As early as the 13th-century, governments licensed private sailors—“Privateers”— to seize vessels belonging to enemy nations, issuing letters of marque and reprisal to ship owners and captains.
Some American commentators have suggested reviving that idea in response to cyber-attacks, especially attacks backed by nation-states. A hack this spring that shut down the Colonial Pipeline—which transports 45 percent of all fuel consumed on the Eastern Coast of the United States—may encourage this approach.
The United States Constitution authorizes Congress to issue such letters. Article I, Section 8, Clause 11 grants it the power to “declare war, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water.”
“Outside of the law reviews and scholarly debates over the allocation of war powers, the Marque and Reprisal Clause has played little if any role in modern times,” according to the Heritage Foundation, which notes that the United States has not issued such a letter since the War of 1812.
Two centuries later, military historians began reminding us that everything old is new again.
In 2012, Commander Jonathan L. Still wrote “Resurrecting Letters of Marque and Reprisal to Address Modern Threats,” for the U.S. Army War College. While cyber threats were not exclusive to the “modern threats” Cmdr. Still addressed, he noted “growing recognition of the cyber domain as a new frontier in which conflict resembles earlier ages of warfare and in which corporate and intellectual piracy have considerable effects on national security and the U.S. economy.” While questions might remain whether letters of marque can be fashioned to meet cyber-attacks, “the Congressional authority to issue Letters of Marque and Reprisal remains, having never been repealed.”
In 2013, Major Christopher M. Kessinger wrote “Hitting the Cyber Marque: Issuing a Cyber letter of Marque to Combat Digital Threats.” (The Army Lawyer, August 2013, reprinted at InsuranceNewsNet, November 6, 2013.) Maj. Kessinger suggested that “[a]pplying a letter of marque scheme to the cyber world would not only provide authority for American companies to defend themselves from cyber threats but allow them to take proactive measures to neutralize a cyber threat before it coalesces into danger.”
Ensign Lucian Rombado, U.S. Navy, wrote a 2019 article for the U.S. Naval Institute Magazine answering critics of the Active Cyber Defense Certainty Act, which would authorize private companies to conduct cyber “hack backs.” A former NSA deputy director called the idea an “epically stupid” one that might lead to uncontrollable escalation. Ensign Lombardo noted that private companies already are engaging in hack backs, and suggested that the Act would help legitimize and regulate such conduct. The alternative would be to leave “U.S. companies effectively defenseless against such attacks.” The bill, introduced in June 2013, did not receive a vote.
On May 14, 2021, in the Wall Street Journal Thomas Ayres (recently retired as general counsel of the U.S. Air and Space Forces, and a retired U.S. Army major general) called for “A Maritime Solution for Cyber Privacy.” Mr. Ayres noted that corporations lack the incentive to cooperate with authorities and timely report data breaches. “Historically,” he noted, “such letters provided financial incentives to overcome fear and inaction in the face of dangerous outcomes and national need. On the high seas, they assured standing and rights in admiralty courts that awarded ‘prize money’ when pirate ships were sunk or captured.”
DarkSide, the group that perpetrated the Colonial Pipeline hack, has ceased operations. On May 14, the same day Mr. Ayres published his commentary, Krebs on Security reported that DarkSide was disbanding “after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.”
It now appears that the federal government, not a private entity, effected the seizure of DarkSide’s Bitcoins. But Krebs reports that Darkside’s shutdown may have resulted from disagreements among hackers over appropriate targets, suggesting that state-authorized private action may still have a place in the cyber wars.