That means we need to come up with ways to modify these approaches and/or adopt new approaches that are either added to the ones we currently use or supplant them.
It’s easy to say we need to come up with new approaches, and difficult to actually do so. One of the possibilities I’ve written about in law review articles and in my latest book is trying to incorporate civilian participation into the law enforcement effort (and maybe into an intermingled law enforcement-military effort to maintain order in cyberspace, but that’s a really challenging possibility).
As I noted in an earlier post, we tried that in the past with spectacularly disappointing results. The problem is that if we delegate law enforcement authority – on even a VERY minor level – to civilians, things can go sadly awry; the obvious solution is to have law enforcement personnel carefully monitor what the civilian deputies (in essence) do, but that pretty much defeats the purpose. In other words, using law enforcement personnel to monitor civilians who are supposed to be helping with the law enforcement effort may not be the best use of law enforcement personnel.
I’ve done presentations recently on topics that touch on these issues, and I’ve had the same proposal come up twice: revive the use of letters of marque and reprisal. As you may know, Article I § 8 of the U.S. Constitution gives Congress the “Power To . . . grant Letters of Marque and Reprisal”. As a recent law review article notes, this power gives Congress sole authority
to commission privateers. ‘The privateer, as understood at the outbreak of the war for American independence, was a ship armed and fitted out at private expense for the purpose of preying on the enemy's commerce to the profit of her owners, and bearing a commission, or letter of marque [and reprisal], authorizing her to do so, from the Government.’ Although the United States used privateers extensively from the period extending from the Revolutionary War through the War of 1812, Congress did not issue any letters of marque and reprisal after the War of 1812. William Young, A Check on Faint-Hearted Presidents: Letters of Marque and Reprisal, 66 Washington & Lee Law Review 895, 896 (2009) (footnotes omitted).
In 1856, a treaty known as the Declaration of Paris banned the use of letters of marque and reprisal, but the United States never signed the treaty, and therefore is still not bound by it. A month ago, Representative Ron Paul joined “a growing number of national security experts” to ask Congress to use letters of marque and reprisal as a tool against the Somali pirates. Others, like the author of the article I quoted above, note that issuing letters of marque and reprisal in today’s legal environment “could violate customary international law and the sovereignty of a foreign power, not to mention appearing as an act of aggression”. Young, A Check on Faint-Hearted Presidents, supra.
I can’t assess the merits of this dispute because I know nothing about letters of marque and reprisal. This post, though, isn’t about using letters of marque and reprisal on the high seas, which is how they were historically used. Instead it’s about whether the constitutional power to issue letters of marque and reprisal could be adapted for use in cyberspace.
The first step is parsing what a letter of marque and reprisal really authorizes. According to another law review article, “[m]arque and reprisal evolved from the medieval practice of reprisal, which allowed people to cross borders to obtain redress for a specific injury they suffered at foreign hands.” Eugene Kontorovich, The Piracy Analogy, 45 Harvard Journal of International Law 183, 211 (2004). The letter of marque and reprisal lets the owner pass the border of his country (“marque”) and exact reprisal on the person(s) who caused him injury. According to Professor Kontorovich, what began as a general power had by the 1600s morphed into “a general license to prey on foreign shipping” on behalf of one’s sovereign. Other sources tend to describe marque and reprisal as purely focused on seizing the assets of citizens who are subjects of a country that is at war with or otherwise feuding with the country that issues the letters.
Since I don’t see how a power that is limited to seizing assets could be particularly useful in the cybersecurity context, I’m going to approach marque and reprisal in the general, medieval sense: as a power to cross national borders to exact reprisal on someone who has injured you. If we construe the constitutional power to issue letters of marque and reprisal in this way, it almost sounds like the strike-back option that has been floated as a way to deal with cybercrime. I wrote about that option in a post I did a couple of years ago; the premise seems to be that just as I have a right to use force to repel someone who is trying to steal or damage my property, I should have a right to use cyberforce to strike back at someone who is attacking or has attacked my computer system.
As I wrote in that post, I see a lot of problems with the strike-back option, the most important of which is that it can be an invitation to vigilantism. I might be tempted to do more than just make the person who hacked my system or is trying to hack my system back off; I might go after them seeking revenge for that and other attacks and go too far. I might also go after the wrong target, which could cause all kinds of problems as well as maybe getting me charged with a crime (unauthorized access + damage to a system).
Marque and reprisal could put a different gloss on strike-back because instead of simply acting on my own, I would be acting with Congressional approval. I would in effect be a soldier – an online privateer – defending the United States from cybercriminals and other cyberthreats. I can see problems with that, though: What if, in my enthusiasm, I were to attack a computer system belonging to another government, North Korea, say?
If I’m acting on my own, that could be a cybercrime and the North Koreans could ask the U.S. government to extradite me so I could be prosecuted in North Korea. If I’m doing it on behalf of the United States, does that transform my conduct into something more . . . into an act of war, perhaps? I don’t think we know the answer to that; when letters of marque and reprisal were used in the eighteenth century, they were issued by a country (the United States) that was at war with another country (England). Since the countries were already at war, you didn’t have the “is this an act of war?” problem.
Let’s assume we could come up with some way to avoid the online-privateer-starts-a-cyberwar issue and consider the utility of cyber-letters of marque and reprisal. I guess my first question would be about motivation: Letters of marque and reprisal used to be popular with ship owners because they could engage in piracy legally; they could seize ships and cargos and sell both, keeping the money for themselves.
If we were to decide to use cyber-letters of marque and reprisal, I’m not at all sure we should incorporate the “use this power to enrich yourself” aspect of the old letters. I’m quite sure people could use the cyber-letters to enrich themselves by hacking into criminal systems and taking whatever could be sold or redeemed for profit. I’m just not sure it’s a good idea; earlier I noted that the best-intentioned efforts to incorporate civilians into the process of law enforcement can go awry because things get out of hand. (If you haven’t seen it, the movie The Ox-Bow Incident comes to mind.) It seems to me things could REALLY get out of hand if we add a profit motive into the mix.
Another problem I see with trying to adapt letters of marque and reprisal for use in the cybersecurity arena is the need to define who’s fair game and who isn’t. As I noted above, when the letters were in use three or four hundred years ago, they were used when countries were already at war with each other; so defining who was and who was not fair game was easy. The enemy was the target, the only legitimate target.
There aren’t any (declared) states of cyberwarfare at the moment, so we don’t have that criterion to use in defining who’s fair game and who’s off limits. And even if we are in a state of cyberwarfare at some point, with a declared enemy nation-state, I don’t think it would be a good idea at all to bring civilians into the mix, especially not if they’re motivated by a desire for profit. Entities in cyberspace don’t – to the best of my knowledge – fly flags or do other things that clearly identify who they are, so I can see a real potential for error (and overreaching) by our hypothetical cyber-privateers.
Even if we were to limit the cyber-privateers’ operations to cases of cybercrime, I still see problems (in addition to those noted above). Knowing very little about the old high-seas privateers operating under letters of marque and reprisal, my sense is that one of their strengths was that they were a nimble, evasive force that could attack and defeat civilian shipping with ease, after which they retreated to their home country to sell the booty.
If we were to authorize cyber-privateers to deal with cybercriminals, it seems to me we’d be opening up the possibility of essentially reversing that dynamic: I’m assuming that the cyber-privateers would be representatives of legitimate U.S. businesses and other entities who are going after online criminals as redress (reprisal) for prior attacks on them or on other U.S. businesses or entities. If I’m correct in assuming that, then it seems to me our cyber-privateers could make the entities they work for sitting ducks. The cybercriminals are likely to be the nimble, evasive force in this scenario, while the cyber-privateers are likely to be working for stable, easily identifiable entities . . . and targets. So all they might do is provoke more attacks as a type of counter-revenge.