Faculty Bibliography

U.S. states traditionally play a minor role in establishing national security policies, which generally fall within the federal government’s remit. But the return of great power competition with China and Russia and the accompanying proliferation of threats have spurred states to act on national security concerns. With unprecedented speed, breadth, and frequency, U.S. states have taken it upon themselves to address perceived security concerns with TikTok, foreign purchases of real estate, and foreign-made drones, as well as commercial dealings with Russian firms. Drawing on their police powers, they have enacted security-related laws that sometimes parallel and sometimes go beyond the federal government’s actions. We term this phenomenon “entrepreneurial federalism” and explain its unique features. The increasing frequency and breadth of states’ national security-focused actions have set U.S. states and the federal government on a collision course. Private parties have launched a range of legal challenges to state laws, arguing that courts should hold that those laws are preempted based on existing federal statutes or on broader doctrines that disable states from acting in foreign relations. Courts may be tempted to do so, especially because China and Russia are near-peer threats that require careful federal management. But if the courts adopt broad preemption doctrines in this space, they may inadvertently foreclose two constructive phenomena that can arise from acts of entrepreneurial federalism: useful supplementation by the states of federal efforts to address national security threats and the productive friction that states can introduce into policymaking to improve the quality of U.S. national security policies. Even when there are good reasons for courts to hold that state actions that implicate the U.S. relationship with China or Russia are preempted, judicial decisions that reach that result too readily – or that use a broader form of preemption than necessary – may unintentionally impose longer-term costs on U.S. national security. This Article documents the rise of states’ national security actions, distinguishes them from earlier academic models of federalism, and proposes ways that the courts, Congress, the Executive, and the states can foster a positive role for states while minimizing the downsides that could flow from state actions in the national security space.

In an era defined by partisan rifts and government gridlock, many celebrate the rare issues that prompt bipartisan consensus. But extreme consensus should sometimes trigger concern, not celebration. We call these worrisome situations “frictionless government.” Frictionless government occurs when there is overwhelming bipartisan and bicameral consensus about a particular set of policies, as well as

The Supreme Court’s recent expansion of the major questions doctrine has rocked administrative law, throwing into doubt executive agencies’ statutory authority for numerous regulations. Some Justices have suggested that they want to go further and reinvigorate the nondelegation doctrine as a constitutional limit on Congress’s authority to delegate power to the executive branch. This Article is the first to consider how these developments might put at risk the United States’ international commitments. The Article first identifies the role of congressional delegations to the executive branch with respect to the formation and implementation of ex ante congressional– executive agreements, executive agreements pursuant to treaties, sole executive agreements, and nonbinding agreements. It then explains how the Supreme Court’s recent decisions might spark challenges to the agreements themselves or to the executive’s authority to implement them. Turning from the diagnostic to the prescriptive, the Article takes the Supreme Court’s recent cases as a given (problematic though they are) and argues that delegations involving international agreements differ from purely domestically focused delegations in material ways that counsel against applying the major questions doctrine or nondelegation doctrines to them. In particular, the existence of foreign state counterparties with whom the executive must negotiate means that Congress cannot simply direct the executive branch on international agreements with the same specificity that it can in domestically focused legislation. Moreover, declaring an existing international agreement or its implementing legislation invalid based on a domestic statutory interpretation doctrine risks causing the United States to violate international law, as well as harming its reputation as a reliable agreement partner. Treating international agreement-related delegations identically to domestically focused ones would also run counter to long-standing historical gloss from the Supreme Court itself that treats foreign-relations-related issues in exceptional ways. After arguing against using the major questions and nondelegation doctrines to police delegations related to international agreements, the Article proposes steps that the courts, Congress, and the executive branch can each take to ensure that existing and future international agreements are well-grounded in constitutional and statutory law.

A resilience agenda is an essential part of protecting national security in a digital age. Digital technologies impact nearly all aspects of everyday life, from communications and medical care to electricity and government services. Societal reliance on digital tools should be paired with efforts to secure societal resilience. A resilience agenda involves preparing for, adapting to, withstanding, and recovering from disruptions in ways that advance societal interests, goals, and values. Emphasizing resilience offers several benefits: 1) Resilience is threat agnostic or at least relatively threat neutral; 2) its inward focus emphasizes actions under the control of a targeted country, rather than attempting to change behaviors of external adversaries; and 3) because resilience can address multiple threats simultaneously, it may be less subject to politicization. A resilience strategy is well-suited to address both disruptions to computer systems—whether from cyberattacks or natural disasters—and disruptions to the information environment from disinformation campaigns sowing discord. A resilience agenda is realistic, not defeatist, and fundamentally optimistic in its focus on how society can withstand and move forward from adverse events. This Article identifies tactics to bolster resilience against digitally enabled threats across three temporal phases: anticipating and preparing for disruptions, adapting to and withstanding disruptions, and recovering from disruptions. The tactics of a resilience strategy across these phases are dynamic and interconnected. Resilience tactics in the preparation phase could include creating redundancies (including low-tech or no-tech redundancies) or “pre-bunking” disinformation campaigns. Actions in the preparation phase help with adapting to and withstanding disruptions when they are ongoing. Forewarning people about cyberattacks can ensure they do not panic when crucial services cease to function. More persistent and recurrent threats like disinformation campaigns may require structural adaptations, like privacy law reform, to curb the exploitation of personal data that can be used for democracy-damaging disinformation. Recovering from disruptions draws on steps taken earlier. Resilience tactics in the recovery phase could include reverting to manual controls and turning to pre-positioned hardware stockpiles that enable continuity of operations after cyberattacks, as well as supporting and protecting journalists and researchers subjected to intimidating online abuse. These are just possibilities—a resilience strategy is ours to imagine and pursue, and doing so is a crucial step to strengthen national security for a digital age.

A former O'Connor clerk recalls her inner toughness tempered by good humor and abiding pragmatism.

National security review of corporate transactions has long been a relatively sleepy corner of regulatory policy. But as governments merge economic and national security, national security reviews are expanding in frequency and scope, causing numerous deals to be renegotiated or even blocked. This expansion of national security’s impact on corporate transactions—which this Essay calls “national security creep”—raises theoretical questions in both national security and contract law and has important practical implications for dealmaking and the economy. This Essay makes several contributions. First, it provides an updated account of the national security review process for investments, which has changed substantially in recent years with the expansion of the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS), the global diffusion of CFIUS-like processes, and U.S. moves to regulate outbound investment. Second, this Essay considers the theoretical impact of national security creep. It argues that the executive branch’s increasingly broad claims about what constitutes national security may cause judges to alter long-standing deference to the executive on national security issues, with implications for deal parties, the executive, and scholars who debate whether courts should treat national security as “exceptional.” It also argues that CFIUS’s temporally tentacular review authority upends well-understood contract theory that considers regulatory review to be an ex ante contract design cost. Finally, this Essay considers practical implications of national security creep and concludes with suggestions for how the executive, courts, Congress, and scholars should approach national security creep going forward.

There has been a recent bipartisan shift to frame economic issues—among many others—in national security terms.

When a state seeks to respond to a cyberattack, must it first attribute the attack to the perpetrator responsible? The US policy of “Defend Forward” and “Persistent Engagement” in cyberspace raises the stakes of this attribution question as a matter of both international and domestic law. This chapter explores the international and US domestic laws governing cyberattack attribution. It argues that common across international and US law is the fact that cyberattack attribution serves as both a potential source of empowerment and a potential constraint on governmental action. In both systems, attribution of a cyberattack to another state bolsters the US executive branch’s authority to respond, and conversely, the absence of attribution can place the executive on less certain legal footing.

In 2021, the USA and other governments formally blamed Russia for a wide-ranging hacking campaign that breached the update process for SolarWinds Orion network monitoring software and used that access to compromise numerous government agencies, companies and other entities. Despite denouncing Russia’s cyber espionage and imposing sanctions, the USA did not call Russia’s actions illegal as a matter of international law – and for good reason. Based on the publicly available facts, this article argues that the SolarWinds incident likely did not run afoul of international law as it currently stands. The article considers the prohibitions on the use of force and intervention, emerging rules with respect to violations of sovereignty and due diligence, and international human rights law, and it concludes with some reflections on the role of states and scholars in decisions about whether to close gaps in international law.

Russia's invasion of Ukraine has put to the test theories about how cyberattacks fit into conventional war. Contrary to many expectations, cyber operations appear to have played only a limited role in the initial stages of the invasion, prompting competing theories and rampant speculation about why. Although written while the conflict continues, this essay considers how either of two broad explanations for the limited role of cyberattacks to date—that Russia's attempted cyberattacks were thwarted or that Russia chose not to deploy them widely—challenges conventional wisdom about cybersecurity. The essay concludes by suggesting that one lesson international lawyers should draw from the current conflict is the urgent need to clarify and enforce international rules not just for the rare high-end destructive or widely disruptive cyber operations, but also for lower-level operations that have proven more consistently problematic, both in Ukraine and elsewhere. Clarifying such rules could help to manage escalation risk now and in the future, even if such rules—like the most venerable international law prohibitions that Russia's invasion has violated—do not necessarily restrain behavior directly.

As presidents make ever more expansive claims of executive power, Congress’s ability and willingness to counter the executive is often limited. That makes all the more significant instances when Congress does overcome structural and political challenges to pass legislation to rein in the president. But thanks to the Supreme Court’s invalidation of legislative vetoes in INS v. Chadha , such congressional actions are necessarily subject to presidential veto. President Donald Trump, for example, vetoed joint resolutions aimed at restraining executive action relating to the border wall and war powers. Although vetoed bills are not binding law, this Article argues that neither are they legal nullities; instead, judges, executive branch lawyers, and other interpreters can use majoritarian congressional opposition to the executive as an interpretive tool. The result is a novel “Youngstown canon of construction”: when Congress passes a bill or resolution by a majority of both houses and the president exercises the veto, preventing the act from becoming law, then the expressed congressional opposition to the president’s view should be used to narrowly construe the underlying statutory or constitutional authority the president is claiming, if that authority is ambiguous. The proposed canon would help to counteract overbroad claims of executive power in important areas such as war powers, the National Emergencies Act, treaty termination, and the scope of federal preemption of state laws.

When a state seeks to respond to a cyberattack, must it first attribute the attack to the perpetrator responsible? This essay explores the international and US domestic laws governing cyberattack attribution and argues that attribution to another state can bolster the US executive branch’s authority to act pursuant to its Defend Forward policy and, conversely, that the absence of attribution can place the executive on less certain legal footing.

Attribution of cyberattacks requires identifying those responsible for bad acts, prominently including states. To guard against baseless or false attributions, this Article argues that states should establish an international law requirement that public attributions of state-sponsored cyberattacks must include sufficient evidence to enable cross-checking or corroboration of the accusations.