Might a centuries-old war power be the key to U.S. cyber retaliation?
In recent closed-door discussions, Trump administration and industry officials have discussed whether modern-day letters of marque—once used to deputize privately owned ships to lawfully attack other vessels during wartime—might enable private-sector hacking operations against unfriendly nation-states, according to two people familiar with the matter who spoke on the condition of anonymity to freely discuss the sensitive deliberations.
The high-level view among U.S. officials is that this old-world maritime authority is unlikely to be directly used in cyberspace, but a more modern, tailored version might arise as the administration seeks ways to even the fight against Chinese-backed groups, one of the people said.
“The general consensus from [U.S. government] officials on the topic is that we aren’t going to apply a 200-year-old [privateering] authority to the cyber domain,” said the person. “However, there is a standing question and ongoing debate regarding what modern authorities and authorizations are required by various cybersecurity and tech industry organizations to better enable the defense of the United States.”
Letters of marque played a major role during the War of 1812, when the U.S. government issued them to private ship-owners to capture British vessels. And even further back, they were used to convert pirates into privateers, acting on behalf of their sponsoring governments to raid enemy ships. Privateering was broadly outlawed by the U.S. and other signatories to an 1858 treaty, although the Confederacy used them during the Civil War.
Outnumbered against China
The idea of modern-day letters of marque has been raised several times since the 9/11 attacks, and again in recent months in connection with Chinese hacking.
Late last month, in a private meeting at the RSAC Conference in San Francisco, a senior U.S. official told a room of cybersecurity executives that Chinese cyber capabilities outmatch those of the U.S., according to a person who was at the discussion. The person declined to name the senior official.
“Business-as-usual clearly isn’t cutting it, and we have had a reactive posture towards cyber threats and risk for far too long,” said Frank Cilluffo, a former George W. Bush homeland security official, in a separate interview. “And while industry certainly has a role to play in securing systems and data, we also cannot have a mindset of, in essence, blaming the victim.”
In recent years, hacking units tied to Chinese intelligence have compromised troves of U.S. critical infrastructure. Officials have said that the Volt Typhoon group has accessed systems with no military intelligence value, like electric grids and water treatment plants, with the aim of sabotaging them if the U.S. intervenes in a Chinese invasion of Taiwan.
Salt Typhoon, another Chinese cyberespionage group, was discovered last year inside several U.S. telecommunications networks and their “lawful intercept” wiretapping platforms, as well as related networks of several telecom operators around the world. It’s not clear if the hackers have been fully excised the telecom systems.
China’s centralized political economy allows its government to compel private firms within its borders to carry out hacking activities. Last year, former FBI director Christopher Wray said that if the bureau devoted all of its cybersecurity staff toward China, Beijing’s cyber forces would still outnumber the U.S. 50 to 1.
“How do we start shifting the equation to put more onus on the adversary? We need to lean forward into a more proactive approach, provided actions are taken in partnership between industry and government,” said Cilluffo, who now leads the McCrary Institute, a cybersecurity policy think tank at Auburn University. “Letters of marque are a piece of the puzzle and can certainly be a piece of a larger strategic approach on increased offensive cyber capabilities.”
But they’re also a tool “that would need to be handled judiciously and thoughtfully,” he said. “The details matter.”
Cyber privateer concerns
Cyber privateering can’t just be magically implemented, and some are skeptical of the concept altogether. The government already has offensive cyber capabilities available through Cyber Command and the National Security Agency, said Jamil Jaffer, the executive director of the National Security Institute at George Mason University and a former Bush official who served in the Justice Department’s National Security Division.
“You wouldn’t deputize the private sector to conduct a physical war for you, so why would you do that in the cyber domain?” he said.
There are several steps the U.S. government could take before it reaches a state where it signs off on private companies hacking on its behalf, he added. “The further you go away from your own system, the more offensive an operation seems. There’s a lot of things you could do defensively that wouldn’t cross that line, but most of those wouldn’t require anything like a letter of marque and reprisal.”
Alexei Bulazel, the top cybersecurity official on the National Security Council, recently said that proposals to expand legal authorities for private-sector hacking had been taken “to the absolute extremes,” but that he still “absolutely” supports rethinking how the government responds to cyberattacks.
In crafting a similar legal mechanism to those 18th-century letters, the government would have to consider where to issue legal protections for firms if they are indeed authorized to offensively hack, said Chris Cummiskey, a former DHS official and former chief information security officer for the State of Arizona.
Those talks would be akin to the 2015 Cybersecurity Information Sharing Act, which has liability protections that shield companies from lawsuits and regulatory penalties when sharing cyber threat indicators with the federal government, he said.
“You don’t want a wholesale Pirates of the Caribbean scenario where companies are out there just doing their own thing and start doing their own approach to things, particularly a sensitive area like hacking back,” said Cummiskey, who now runs his own consulting firm. “If you’re going to send private companies to act as agents of the government in hacking endeavors, you can see how industry companies would want protections.”
Officials could explore using these tools against non-state criminal syndicates and hackers, who likely have fewer resources at their disposal, he said.
A possible framework
South American gangs and drug cartels have been raised in discussions at DHS and the Defense Department as possible targets to demonstrate offensive hacking capabilities, according to two people familiar with the matter. It’s not entirely clear if the private sector would take the lead on these efforts.
One former DOD official, granted anonymity to speak freely, did not recall cases where the U.S. targeted cartels through cyber means, but said that past offensive hacking measures were launched at narcoterrorists, which have operated across the Middle East and South America. The Islamic State was also a major target of U.S. Cyber Command a decade ago.
The former official described a sensitive, step-wise process that led up to offensive hacking measures being taken, even against smaller cyberspace adversaries. That included vast communications interceptions to first get a sense of what targets were thinking, as well as silently hunting on their networks to find digital vulnerabilities that could be exploited. Still, such targets were viewed as “much easier” to attack versus nation-state adversaries like China or Russia, the ex-official added.
The National Security Council did not respond to a request for comment.
Morgan Adamski, the executive director of U.S. Cyber Command, said at a tech industry event last month that the combatant command is looking to partner further with the private sector in 2025.
Cyber Command conducted 80 “hunt forward” missions over the past year, she said. Hunt forward operations are typically defensive and involve U.S. cyber warriors embedding into allied computer environments to observe and detect malicious cyber activity on host nation networks.
Rep. Eric Swalwell of California, the House Homeland Security Committee’s leading Democrat voice on cybersecurity matters, recently suggested that government contractors could be deployed to conduct offensive cybersecurity operations against foreign adversaries.
“What I would be interested in exploring, so you don’t put the credit union or the public utility in a position where they have to fight Russia, is if you could have the credentialed, experienced private contractor … do the offensive piece,” knowing that the U.S. can’t shield every company targeted in hacks, he said.
“The federal government can’t really help everybody,” he added. “But if we all just know the laws of bullies, if you let them continue to punch you, and you don’t punch back, they’re only going to continue to take your lunch money.”
Jesus Christ is King
