Rebooting Letters of Marque for Private Sector, Active Cyber Defense

The views expressed in this paper are those of the author and do not reflect the official policy or position of the 780th Military Intelligence Brigade, U.S. Intelligence and Security Command, Department of the Army, Department of the Navy, Department of Defense, or the U.S. Government.

Letters of Marque for Private Sector Cyber Defense

Cyber assaults on U.S. Corporations will continue to increase until the United States articulates an enabling policy for the private sector to protect themselves by increasing costs to the hacker. The Center for Strategic and International Studies recently estimated cybercrime and espionage have caused $600 billion dollars worth of damages. U.S. Corporations are under cyber siege 24 hours a day in a “…borderless war that has impacted business across the world….” On a daily basis, hackers target businesses and individuals to steal data or damage digital systems. In many cases, hostile foreign powers directly sponsor or otherwise enable the attackers. “In recent years, some foreign countries appear to have begun to operate in close cooperation with cyber criminals, and the dividing line between where a criminal enterprise ends and where a nation state begins can often be difficult to determine.” Collectively these actors have virtually no consequence when attacking or attempting to attack private enterprise as all American private enterprise can do is lock the doors and hope for the best. Adding to the volume and complexity is the low cost of entry and lack of geographical boundaries.

Our adversaries, both nation state and criminal, have discovered that conducting offensive cyber operations against the United States in the “gray zone” has incapacitated the United States. The gray zone creates an ambiguous security and legal environment. The gray zone permits nation states and their bad actor proxies to conduct unprecedented theft of intellectual property and personal information for illegal gain. While the reputation of the United States to defend itself from military aggressors is undeniable, we have yet to demonstrate our resolve and will to do so in cyber-space. As a result, nation states and criminals occupy the gray zone and dominate, we have; “…failed to keep pace with the threat.” Nation states in particular have used the gray zone to “…pursue their objectives while reducing the risk of triggering open warfare.”

In 2017, the average time for an intruder after entry to begin moving laterally to other systems in the network averaged 1 hour and 58 minutes. Because of the speed at which a hack takes place, law enforcement cannot respond to an attack after it begins; only the victim has time to respond. Speed of relevance is critical to combating cyber-attacks. Businesses that come under cyber-attack have few legal or technical options beyond monitoring its network, fixing broken systems, and moving on. “…[U]nder U.S. domestic law, a private victim of a cyber-attack possesses a limited array of potential cyber responses. Digital self-defense, such as “hacking back,” takes many forms from simply tracing an attack to identifying the culprit to damaging the hacker’s machine. However, the same laws that prohibit hacking in the first place—such as the Computer Fraud and Abuse Act (enacted in 1986)—also prevent a company from striking back at maliciously motivated hackers.”

A recent proposal to modify the criminal statute only makes some aspects of hacking back a “defense” to criminal prosecution. A defense to prosecution does not prevent the matter going to a criminal trial. As a result, a hacking victim engaged in defensive actions could be prosecuted by cyber ignorant prosecutors and forced to hire uniquely qualified defense counsel at extraordinary costs. The proposed statutory modification also fails to address the potential for liability. Network and internet providers whose infrastructure was used to hack back might claim damages against the hacking victim who navigated those systems to engage in defensive actions. Since the proposed statutory modification does not mitigate serious risks, costly litigation, and tort liability to the private sector any participation is doubtful.

Similarly, U.S. Statutes providing for federal criminal charges for hacking are not effective against international hackers. A detailed search found a deficient number of foreign cyber prosecutions by the Department of Justice in 2015 through 2017. Moreover, no agency within the U.S. has principal responsibility for cyber security on behalf of U.S. Corporations. Recently, the Department of Homeland Security was given additional funding and authority to coordinate with local, state, tribal, and territorial governments on security initiatives, while working to reduce and eliminate threats to critical infrastructure. However, this new authority still leaves private sector not deemed critical infrastructure vulnerable. Finally, high costs and questionable effectiveness prohibit building of a cyber police force by the U.S. Government to protect the private sector. The Department of Defense provides cyber support to its industrial base under 32 C.F.R. 236. “The Pentagon reports more than 10 million efforts at intrusion each day.” In 2015 Senator Angus King complained during a Senate hearing: “We are in the cyber war with our hands tied behind our back. We would never build a destroyer without guns … you cannot defend, defend, defend, defend and never punch back.”

Imagine, one evening you are home with your loved ones and you hear your back door rattling. You go to investigate and you see an unknown “hacker” deliberately attempting to get in. You pick up your phone and call 911, but the operator tells you, sorry but we don’t protect you from cyber intrusions. You hang up your phone and you hear a different noise at your window. When you investigate you see another hacker diligently working to gain entry. As you look to see the progress of the masked person at your back door, you hear a noise coming from your fireplace and it is not Christmas Eve. This silly hypothetical should give you a brief sensation of what it is like to own a cyber network under persistent attack. If bad actors do steal valuable or sensitive data, victims will attempt to hold the custodian responsible under some tort theory of liability. If you believe this is the concern of some big corporation, remember your photos, medical, and other sensitive data are contained on those servers under unrelenting attack.

Despite unrelenting attacks, endless data breaches, and data use abuses by social media and search engines, the internet has changed the world. Web-connected devices provide access to instantaneous, unfiltered, global information. Even those in information hostile-nations are supported by information freedom fighters who develop tools, tactics, and techniques to aid them in overcoming government restrictions on information. Not only has the internet contributed to the democratization of information, it also contributes to everyone’s bottom line. It is estimated the internet contributed four trillion dollars to the world economy in 2016. With informational and economic successes “…more than 20 billion devices are forecast to be connected, by 2020.”

The Internet Infrastructure

The internet infrastructure is comprised of multiple redundant interconnected digital networks owned by numerous companies and governments. In the United States, AT&T, CenturyLink, Cogent, Level 3, Sprint, and Verizon own the bulk of the U.S. internet infrastructure (backbone). These companies provide bulk service to Internet Service Providers (ISP) or to customers directly.

To assist with the discussions this article provides an oversimplified map of how the internet works. As previously stated, the internet consists of large infrastructure owners who deliver long-haul digital routes for data flowing from and to different internet service providers who in turn deliver the data packets to end users. Because this process involves several hand-off points, no one internet operator or end user can see the entire transmission of data. Since the majority of data is legitimate, defenders have to be able to distinguish the bad data from the good in a never-ending stream of data that on its face appears legitimate.

Imagine looking at live images from a traffic cam of a particular stretch of road during rush hour traffic near a major city. There are thousands of cars (data) on the freeway (backbone infrastructure), some cars exit onto large local roads, (internet service providers (ISP), while some cars continue on the freeway out of the camera’s view (data transfer to another backbone provider). In both cases, the backbone provider does not know what happens with the data once it exits its freeway or leaves its backbone boundary. That backbone provider knows the data came from X and went to Y. Neither points may be originations or final destinations making distinction, and, more fundamentally, tracking very difficult, all while happening at the speed of light. Returning to the traffic cam some cars that exited to large local roads controlled by ISPs now exit into large parking garages, (server farms or corporate networks), and finally, some cars drive into private garages, (cyber citizens). In this case, the ISP does not know what happens to the data once it enters the server farm or cyber citizen device. The ISP knows the data came from X and went to Y. Unlike with someone watching the traffic cam, ISP providers may not readily be able to know where the data originated other than the immediate backbone provider it exited. The ISP would have to contact the backbone provider to see where that data entered that backbone. Similarly, the large corporate end users or server farms can’t see past its ISP. Despite the interconnected aspect of the internet the hand-offs create knowledge gaps that bad actors exploit, and there is no corresponding mechanism or statute currently in force to attempt to mitigate or deter bad actors.

Letter of Marque

United States Constitution: Article I, Section 8, Clause 11 in the United States Constitution states: “The Congress shall have Power … To …, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water;”

A Letter of Marque is a government license authorizing a private person or entity to take an action on behalf of the issuing government, which could include permission to cross an international border, and in some cases after review by a court transfer title of the goods captured to the license holder as a “prize.”

Historically, to request a Letter of Marque, a ship-owner would apply stating the name, description, tonnage, and force (armaments) of the vessel, the name and residence of the owner, and the intended number of crew, and tendered a bond promising strict observance of the country’s laws, treaties, and of international laws and customs. The commission was granted to the vessel, not to its captain, often for a limited time or specified area, and stated the enemy upon whom attacks were permitted. For instance, during the Second Barbary War President James Madison authorized a brig named the Grand Turk to cruise against Algerian vessels, “…public or private, goods and effects, of or belonging to the Dey of Algiers”. The East India Company (a British Company) arranged for letters of marque so that, should they have the opportunity to take a prize, they could do so without being guilty of piracy. However, the United States has not issued a letter of marque since the War of 1812. Interestingly, from December 1941 until 1942, Goodyear’s commercial L class blimp Resolute operating out of Moffett Field in Sunnyvale, California, flew anti-submarine patrols. As the civilian crew was armed with a rifle, many believed this made the ship a privateer, and that she and sister commercial blimps were operated under letter of marque until the U.S. Navy took over this patrol.

Cyber Letter of Marque

A 21st century Cyber Letter of Marque would not grant U.S. Corporations (private entities whether public or privately held) the right to capture a prize. However, a Cyber Letter of Marque would permit the right of self-defense outside of a corporation’s network borders. Currently, U.S. Corporations protect and defend their network only after penetration by the bad actor – not the preferred position for defense. The strategic advantage and likelihood for success have clearly passed to the bad actor. A Cyber Letter of Marque would permit (vetted, trained, and bonded) American businesses to watch outside its network to look for pre-attack indicators and when attacked respond beyond the network borders. A cyber letter of marque provides a mechanism to facilitate a more robust and effective cyber defense for U.S. Corporations.

Given the inherent complexity of detecting nefarious cyber activities, no one specific level of internet provider or corporate user can singlehandedly deploy a Cyber Letter of Marque. Combating cyber threats requires custom-tailored Cyber Letters of Marque with applicable authorities specific to the unique response possibilities for each entity involved in the transfer of internet data to respond and repel attacks and determine origin. Cyber Letter of Marque authorities would be tailored to each recipient and only after careful consideration of the strategic consequences and capabilities of the Cyber Letter of Marque holder. Robust communications between the layers of internet operators, and corporate end users, with unique authorities at each layer create opportunities for collective cyber response actions and reduce the unchallenged volume of cyber intrusions and attempted intrusions before an attack gains momentum.

However, just giving U.S. Corporations expanded authorities will not solve the relentless volume of hackers. Nor can a sole government solution protect everyone on the internet. A whole of Nation solution is required. Department of Homeland Security (DHS): National Cyber Security and Communications Integration Center (NCCIC), “[s]trives for a safer, strong Internet for all Americans by responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world.” However, “major incidents” are not the norm. Gray zone cyber incidents are the norm and providing measurable success for our adversaries and billions of dollars in domestic damages. DHS announced a new center to be known as the National Risk Management Center and will provide a centralized home where firms (likely critical infrastructure) can turn for cybersecurity solutions. A cyber drill dubbed “Jack Voltaic 2.0” was conducted in Houston, Texas in July 2018. The exercise demonstrated gaps in operational and legal authorities. The Chief Technology Officer at the Houston Police Department said: “The assumption is that [the Department of Homeland Security] will be there, but that’s not entirely the case.” Readiness teams sent by the DHS National Cybersecurity and National Communications Integration Center, “…can give advice, but not a lot.” Bell said. If Cyber Letter of Marque holders are to be truly successful and change the paradigm of the gray zone, both private sector and government need to establish persistent/enduring approach to countering gray zone cyber incidents. By expanding the National Risk Management Center to support Cyber Letter of Marque holders in a Cyber Fusion Center, connects stakeholders in real time facilitating synchronization of efforts and effects.

Liaisons: Private sector participants issued a Cyber Letter of Marque will assign cleared representatives who will be physically located in a Cyber Fusion Center as liaisons who have instantaneous reach back with the Corporate Network Operations Team. Similarly, Tier Three (discussed below) Federal Agencies and other relevant Federal and State Agencies will also have liaisons with reach back capabilities to Law Enforcement and U.S. Military cyber operators and other government resources. Co-locating representatives permits real time connection to the whole of Government with the private sector. Now when gray zone cyber incidents are initially detected, all relevant parties are seeing the response action in real time. Participating members of the Intelligence Community and Law Enforcement will inject relevant information that could facilitate the response action. If the attack is multi-pronged, other relevant agencies and private sector participants response time is significantly reduced. The whole government and private sector cannot effectively work together after a cyber incident has started. However, if private sector and relevant government agencies work together in a fusion center 24/7/365 and participate in joint exercises to test workflows, then a truly efficient nexus can be created to rebuff gray zone attacks.

International Treaty

Paris Declaration: In 1856, Britain, France, and other world powers met in France to discuss concerns arising from wartime maritime law. In response to the United States’ and others’ effective use of privateers, the Paris Declaration of 1856 was a document attempting to ban privateering. However, the United States refused to sign the agreement. The Paris Declaration states that it is not a universal ban on privateering and only applicable to signatory nations at war with other signatory nations, [emphasis added] and does not have the authority to police the actions of non-signatories. Accordingly, the plain language of the document does not apply to the United States. “Additionally, the Declaration clearly pertains and limits itself to maritime law. Since a cyber letter of marque regime is not grounded in maritime law and letters of marque are specifically authorized in the United States Constitution, it is permissible under international law, Paris Declaration notwithstanding, to issue cyber letters of marque.”

Deployment of Cyber Letters of Marque

Congress holds the power to issue Letters of Marque under the United States Constitution. That authority could be delegated to the Department of Commerce or other appropriate agency to issue Cyber Letters of Marque. Prior to issuing a Letter of Marque, a Cyber Letter of Marque Program would be developed for U.S. Corporations to apply and participate. The enrollment would be voluntary and participation costs borne by the U.S Corporation. After successfully completing training, the private sector employees would receive certification by U.S. Cyber Command and Federal Law enforcement. Upon certification, corporate employees will participate in (sector-specific) exercises that require the skills they have learned to be deployed in a safe training environment. After completion of the program, a Letter of Marque for Active Cyber Defense would be issued to the U.S. Corporation. The Letter of Marque would detail specific authorities and any limitations.

Participating private sector employees would be in two tiers: One tier using unclassified tools and techniques, and tier two using higher level cyber tools requiring a Department of Defense security clearance.

TIER 1. Private Sector Response

Pre-Approved Unclassified Tools: As an example, for the financial sector, U.S. Cyber Command, Department of Homeland Security, along with Treasury will establish a set of “response actions” that are exempt from U.S. laws that prohibit “hacking back.” Pre-approved response actions will not be classified, reducing the number of employees who require a security clearance, and maximizing the number of certified corporate network responders. Companies can develop proprietary responses that can be cleared of criminality in advance and could also be licensed, or shared for a fee or free. Companies that hire, train, and retain the best responders can market their enhanced security, or recover development costs under license or fee arrangements. The Federal Government for its part will always have a no-fee license for defense of essential Federal systems. While proper network configurations, and good network and system hygiene, create an environment to repel high volume low threat cyber-effects, the ability to respond directly to illegal hacking will alter the cost benefit calculation for the hackers.

No U.S. Criminal Liability if using approved tools and techniques Foreign Criminal Liability would require a nation to acknowledge that a hacker operating within its geographical borders was victimized by the U.S. Corporate response. While legally possible, it places the charging nation in an embarrassing international position of raising criminal charges based on the claims of a criminal or state hacker against an actual victim.

International Law: Applicability of the Paris Declaration requires the use of a letter of marque for maritime purposes, between a signatory nation against another signatory nations who are at war. Physical presence or the conduct of business by a U.S. Corporation in a signatory nation is not enough to activate the Paris Declaration. However, U.S. Corporations would not be permitted to launch cyber defense actions authorized by a U.S.-issued letter of marque in other nations without host nation consent. Civil liability remains to ensure private sector participants hire, train, and supervise skilled Tier One responders. Cyber Letter of Marque holders will carry a Bond to cover any civil liabilities or damages.

TIER 2. Cleared Private Sector Employees Response

Pre-Approved National Level Classified Tools: Similar to Tier One, relevant Federal Agencies will pre-approve and assign to specific private sector participants classified tools that can only be used by cleared private sector personnel when an attack escalates beyond Tier One.

Deny Internet Access to Infected Devices: Devices with internet access within the U.S. are either willingly or unwittingly participating in the cyber-effect. Tier Two responders can temporarily deny internet access to those infected or participating devices in order to contain the attack. Internet access blocking is only authorized when necessary to restore network functionality or to aid in the pursuit of the bad actor. Internet access blocking is not authorized for any compromised Federal systems, hospitals, or critical infrastructure. Internet Access blocking is permitted against privately owned computers with compromised systems and active attack or effect participation. Internet access denial is only authorized to permit enough time for the targeted network to be restored or 24 hours, whichever is less. If more than 24 hours is needed or the targeted network is critical the Federal Government, (law enforcement or DoD) will assume the active defense under Tier Three.

Since Cyber Letter of Marque authorities are tailored specifically for each participant, when they work together the specific authorities provided to each can enhance the overall response action when coordinated. Therefore, a financial institution that is responding to an attack under its Cyber Letter of Marque authorities may need the assistance of one or more network providers to coordinate the response.

If cyber defense conducted under a Cyber Letter of Marque begins to expand to a sensitive nation, or sensitive target, a decision by a government representative at a Cyber Fusion Center will be made in real time. A senior watch officer at a Cyber Fusion Center will determine which federal agency assumes the response action. Once assigned in real time that Federal Agency will follow the Agencies’ existing command and control authorities. If the private entity is going to pass the response to the Federal Government then the hand off will occur outside the private sector network boundary. Keeping the Federal Government outside the private sector network eliminates the potential for the Federal Government to cause damage to private sector systems and protects the privacy of the private sector clients and data. When the Federal Government assumes the response position we enter the third tier listed below.

No U.S. Criminal Liability if using approved advanced tools and techniques. Foreign Criminal Liability would require a nation to acknowledge that a criminal or state hacker operating within its geographical borders was victimized by the U.S. Corporate response.

International Law: Some nations might claim U.S. Corporations are acting as cyber mercenaries as they are now using State level tools and techniques. The most widely accepted definition of mercenaries is found in Article 47(2) of Additional Protocol I of the Geneva Conventions, It sets forth the conditions that must be met:

• Special recruitment to fight in an armed conflict,
• Directly participates in hostilities,
• Is motivated by private gain, and is promised by a party to the conflict of material compensation in excess of that paid to combatants of similar ranks and functions,
• Is neither a resident nor national of a party to the conflict,
• Not a member of the armed forces who are involved in the conflict,
• Not sent by another state of official duty as a member of its armed forces.

In short, no. Applying Additional Protocol I, several conditions are not met in order to declare Cyber Letter of Marque holder mercenaries. Cyber Letter of Marque holders are protecting their own private property, even if the company is publicly traded. If successful they do not gain anything more than restored dominion over that which they already own. The Federal Government does not pay Cyber Letter of Marque holders to participate even if they are successful. In fact, Cyber Letter of Marque holders pay to participate and for the training of their personnel. Cyber Letter of Marque authorities are only available to U.S. Corporations, who are in fact residents in the nation. Finally, DoD contractors using Cyber Letters of Marque are not members of the armed forces, nor sent to conduct offensive operations, but are conducting defensive actions. Accordingly, Cyber Letter of Marque holders to include DoD contractors are not mercenaries under international law regardless if participating in a declared armed conflict or not.

TIER 3. Federal Law Enforcement / Department of Defense Cyber Response Actions

Federal law enforcement and DoD Cyber Forces who have been following the cyber engagement can make recommendations to the private sector team, or take the response over deploying advanced Nation state-level tools, effects, and techniques. Since both DoD and Federal Law enforcement have been involved from the beginning it is easy to determine which agency has primacy over the cyber response. If the cyber effect originated from the U.S. or friendly western nation, and after the attack is repelled, federal law enforcement will organize the evidence already collected from the engagement and proceed as a criminal case. If the cyber effect originated from an adversary or unfriendly nation, the DoD will have primacy over the event and respond accordingly. In this model real time Federal monitoring expedites the “law enforcement/military” decision point. Most importantly, the cyber effect has been rebuffed and only when the private sector was overwhelmed or the response actions required are outside the scope of the Cyber Letter of Marque, will the Federal Government respond. As a result of this model corporations bear the costs of Tier One and Two responses and only when an active cyber defense is transferred in Tier Three does the federal government participate actively. The longer private vetted U.S. Corporations pursue bad actors the greater the likelihood they will succeed in determining the origin of the bad actor and repel the attacks.

No criminal or civil liability for the private sector participants as they are out of the fight. No change to existing Federal Tort Law.

Effects of a Private Sector Cyber Letter of Marque

Attribution: Deputy Secretary of Defense William Lynn wrote in 2010, “Whereas a missile comes with a return address, a computer virus generally does not.” Attribution, as it relates to cyber attacks, is an epic point of frustration. Alexander Melnitzky argued that attribution may be a bit overblown in his article “Defending American Against Chinese Cyber Espionage Through the Use of Active Defenses.” Others argue that without attribution your right of response is limited. This belief is based on the punishment aspect of deterrence. One must know who is attacking in order to deliver an appropriate measure of justice in response to the actor. “Classical deterrence theory rested primarily on two main mechanisms: a credible threat of punishment for an action; and denial of gains from an action.” As demonstrated no credible threat of punishment (i.e. incarceration) exists for international hackers. Accordingly, a better approach to deter hackers is to focus on the cost-gain analysis. “Deterrence is a function of the total cost-gain expectations of the party to be deterred, and these may be affected by factors other than the apparent capability and intention of the deterrer [sic] to apply punishments or confer rewards.” “[T]his means that a defensive effort is inadequate for better cybersecurity a strategy that does not impose consequences on attackers is inadequate…” Therefore, if active cyber defense under Cyber Letter of Marque authorities focuses on increasing costs and reducing gains to the hacker by impacting time and effort of the hacker, attribution is less relevant.

Cyber Citizens: Historically Letters of Marque have been used against governments, corporations, pirates, and private individuals of other nations. However, what happens when attacks appear to originate from the United States. Botnet attacks allow remote control of computers whose owners have not properly protected and updated their connected device or even aware of the improper use of their device. As a result, an attack or effect might initially look like it is from computers within the United States. This fact along with existing federal criminal law has directly impeded U.S. Corporations’ ability to actively defend networks. Cyber Letter of Marque holders, specifically internet service providers, will be permitted to temporarily deny internet access to non-federal compromised systems for 24 hours or less, only for the time required to contain the attack. While on its face the temporary loss of access to the internet by cyber citizens and private corporations sounds like a bad unintended effect, the never-ending cyber-attacks of the 21st century also must be addressed. Since internet service is a commercial product the temporary loss of access is reasonable when a poorly maintained computer system is part of an attack that denies access to thousands of innocent cyber citizens banking sites.

International Reactions

While I found no violation of international law in resurrecting Letter of Marque for cyber, that does not guarantee an absence of international reactions. As has been demonstrated recently cognitive warfare is alive and well. Cognitive warfare is about controlling the decision cycle. Those who fear active cyber defense and fear delegation of authority will conjure images of global escalations arising from corporate cyber defense measures. Others who want to keep the United States from acting will claim we are increasing hostilities in cyberspace. “Concern about escalation should not lead to timidity or indecision. This is a contest of wills and our opponents will use threats to bluff us into continued inaction. However, the same political constraints on the conduct of warfare that hamper the U.S. ability to respond to opponent cyber actions using military [kinetic] forces will also hamper them. For a better defense, the U.S. will need to become more comfortable operating in the “gray zone” that our opponents now inhabit.” We have been victims for far too long. We developed the technology that underpins the global internet and because of a complete lack of will, the world has surpassed us in using the technology against us. A Cyber Letter of Marque delegating Active Cyber Defense is a small but bold step in changing this paradigm.

Conclusions

Cyber Letter of Marque is permitted under the United States Constitution and will help deter unrelenting cyber-attacks against the U.S. No treaty or provision of international law prohibits the use of Cyber Letters of Marque by vetted and certified U.S. Corporations.

Jay Healey, senior research scholar at Columbia’s School of International and Public Affairs said: “America’s cyber power is not at Ft. Meade,…” “NSA and U.S. Cyber Command are simply not positioned, and realistically can’t be, to prevent attacks on private sector entities.” “By supporting capable businesses seeking to take proactive steps to defend their assets in cyberspace, the new administration can secure a cost-effective policy win with significant potential to improve whole-of-nation cybersecurity.”

“Private businesses never anticipated that they would be forced to defend their operations from adversaries as capable as the foreign intelligence services of nation-states. Yet that is what they are forced to do in cyberspace. [T]he American government does not have the resources or bandwidth to be the sole provider of security in this realm. The legal and reputational constraints on the private sector’s ability to aggressively and proactively defend itself thus creates a gap in the nation’s cyber armor that exposes the integrity of private sector networks and data…”

Leaders of U.S. Corporations are in the best position to quantify how much of their resources to use to defend their own network and assets. In lieu of the taxpayers funding a minimal amount of shared security, U.S. corporations can market their enhanced security and, if needed, charge for greater protection, thus the market will dictate the amount spent on cyber security and not the federal budget. Similarly, as threats increase, decrease, or change, U.S. Corporations can quickly adjust budgets and deploy the latest technology and personnel much faster than the U.S. Government.

The recent discovery of an epic digital component hardware vulnerability by leading semiconductor companies, and endless software coding errors proves that no hardware or software solution will stop the onslaught of cyber hacking. Only when victims can “hack back” legally and diminish or forestall the gains made by hacking can server farms and networks be more secure.

References

1. James Lewis, Economic Impact of Cybercrime-No Slowing Down, A Report of the Center for Strategic & International Studies (February 2018) at 4.
2. Rebecca Blumenstein, NSA Chief Michael Rogers Talks Cybersecurity, Wall Street Journal, November 23, 2016.
3. Simon, Raising the Consequences of Hacking American Companies, at 2.
4. Colonel Gary P. Corn, Navigating Gray Zone Challenges In and Through Cyberspace (Jan. 16 2018) (2018 Forthcoming) at 6.
5. Id. at 7.
6. CrowdStrike, 2018 Global Threat Report, at 73.
7. Simon, Raising the Consequences of Hacking American Companies, at 3.
8. Nye, Deterrence and Dissuasion in Cyberspace, at 47.
9. Nye, Deterrence and Dissuasion in Cyberspace, at 46.
10. Nye, Deterrence and Dissuasion in Cyberspace, at 44.
11. Id.
12. U.S. Const. art. I Section 8 Cl. 11.
13. Eastman, Some Famous Privateers p. 45 (reproducing a letter of marque granted in 1815 to the Grand Turk).
14. Shock, James R.; Smith, David R., The Goodyear Airships, Bloomington IL, Airship International Press, 2002, p. 43,
15. Richard Struse, Chief Advanced Technology Officer, NCCIC, Technical, Policy and Legal Considerations of Cyber Threat Intelligence Sharing, Department of Homeland Security, (downloaded August 10, 2018: https://www.oasis-open.org/events/sites/oasis-open.org. events/files/1.2%20DHS%20Richard%20Struse.pdf.)
16. Justin Lynch, Homeland Security Announces new first response cyber center, The Fifth Domain, (August 2, 2018).
17. Mark Rockwell, Cyber exercise shows need for closer federal-state coordination, FCW, (downloaded February 6, 2019: https://fcw.com/articles/2019/02/06/jack-voltaic-lessons-learned.aspx 2/7/2019).
18. Id.
19. Id.
20. 1856 Paris Declaration Respecting Maritime Law (1856), reprinted in The Law of Naval Warfare: A Collection of Agreements and Documents with Commentators’ 64 (Natalino Ronzitti ed., 1987) [hereinafter Paris Declaration]
21. Paris Declaration, supra note 63, at 61-62.
22. Paris Declaration, supra note 63, at 65.
23. Kessinger, Hitting the Cyber Marque, at 17.
24. Nye, Deterrence and Dissuasion in Cyberspace, at 50.
25. Alexander Melnitzky, Defending America Against Chinese Cyber Espionage Through the Use of Active Defenses, 20 CORDOZO J. INT’L & COMP. L. 537, 540 (2012).
26. Nye, Deterrence and Dissuasion in Cyberspace, at 54.
27. Nye, Deterrence and Dissuasion in Cyberspace, at 52.
28. Sean D. Carberry, Why the private sector is key to cybersecurity, FCW, (March 1, 2017).
29. Frank Cilluffo and Alex Nadeau, How the Private Sector Can Remake US Cybersecurity, The Daily Signal, (January 31, 2017).
30. id.