Running a personal VPN, a proxy, or an unapproved tunneling tool on a Department of Defense network is a real disciplinary exposure, not a gray-area IT footnote. Whether it becomes a security offense, an ordinary regulatory violation, or something prosecuted under the federal computer-fraud framework depends on what the member did, what the member intended, and what kind of information was touched. The UCMJ supplies more than one route, and the route the government picks shapes the elements it must prove and the punishment the member faces.
The most common charge: Article 92
Unauthorized VPN use is most frequently charged under Article 92, failure to obey a lawful general order or regulation, codified at 10 U.S.C. 892. Military networks are governed by detailed acceptable-use and cybersecurity regulations that prohibit installing unauthorized software, circumventing security controls, and connecting unapproved devices or services. When a regulation of that kind squarely forbids the conduct, the government can charge a violation under Article 92.
Article 92 contains distinct theories, and the difference matters. Under the lawful-general-order theory, the prosecution must prove the existence of a lawful general order or regulation, that the accused had a duty to obey it, and that the accused violated or failed to obey it. Knowledge of a general regulation is not an element, because such regulations are presumed to apply to everyone subject to them. Under the separate theory for orders that are not general, the government must additionally prove the accused had actual knowledge of the order. Article 92 also reaches dereliction of duty, which can apply where a member negligently fails to follow required network-security practices.
A point worth stressing: the regulation must actually prohibit the conduct charged. If a unit relies on a vague handbook entry or an order so unclear that a reasonable member could not understand what was forbidden, the lawfulness and clarity of the underlying order become litigable. An order is presumed lawful and the accused bears the burden of rebutting that presumption, but a genuinely ambiguous directive can defeat the charge.
The computer-specific offense: Article 123
The 2019 Military Justice Act, which took effect on 1 January 2019, renumbered and rewrote large parts of the punitive articles, and it created a dedicated computer-crime article. Article 123, codified at 10 U.S.C. 923, is titled offenses concerning Government computers and is modeled on the civilian Computer Fraud and Abuse Act at 18 U.S.C. 1030. Anyone analyzing these cases must use current numbering, because older materials place forgery at Article 123; that offense moved when the statute was reorganized.
Article 123 reaches three categories of conduct: knowingly accessing a Government computer with an unauthorized purpose and thereby obtaining classified information or other protected information; intentionally accessing a Government computer with an unauthorized purpose and thereby altering, damaging, or destroying information or denying access; and knowingly causing the transmission of a program, information, code, or command that intentionally causes damage to a Government computer without authorization.
The key concept is unauthorized purpose, which turns on whether the member used the computer in a way clearly contrary to the interests or intent of the authorizing party. Simply running a VPN does not automatically satisfy this. But if a member used a tunnel to evade monitoring in order to reach restricted data, exfiltrate protected information, or defeat access controls, Article 123 fits, and it is far closer to a true security offense than a bare regulatory breach.
When it becomes a genuine security offense
The phrase security offense is not a single charge; it is a description of conduct that endangers protected information or systems. VPN use crosses into that territory when the surrounding facts show a threat to classified or controlled information. Tunneling on a classified network such as SIPRNet to bypass data-loss-prevention tools, moving protected data outside authorized channels, or accessing material the member was not cleared to see can support Article 123 and, depending on the information involved, can implicate other articles. Mishandling or compromising classified information can be charged under Article 92 by reference to information-security regulations, and conduct that does not fit a specific article may be charged under Article 134, the general article, where the government proves prejudice to good order and discipline or service-discrediting conduct. Where the facts show an intent to deliver national-defense information to someone not entitled to receive it, federal espionage statutes assimilated through Article 134, clause 3, can come into play, though that is a far more serious and fact-dependent path.
What the government must actually prove
The charging decision drives the burden. To make out a straightforward Article 92 case, the government essentially shows the regulation, the duty, and the violation. To elevate the matter to Article 123, it must prove the additional mental state, unauthorized purpose, and, for the most serious subsection, that protected or classified information was obtained. The presence or absence of intent to harm, to evade monitoring, or to reach restricted data is what separates a regulatory infraction from a security crime. Innocent or merely careless use, such as a member installing a consumer VPN for privacy without touching protected data, will usually stay in Article 92 or dereliction territory rather than becoming a computer-intrusion offense.
Defenses and mitigating themes
Defense counsel typically attack the elements rather than the technology. Was the regulation lawful, clear, and actually in force at the relevant command? Did the member have the requisite knowledge where knowledge is an element? On Article 123, was there an unauthorized purpose at all, or merely permitted use put to an unremarkable end? Was any protected information actually obtained, altered, or damaged, or is the government inferring harm it cannot prove? Lack of intent, ambiguity in the network policy, and the absence of any compromised data are the recurring themes that hold a case at the regulatory level and keep it from being recast as a security offense.
Bottom line
Yes, unauthorized VPN use on a government system can be charged as a security offense, but only when the facts support it. The default landing spot is Article 92 for violating network regulations. It rises to a computer-security crime under Article 123 when the member acted with an unauthorized purpose and reached, damaged, or denied access to protected or classified information. The more the conduct looks like deliberate evasion of security controls to touch information the member was not entitled to, the more serious the article, and the heavier the burden the government must shoulder. A member under investigation should not assume a VPN is a minor matter; the charge that ultimately appears on the charge sheet depends entirely on intent and on what data was at risk.
Disclaimer
This article is provided strictly for general educational and informational purposes. It is intended to explain how the Uniform Code of Military Justice (UCMJ), the Rules for Courts-Martial, the Military Rules of Evidence, and related military administrative processes work as a matter of public legal education. It does not constitute legal advice, a legal opinion, or a recommendation about any particular case, and it is not a substitute for advice from a qualified military defense attorney who can evaluate the specific facts and command, service, and jurisdictional circumstances involved.
Reading this article, or contacting any website on which it appears, does not create an attorney-client relationship between the reader and any law firm, attorney, or author. Every court-martial, nonjudicial punishment action, administrative separation, and security-clearance matter turns on its own facts, the charged articles, the convening authority, the service branch, and the evidence, and outcomes vary widely from one case to another.
Military law also changes over time. The Military Justice Act of 2016 (effective January 1, 2019) and subsequent National Defense Authorization Acts renumbered and rewrote many punitive articles, revised the Article 32 preliminary hearing, and altered sentencing, clemency, and appellate procedures. Statutes, regulations, executive orders, the Manual for Courts-Martial, and decisions of the service Courts of Criminal Appeals and the Court of Appeals for the Armed Forces may have been amended, superseded, or reinterpreted after this article was written, and article numbers or procedures cited here may have changed.
For these reasons, no reader should act or decline to act based on this content without first consulting a licensed attorney experienced in military justice about their own situation. The author and publisher make no warranty, express or implied, as to the accuracy, completeness, timeliness, or current applicability of the information provided, and disclaim any liability for any action taken or not taken in reliance on it. If you are facing investigation, charges, or an adverse administrative action, time limits may apply, and you should seek qualified counsel promptly.