Cyber Privateering: A Risky Policy Choice for the United States
Privateering in information security is back in fashion. This is not the first time: In 2006, Michael Tanji diagnosed parallels between cyberspace and the loosely governed sea in the 17th century and explored privateering as a policy solution.
Published by The Lawfare Institute
in Cooperation With
Privateering in information security is back in fashion. This is not the first time: In 2006, Michael Tanji diagnosed parallels between cyberspace and the loosely governed sea in the 17th century and explored privateering as a policy solution. In 2013, Halvar Flake gave a keynote, analogizing the development of the hacking community in the 1990s and 2000s with the development of navies in the 16th and 17th century. His focus was mainly on identifying similarities, not advocating policy. And earlier this year, Dave Aitel brought up the issue here on Lawfare and advocated for resurrecting privateering in cyberspace. Although I agree that the analogies are striking, the risks of adopting 17th century policy in today’s environment are underappreciated. There are many risks, but the following three stand out: an increased risk of unnecessary escalation, the potential for reprisal, and the setting of an international norm that is, for the United States, strategically undesirable.
Increased Risk of Unnecessary Escalation
We must first identify what we want to achieve with the proposed policy solution. Despite claims of the targeted nature of letters of marque, historically these mostly allowed an aggrieved merchant to attack a broad category of targets based on the nationality of the other ships. How does this logic come to bear in cybersecurity? Chinese citizens conducting industrial espionage, as witnessed up to 2015, may be adequately captured by the analogy. Parts of the Russian-speaking cyber criminal underground may also qualify under a similar logic. However, U.S. policy advocates usually adopt a narrower definition for actions taken under the U.S. flag. For example, Aitel argues for restricting U.S. privateering to gathering evidence about suffered breaches; the idea is that this broadens offensive authorities only to the extent necessary to conduct private sector attribution. And this would come with strict governmental oversight and controls.
Historically, however, privateers were hard to control. They regularly overstepped their commissions, especially when it was in the interest of their sponsors’ government.
Think of Corporation A in a country being authorized to investigate Corporation X in another country. Corporation A may just find it convenient to profit from information found about Corporation Y during the investigation authorized against Corporation X. Will the strict controls applied to privateers hold? Maybe in societies with a strong separation of powers and a tradition of checks and balances. But in other countries, where power is not kept as much in check, probably not.
Even if we assume, for the sake of argument, that the U.S. private sector could perform cyber operations with the same level of care as governmental agencies (assuming that these agencies are careful) and stipulate that their corporate sponsors weigh the potential blowback carefully against their business interests, in such case privateers still constitute a means of engaging in conflict and potentially warfare. Which countries should the United States be willing to issue privateering licenses against? We can be sure that such licensing will be seen as a hostile act.
In addition, once the private sector engages in these limited offensive operations, at some point they may be discovered. A foreign government will be informed that part of their supply chain suffered an intrusion. Will the targets recognize the attackers and their intentions? A capable adversary may trace the attack back to the United States. Distinguishing between a contractor working for a corporate partner for evidence-gathering and one working for the U.S. government will be hard. This can be an advantage for a state that intends to use proxies regularly. However, as this policy would further cloud the U.S. government’s intent, it would compound problems for cyber defense. Given the possibility of a worst-case analysis by the defender, privateering magnifies the risk of unintentionally setting off an escalatory spiral.
Potential for Reprisal
Intentionally breaching foreign domestic law brings risks upon the privateers, their corporate sponsors, and, if done at scale, the U.S. government. Under such domestic law, the injured party may have a legitimate criminal case to pursue in court. The full range of consequences for people engaging in privateering, and potentially their sponsors, are unclear, but among other things, we might expect some restrictions on their ability to engage in international travel, unless they are willing to stand trial abroad.
But there are further countermeasures that might be taken against privateers: reprisals. The injured party could appeal to their own government to seek retribution. Aitel pointed this out in his post: “We must be comfortable having whatever legal framework we adopt apply to American companies reciprocally by foreign parties.” This point is crucial. Are we prepared to legitimate intrusions sponsored by other countries’ companies? Remember, the United States will not be the arbiter of whether their claims are legitimate. Furthermore, retribution may not be restricted to cyberspace. Rather, having sponsored a cyber attack, company assets residing in the country that got attacked may suddenly be exposed to legal risk abroad. Other countries may also choose to broaden the narrow definition of whom to take reprisal against. After all, privateering was a tool to seek redress against harm suffered by another national. What restricts a foreign power to take a more expansive definition of privateering?
Privateering is a Strategically Unwise Norm for the United States to Set
Once we establish privateering as a legitimate course of action in the cyber realm, the question then arises: who profits most from such a regime? Historically, privateering was the policy tool of the challengers, not the incumbent great power. The power with the largest trade interests had the most to lose. By the end of the 18th century, when Britain became the dominant naval and trading power, it was France and the United States that relied heavily on privateers. Britain took the threat of U.S. privateering so seriously that it struck a deal with most other naval powers to abolish privateering in 1865. England’s Prime Minister Lord Palmerston summed the logic up as follows:
Privateering is a Practice most inconvenient to the Power which has the largest number of merchant men at sea, and the least useful to the Power which has the largest War Navy. England is that Power and we should therefore willingly agree to abolish that Practice in regard to all Powers which would enter into the same Engagement towards us. (Lemnitzer 2014)
While I do not think that the United States is in the same dominant position of Britain in the 19th century, U.S. policymakers would be wise to take Palmerston’s analysis to heart.