An 18th-Century War Power Resurfaces in Cyber Policy Talks
As the threat of Chinese cyberattacks on the United States continues to escalate, a centuries-old war power is being considered as a potential solution. Privateering contracts, which were once used to deputize pirate ships to attack enemy vessels, are being discussed as a means to authorize private sector hacking operations against China and other foreign adversaries.
The idea of private companies conducting offensive cyber operations on behalf of the government has been met with skepticism by some experts, who argue that it would be a risky and potentially unproductive approach. "You wouldn't deputize the private sector to conduct a physical war for you, so why would you do that in the cyber domain?" said Jamil Jaffer, executive director of the National Security Institute at George Mason University.
The Government Already Has Offensive Cyber Capabilities
However, officials argue that the government already has offensive cyber capabilities available through Cyber Command and the National Security Agency. "The further you go away from your own system, the more offensive an operation seems," said Jaffer. "There's a lot of things you could do defensively that wouldn't cross that line, but most of those wouldn't require anything like a letter of marque and reprisal."
Officials are considering using these tools against non-state criminal syndicates and hackers, who likely have fewer resources at their disposal. South American gangs and drug cartels have been raised in discussions at DHS and the Defense Department as possible targets to demonstrate offensive hacking capabilities.
Potential Benefits and Risks
Using private companies to conduct cyber operations could potentially provide several benefits, including increased flexibility and speed. "If you're going to send private companies to act as agents of the government in hacking endeavors, you can see how industry companies would want protections," said Chris Cummiskey, a former DHS official.
However, there are also significant risks involved, including the potential for unintended consequences or even catastrophic failure. "You don't want a wholesale Pirates of the Caribbean scenario where companies are out there just doing their own thing and start doing their own approach to things," said Cummiskey.
The National Security Council Weighs In
Alexei Bulazel, top cybersecurity official on the National Security Council, recently said that proposals to expand legal authorities for private-sector hacking had been taken "to the absolute extremes." However, he still supports rethinking how the government responds to cyberattacks.
A Path Forward
Before the government can consider authorizing private companies to conduct cyber operations on behalf of the state, it must first define clear guidelines and regulations. This includes determining where to issue legal protections for firms if they are indeed authorized to offensively hack.
"The federal government can't really help everybody," said Rep. Eric Swalwell of California. "But if we all just know the laws of bullies, if you let them continue to punch you, and you don't punch back, they're only going to continue to take your lunch money."