What Pirates can teach us about Cyberattacks
Pirates have been ravaging trading lanes for hundreds of years. Their actions were so detrimental to the burgeoning American state that they made it into the Constitution. Article One, Section Eight enumerates the powers of Congress; among them are “To define and punish Piracies and Felonies committed on the high Seas, and Offenses against the Law of Nations; To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water;”. These powers seem to have nothing to do with cybersecurity, but some think Letters of Marque and Reprisal should make a comeback.
Letters of Marque and Reprisal have been used for centuries by governments to give private individuals a type of official status to conduct hostilities. From Edward I to James Madison, heads of state signed these letters primarily to deal with pirates or marauding bandits. They basically worked like bounties. Individuals would apply for these letters and receive a very specific set of orders. Those individuals would be allowed to do things that they wouldn’t normally be able to do, such as murder, use weapons of war, etc., in order to catch the bad guys. Once caught, the bad guys, along with their ill-gotten gains, would be hauled in and taken by the state. The good guys, who are generally referred to as privateers, would then get a portion. Famous privateers include Sir Francis Drake and Captain Christopher Newport.
This may appear to have nothing to do with cybersecurity, because a physical document signed by Edward I allowing privateers to fight pirates sounds about as far away from cybersecurity as you can get. However, it relates because this power remains in the Constitution, and last year Lawfare, a blog about all things national security, ran an article about how Congress was looking into flexing its muscles for use in cyberspace. In that article Dave Aitel writes about how, in the right circumstances, this could be a good thing.
“Limited, effective, and restrained use of cyber letters of marque could allow industries to fund their own active defense protection and deterrence efforts, and avoid escalation issues. Perhaps most importantly, it is a solution that can scale to address a current and pressing national security need.”
“Active Defense” is a phrase often used as a substitute for “hacking back”. There are a few reasons to find Aitel’s words and the idea of using letters of marque in this way unconvincing. The first is that Aitel has a bias in favor of hacking back because his company, Immunity, stands to gain financially from a change in American policy. @War by Shane Harris discusses how individuals like Aitel get training and experience within the government before moving into consulting and cashing in on their skills. There is absolutely nothing wrong with making money, but consultants and contractors have an incentive to find ways to grow their influence. This incentive can cause a cyber offensive buildup rather than a defensive one. Brandon Valeriano and Ryan Maness write in their book Cyber War Versus Cyber Realities that, in fact, the threat from cyber warfare is low and that increased buildup and fear-mongering by contractors can lead to more destabilization, not less. So, this whole piece needs to be taken with a grain of salt.
Another reason to disagree with Aitel’s argument is that there are no means to verify that privateers on the cyber seas stay within the bounds of their letter. Back when this power was used against pirates, the privateers were easily monitored because at some point they would have to bring their ship back to port. This meant that they could be inspected for any extracurricular pirating on the side. However, this is almost impossible to do in cyberspace. Files can be hidden on storage drives in different countries, and once a back door is created in a system, it can always be returned to.
One of the reasons letters of marque were used in the first place was that states did not always have the manpower or willpower to fight every small pirate. In the cyber world, the US government has one of the largest computer networks in the world. It has the power to attack and defend but not always the techniques or research necessary to stay on the cutting edge. This means that privateers would be relied upon more in these areas, i.e. contracting with the feds to give technical assistance as needed.
Heather Roff wrote in Duck of Minerva that
“by legalizing such a practice, it may open up those states to countermeasures by other states. Given that most of the Internet traffic goes through the United States (US), that means that many “attributable” attacks will look like they are coming from the US. This in turn means that many states would then have reason to cyber attack the US, thereby increasing and not decreasing the likelihood of cyberwar.”
One of the major issues with cyberwarfare as it is currently understood is that it lacks a firm set of norms. This makes any action exceptionally risky because it could be used as a basis for creating new norms. This is a similar limiting principle to the use of nuclear weapons. The US did not continue using them because by doing so, it would allow others to do the same thing. Aitel does not take that into account in his article. This makes sense because America is already one of the most targeted states in terms of cyber attacks. However, most of those attacks don’t come with the moral authority which could exist if the norm is to hack back.
Letters of Marque and Reprisal would hem the US into a criminal justice or defensive framework of looking at cybersecurity. This can be helpful because hackers are crooks and cyberwarfare can be useful on the battlefield, but it can also cause issues with some of our trading partners (i.e. China). Other frames of reference could be based around epidemiology or environmental protection, which could lower the temperature on all sides and keep us protected. The US continues to try to leave every route open. The current administration is not in the business of creating new international norms and so will have difficulty moving in any direction in this debate. So, although it may be an interesting thought experiment for constitutional lawyers, Congress won’t be using this power anytime soon.
