how these articles potentially connect and why this hypothetical example could occur, see the DPRK example in the remainder of the section The Proposal.
16. See Ward, supra note 15 (explaining how North Korea uses cryptocurrency to avoid the effects of U.S. sanctions).
17. See Arghire, supra note 15 (highlighting USCYBERCOM activities related to North Korea).
18. See Cimpanu, supra note 15 (explaining one method—a person-in-the-middle attack—by which what appears to be a profit-motivated group “effectively hijacked the user’s funds without the users or the Bitcoin mixer’s knowledge”).
19. Custodians of Money, 31 U.S.C. § 3302(b). This likely would require a conversion to legal currency. See supra note 5.
20. See Authority to Use Proceeds from Counterintelligence Operations of the Military Departments or the Defense Intelligence Agency, 10 U.S.C. § 423(a)-(c) (identifying the three main parts).
21. For the full text of 10 U.S.C. § 423 and the new legislation proposed in this article, see infra Appendices A and B, respectively.
22. Compare 10 U.S.C. § 423(a)-(c) infra Appendix A, with Proposed New Legislation infra Appendix B (changes are underlined).
24. Id. United States Cyber Command and the National Security Agency are examples of DoD elements that could be covered by the proposed language.
25. Compare 10 U.S.C. ch. 21, Department of Defense Intelligence Matters, with 10 U.S.C. ch. 19, Cyber and Information Operations Matters (supporting that chapter 19 better relates to the new proposed statute because it encompasses cyber related matters).
26. See, e.g., Robert Chesney, The Law of Military Cyber Operations and the New NDAA, Lawfare (July 26, 2018, 2:07 PM), https://www.lawfareblog.com/law-military-cyber-operations-and-new-ndaa (explaining how Congressional legislation clarifying DoD’s authority to conduct cyber operations attempts to remove “interagency friction”).
27. Off. of Mgmt & Budget, A Budget For America’s Future: Budget of the U.S. Government 6 (2020), https://www.govinfo.gov/content/pkg/BUDGET-2021-BUD/pdf/BUDGET-2021-BUD.pdf [herienafter Budget of U.S. Gov’t].
28. Off. of the Under Sec’y of Def. (Comptroller), National Defense Budget Estimates for FY 2020 tbl.1-4 (2019), https://comptroller.defense.gov/Portals/45/Documents/defbudget/fy2020/FY20_Green_Book.pdf.
29. Budget of U.S. Govt, supra note 27, at 35.
30. U.S. Dep’t of Def., Summary of the 2018 National Defense Strategy of the United States of America 5 (Jan. 19, 2018), https://dod.defense.gov/Portals/1/Documents/pubs/2018-National-Defense-Strategy-Summary.pdf.
31. See id. (explaining that we must “out-innovate revisionist powers, rogue regimes, terrorists, and other threat actors”).
32. U.S. Cyber Command, Achieve and Maintain Cyberspace Superiority: Command Vision for US Cyber Command 7 (2018), https://www.cybercom.mil/Portals/56/Documents/USCYBERCOM%20Vision%20April%202018.pdf?ver=2018-06-14-152556-010.
33. See Donald J. Trump, U.S. President, National Security Strategy of the United States of America 2 (2017), https://trumpwhitehouse.archives.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf (discussing “A Competitive World”).
34. See Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers 5 (2019) (describing the “so-called attribution problem” and identifying challenges to attribution that include routing internet traffic through proxies and false flag operations that use planted evidence and false narratives to obscure the actual actor conducting the cyber activity).
35. Id. In the cyber context, a “false flag” is “[a]n operation designed to deflect attribution to an uninvolved party.” False Flag, Cyberwire, https://thecyberwire.com/glossary/false-flag (last visited June 1, 2021). “A cyber operation would be a false flag if the threat actor behind it took steps to impersonate or use the distinctive infrastructure, tactics, techniques, or procedures of some other threat actor. The Olympic Destroyer cyberattack against the 2018 Pyeongchang Winter Olympic Games is widely regarded as having been a false flag operation in which Russia’s GRU designed its attack to appear as if had been the work of North Korea.” Id.
36. See Greenberg, supra note 34 (describing challenges of attribution related to the Olympic Destroyer cyberattack); Brian J. Egan, Legal Adviser, Dep’t of State, Remarks on International Law and Stability in Cyberspace at Berkeley Law School (Nov. 10, 2016), https://www.law.berkeley.edu/wp-content/uploads/2016/12/egan-talk-transcript-111016.pdf (examining issues and challenges surrounding attribution); Kristen Eichensehr, Cyberattack Attribution and International Law, Just Sec. (July 24, 2020), https://www.justsecurity.org/71640/cyberattack-attribution-and-international-law/ (analyzing issues and challenges surrounding attribution).
37. Thomas Rid & Ben Buchanan, Attributing Cyber Attacks, 38 J. Strat. Stud. 4, 33 (2015) (discussing the technical aspects of attribution in cyberspace).
38. For example, inappropriate cryptocurrency speculation could occur if policies are not implemented to manage the potential risk or if there is not appropriate oversight.
39. National Defense Authorization Act for Fiscal Year 2018, Pub. L. No. 115-91, §§ 1631–1632, 131 Stat. 1283, 1736–1738 (2017).
40. Id. See also Robert Chesney, The NDAA FY’18’s Cyber Provisions: What Emerged from Conference?, Lawfare, (Nov. 14, 2017, 1:10 AM), https://www.lawfareblog.com/ndaa-fy18s-cyber-provisions-what-emerged-conference (explaining the definition of SMCO, as well as the various reporting requirements found in §§ 1631–1632 of the FY18 NDAA).
41. For example, the U.S. House of Representatives and Senate Armed Services Committees exercise Congressional oversight for the armed forces, and the U.S. House of Representatives and Senate Permanent Select Committees on Intelligence exercise Congressional oversight for intelligence activities of the U.S. Government. Additionally, there are internal oversight controls within the executive branch, such as inspector generals and intelligence oversight officials.
42. See History and Mission, U.S. Priv. & Civ. Liberties Oversight Bd., https://www.pclob.gov/About/HistoryMission (last visited June 1, 2021) (select the subsection “What are the Board’s Responsibilities?”). While beyond the scope of this article, the U.S. Privacy & Civil Liberties Oversight Board is one possible external organization that could review cyber policy and provide advice. The question of which organization is best situated to provide third-party review of U.S. Government cyber law and policy would benefit from further inquiry.