DIGITAL LETTERS OF MARQUE – THE SOLUTION TO CYBER PIRACY
Among the specific enumerated powers that Article 1, Section 8 of the Constitution gives Congress is Clause 11: “to grant Letters of Marque and Reprisal,” essentially licenses authorizing private parties to wage war on the government’s behalf.
Congress issued letters of marque liberally until the end of the War of 1812, and they were particularly useful during the First Barbary War (1801-05). The fledgling U.S. fleet of six frigates couldn’t stem piracy alone. Letters of marque enlisted U.S. merchantmen as far away as the Mediterranean, where Barbary states often provided pirate ships with safe harbor.
In the typical 19th-century use, Congress issued letters of marque to schooners and sloops, giving their operators the authority to sink or capture pirate ships by force.
The Resolute was the first and only privately owned U.S. craft to operate under a letter of marque since then. The blimp was flown by a civilian crew out of Los Angeles. If letters of marque could be adapted for flying machines, why not computing machines? Why can’t letters of marque be used to blow hackers out of the digital water?
Recent destructive hacks have proved that federal action alone can’t protect the cyber infrastructure. The time has come to grant letters of marque to enlist and arm private corporations to defend their interests and America’s.
Today’s pirates sail the cyber seas searching for loot, by ransom or theft. Like their 19th-century maritime counterparts, they respect no sovereignty and disrupt commerce and daily life. This weekend’s Colonial Pipeline hack and the recent SolarWinds attack demonstrate the growing danger and sophistication of such assaults. Like the Barbary pirates, hackers frequently receive haven or direct support from hostile states like Russia or China.
Hackers routinely exploit private corporations as an entry point to lucrative private assets or national-security vulnerabilities. The SolarWinds hackers launched attacks from systems run by Microsoft and Amazon. The National Security Agency, which has primary responsibility for protecting cyberspace, is legally barred from monitoring and collecting intelligence from U.S. entities.
Tom Burt, Microsoft’s vice president for security, told the Wall Street Journal in March: “This is a sophisticated actor that apparently took time to research legal authority. It knew that by operating from servers in the United States, it could evade some of the U.S. government’s best threat hunters.”
Corporate threat hunters could fill the gap, acting as cyber scouts in support of the government’s efforts. But that comes with risk: Equifax, Home Depot and Uber have each paid more than $100 million in fines and settlements due to hacker-breached customer data.
Numerous lawsuits remain unresolved; in a typical case, Walmart faced a suit alleging a breach of the California Consumer Privacy Act because hackers illegally harvested private consumer data. The judge ruled in the company’s favor, but only because the hack predated the law.
Corporations have financial incentives to protect their data; what they lack is incentives to cooperate with the NSA and to report data breaches to the government in a timely manner. Security journalist Dan Swinhoe reports that hacking has cost companies nearly $1.3 billion.
Cognizant of dangers to their bottom line, corporations hire cyber defense specialists. But when their measures prove insufficient against ever more skilled and avaricious hackers, companies freeze.
Fearful of litigation, bad publicity and punitive regulation, they delay reporting until they know the extent of the problem. That reduces the company’s risk of exposure at the cost of exacerbating the national-security threat.
When a kidnapper makes a ransom demand, the best approach is to notify law enforcement quickly. Similarly, the best way to limit the damage of hacker breaches is for the target to share information quickly with the government—in this case, the NSA.
That’s where letters of marque come in.
Historically, such letters provided financial incentives to overcome fear and inaction in the face of dangerous outcomes and national need. On the high seas, they assured standing and rights in admiralty courts that awarded “prize money” when pirate ships were sunk or captured.
Cyber letters of marque could establish incentives for timely information sharing and ensure that companies have the freedom to defend themselves.
A company targeted by hackers would apply to Congress, which would grant a letter of marque providing limited immunity from regulatory action when breaches and activities are spotted early and shared expeditiously with U.S. agencies.
And while corporations should take all measures necessary to make consumers whole when they are breached, Congress could also provide limited protection from punitive lawsuits for companies that meet accepted standards of cyber defense, provide early reporting, and take robust defensive measures against their hackers.
We haven’t had a cyber Pearl Harbor, but today’s threat from hackers could become as dangerous as enemy submarines. Congress should rally behind a nonpartisan initiative and begin issuing letters of marque now.
Enlist private corporations to serve as our cyber scouts just as the Resolute searched for hidden dangers in an earlier time of global upheaval and uncertainty.
US Army MajGen (ret) Thomas Ayres served as general counsel to the U.S. Air and Space Forces, 2018-21.