How does a military attorney defend against cybersecurity negligence claims?

When a service member is accused of a cybersecurity failure, mishandling sensitive data, failing to follow security protocols, leaving classified material exposed, the charge usually takes a familiar legal form: dereliction of duty under Article 92 of the UCMJ. Defending it is less about technology than about proving, or disproving, the elements of dereliction. The defense lives in the gap between an honest mistake and culpable failure.

The likely charge: dereliction of duty

Cybersecurity lapses are typically prosecuted as dereliction of duty under Article 92. The government must establish:

  • The accused had certain duties (here, the specific cybersecurity or information-handling obligations).
  • The accused knew, or reasonably should have known, of those duties.
  • The accused was derelict in performing them.

That dereliction can be willful, through neglect, or through culpable inefficiency, and the degree of fault affects the punishment, willful dereliction is treated more harshly than simple negligence. This is the framework that governs a cyber-negligence allegation, and that history is real: service members, including senior officers, have been found derelict for failing to safeguard classified information in violation of a regulation.

The key defense: more than an honest mistake

Here is the heart of the defense. To convict, the prosecution must prove the failure was more than a simple, honest mistake, it must show actual negligence, culpable inefficiency, or willful dereliction. That standard is the opening.

A strong defense often shows that the member:

  • Followed established procedures and acted with reasonable care, even though something still went wrong.
  • Faced factors outside their control that caused the failure, rather than a breach of the member’s own duty.
  • Did not actually have, or know of, the specific duty the government claims was breached.

If the member did what was required and exercised reasonable care, a bad outcome alone does not establish dereliction.

The broader exposure

It is worth noting that mishandling classified material can implicate other law beyond Article 92, so an attorney assesses the full exposure. But the core military charge for a cybersecurity lapse remains dereliction, and that is where the defense concentrates.

Where a data breach is blamed on a member, the attorney shows it was an honest mistake despite reasonable care, since dereliction requires more than a bad outcome.

The practical upshot is that cyber-negligence cases are dereliction-of-duty cases. The government must prove a known duty and a culpable failure that rises above an honest mistake, so the defense is built on the member’s actual duties, the reasonableness of their conduct, and the difference between bad luck and real dereliction.

Frequently Asked Questions

How are cybersecurity lapses usually charged in the military?
Most commonly as dereliction of duty under Article 92 of the UCMJ, which requires a known duty and a culpable failure to perform it.

Does an honest mistake amount to dereliction of duty?
Generally no. The prosecution must show more than a simple, honest mistake; it must prove negligence, culpable inefficiency, or willful dereliction.

What is a strong defense to a cyber-negligence claim?
Showing that the member followed established procedures and acted with reasonable care, that the failure resulted from factors outside their control, or that the claimed duty did not exist or was not known.


This article is general information about dereliction-of-duty allegations involving cybersecurity. It is not legal advice and does not create an attorney-client relationship. Application is fact-specific and the law can change. Anyone facing such an allegation should consult a qualified military defense attorney.

Sources

Leave a Reply