“There are only two types of companies: those that have been hacked and those that will be.”
—Robert Mueller, then–Director, Federal Bureau of Investigation
“The Congress shall have Power . . . to declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water.”
—U.S. Constitution, Article I, Sec. 8
Congress is once again considering the Active Cyber Defense Certainty Act, which would permit private sector cyber “hack backs,” something critics consider “the worst idea in cyber security.” The bill would authorize private companies to engage in active cyber defense by venturing into an attacker’s network space—hacking back. Opponents argue this would create a cyber Wild West, but an underground community of cyber firms that engage in this type of activity already exists. Passing the Active Cyber Defense Certainty Act would therefore legitimize actions already taking place and empower cyber security firms to better protect their clients. Lawmakers should reduce the risk of such authority by employing a vehicle established by the U.S. Constitution in article I, section 8, clause 11: Letters of Marque and Reprisal.
A letter of marque authorizes private parties to engage in conduct that, absent the letter, would legally be piracy. Used extensively during the War of 1812, these letters allowed privateers to capture British merchant ships, leveraging private sector efforts in a controlled manner. Cyber letters of marque could provide a safe, reliable vehicle to empower private sector hack backs.
During the War of 1812, armed privateering vessels were dispersed along the eastern seaboard and quickly deployed to conduct merchant vessel seizures. Privateering vessels were compensated by the sale of the captured ships and cargoes—prizes. They were operationally restricted by limitations laid out in their specific letters, which included the privateers’ authorized level of force and their geographic restrictions. If privateers violated the restrictions, they were legally bound to make reparations to the victims. President James Madison understood the operational effectiveness of letters of marque: The letters were primarily issued to combat British merchant vessels that would not fight back with heavy naval weaponry. Large-scale naval combat with enemy ships-of-war was reserved for U.S. naval forces. In this way, letters of marque proved successful when employed in a thoughtful, organized manner.
From Blue Water to Cyber Space
In the face of rising cyber threats, the United States has established government-led cyber incident response through the Cybersecurity and Infrastructure Security Agency (CISA), an organization under the Department of Homeland Security (DHS) that provides “comprehensive cyber protection” for critical infrastructure. While CISA responds to attacks that pose grave national security threats, noncritical private companies do not qualify for CISA’s immediate aid when they are hacked. These noncritical companies may hire their own cyber security firms, but those firms’ services are legally limited by the Computer Fraud and Abuse Act (CFAA) of 1986 to purely defensive operations inside the client’s own networks. As Representative Tom Graves (R-Ga.) pushes for passage of the Active Cyber Defense Certainty Act, he questions what options these noncritical companies have: “Where do they turn—Can they call 911? What do they do?” U.S. companies need the ability to react to cyber attacks quickly, without waiting for government to respond. Cyber letters of marque would authorize private cyber firms to conduct “active defense” operations—taking the fight to the enemy—to protect U.S. business and industry and strengthen the country’s overall cyber posture.
How They Could Work
Imagine a Wall Street bank suspecting it has been hacked. The bank hires a cyber security firm to provide both traditional, reactive network defense and active cyber defense to hack back when necessary. The cyber security firm would receive a Cyber Letter of Marque only after passing the required investigations and accreditation. The Cyber Letter of Marque would set restrictions on any hack back operation to ensure the response is proportionate and directed only at the attacker. Until an attack occurs, the cyber security firm would engage in local defense, within the bank’s own systems only. If defensive measures fail and the bank is hacked, the cyber security firm would invoke its standing Cyber Letter of Marque to conduct a hack back operation against the aggressor. The goals of the hack back would be first to stop the attacker’s ongoing exploits and then to degrade the attacker’s infrastructure. This degradation would impose a cost, to dissuade the attacker from further malicious activity. The information gleaned from the hack back operation would be reported to the Department of Homeland Security to support public-private data sharing and improve the U.S. cyber security posture. As soon as the hack back operation is complete and its goals are accomplished, the authority under the standing Cyber Letter of Marque to hack back would expire. The cyber security firm would return to conducting purely defensive work for the bank, at least until the next qualifying attack occurs.
Legitimize Current (Illegal) Operations
Private hack-back authority may seem careless and risky—but private companies already engage in hack-back operations. Cyber security firms are legally bound by the CFAA, which prohibits a user from “knowingly [accessing] a computer without authorization.” But some firms do not let the CFAA hinder their operations when working to protect their clients. In “The Digital Vigilantes Who Hack Back,” Nick Schmidle dives into the underground community of cyber security executives who test the limits of fighting back against adversaries.
Among others, the article tells the story of Shawn Carpenter, a former employee of Sandia National Laboratories, who in 2003 created “honeypots”—decoy documents meant to entice hackers—to trap Chinese cyber criminals meddling on Lockheed Martin systems. Carpenter took the initiative to crack the case and pioneered a movement of private sector active cyber defense. Throughout his project to pinpoint the hackers on Lockheed systems, Carpenter was not motivated by financial incentives but rather wanted to quickly neutralize the hackers when no one else would. Many others have bent the rules to keep their clients’ networks safe when the government could not react quickly enough.
The attackers clearly do not abide by the CFAA. Rep. Graves succinctly explains the current state of affairs in U.S. cyber space: “We love it when people say, ‘This would only create the Wild West.’ The Wild West currently exists! We’re only asking for a neighborhood watch.” U.S. cyberspace operates in a grey zone between legal and illegal actions that threaten national security. Thus, the Active Cyber Defense Certainty Act would legitimize the under-the-table operations that occur every day. Cyber Letters of Marque would at least give Congress a tool to ensure hack back operations are supervised and conducted safely and responsibly. According to Stephen Orr, a Cyber Science professor at the U.S. Naval Academy, many adversaries will “only respond to strength, thereby serving as an impetus for the U.S. to act more aggressively in cyberspace.” Stewart Baker, a former general counsel at the National Security Agency, told author Schmidle, “Hacking is a crime problem and a war problem. You solve those problems by finding hackers and punishing them. When they feel their profession isn’t safe, they’ll do it less.”
Not everyone thinks allowing companies to defend themselves actively is appropriate. Rick Ledgett, former NSA deputy director, told Schmidle that allowing private sector hack backs would be “an epically stupid idea.” Critics of the Active Cyber Defense Certainty Act argue that allowing private cyber companies to hack back may lead to chaos and uncontrollable escalation. If a firm operating under a Cyber Letter of Marque does not follow the letter’s restrictions—or accidentally hacks the wrong entity—the United States runs the risk of initiating unwanted cyber conflict. According to Cyberscoop, Justin Fier of Darktrace warns that “cyber crossfire” is a real possibility given the ease with which false flag operations can obfuscate an attacker’s identity. In addition, Cyberscoop reports that the Federal Bureau of Investigation does not support this system because private cyber companies cannot be trusted to properly conduct hack back operations.
While Cyber Letters of Marque would ensure that participating cyber firms operate within legal restrictions and understand the consequences of unauthorized actions, misattribution and collateral damage remain possible whenever a cyber firm crosses over into adversary network space, not least because the infrastructure an attacker uses is often a compromised third party’s rather than the attacker’s own.
The Way Forward
Lawmakers have two options. The first is to maintain the status quo and permit only government agencies to conduct active cyber defense—however overburdened they may be. This leaves U.S. companies unable to respond to attacks beyond their own network perimeter. The second is to take the leap into the next era of active cyber defense. Cyber Letters of Marque would allow the United States to pioneer a new wave of public-private cyber collaboration under government supervision and authority. They would revolutionize the way companies deal with these inevitable hacks.
Author’s note: The author wishes to thank Ensigns Eric Roque-Jackson, Hank Secrist, and Addi Williams for their research contributions to this article.