Cyber Deterrence “At Scale”

Dave Aitel
Friday, June 10, 2016, 8:51 AM

Published by The Lawfare Institute

This week, Senator Sheldon Whitehouse called for the creation of a cybersecurity “militia” to strengthen US defense. He suggested reexamining a “militia model that lets ordinary citizens come to their country's aid.” Whitehouse’s remarks represent a growing focus on exploring mechanisms to incorporate civilian involvement and “active defense” into traditional government activities. For example, at a recent Georgetown Cyber Policy Conference, nearly every panel turned to the topic of “Cyber Letters of Marque” and active defense.

The legal underpinnings for both suggestions—militias and letters of marque—derive from the Constitution. Article 1, Section 8 vests Congress with the power to “provide for calling forth the militia to execute the laws of the Union, suppress insurrections and repel invasions…” The same section empowers Congress “to declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water.”

In essence, letters of marque allow specified individuals to commit what would otherwise be considered criminal acts (piracy) against targets of specified nationalities for particular offenses. They also restrict the time, place, and manner of the authorized “reprisal.”

One reason for the sudden surge in Congressional interest may be the recent penetration into US Steel, by actors who stole proprietary information in order to give Chinese steel companies a competitive advantage in the global market. The action clearly threatens the national interest, but the government seems unsure how to respond, as is typical in these cases. As with many similar cases of economic espionage—the cumulative effect of which has been deemed the “greatest transfer of wealth” in history—getting concrete evidence needed for reliable attribution is impossible without access to Chinese networks.

US Signals Intelligence—led by the NSA—is appropriately focused on the strategic needs of the US Government. Economic competitiveness of US industries certainly bolsters US global dominance, but the defense of a particular US company does not rise to the level of NSA priority. Thus we see members of the executive and legislative branches searching for some mechanism to fill the gaps—essentially finding a way to facilitate private actors performing a quasi-governmental function.

Militias and letters of marque are the two historical examples of how the United States employs the private sector for national defense. As with many attempts to precisely analogize cyber behavior to other areas, neither is exactly a perfect fit. But both—and particularly letters of marque—demonstrate legal mechanisms to satisfy the particular needs to empower and constrain private cybersecurity actors. Therefore, they merit policy and legal analysis and should inform the eventual implementation of a meaningful and responsive cybersecurity strategy.

The basic solution to problems like the US Steel penetration is to allow companies to contract with a licensed third party to perform actions like remote intrusion and data exfiltration and analysis under the strict oversight of law enforcement and the intelligence community. This would allow the US government to build an unassailably strong case for criminal liability and sanctions. In this sense, the action is perhaps more akin to private investigator licensing than privateer licensing.

The critical difference, however, is that private investigators are not authorized to violate laws. And in order for private actors to be effective in this particular cybersecurity space, they necessarily run afoul of statutes like the Computer Fraud and Abuse Act. While these statutes include exceptions for law enforcement and intelligence community activities, there is presently no mechanism to extend the same authority to the private sector. Legally, only the government may perform such actions—which all agree are necessary and should be undertaken—and yet the government is resource constrained from providing the kind of help the commercial sector requires. Because the critical blockage is laws, the only governmental body that can produce the solution here is Congress.

Senator Whitehouse and others are considering the possibilities in this space. Clearly, the policy here cannot be to just give private companies broad authority to break laws. Instead, such companies must be held to a rigorous standard. They should be required to adopt the norms of behavior of the intelligence community when penetrating foreign companies for strategic information. And mechanisms must be in place to prevent corporate espionage—perhaps by adopting rules to prevent licensed individuals from providing specific types of evidence to their customers, and instead requiring they report such information only to US government authorities. We must be comfortable having whatever legal framework we adopt apply to American companies reciprocally by foreign parties.

Clarity as to what authorized actors can and cannot do—a bedrock element of letters of marque—is also important to avoid escalation and reprisal issues or running the risk of being hypocritical. Because these types of private companies would be using similar skillsets and scoping as a normal network penetration testing team—albeit without the target’s permission—it is prudent to require they observe the same duty of care to remain only within the scope of their license and authorization and to not damage any targeted networks.

Of course these “private investigative” teams may not find smoking guns every time. Sometimes the best evidence might be only that a Chinese steel company used a new manufacturing technique without ever having done research and development into that technique first. But that is the kind of information that, when combined with government evidence that a Chinese state actor had penetrated US Steel, would be sufficient to build a credible case for sanctions, further FBI involvement, or even eventual criminal indictments.

This, in turn, generates a powerful deterrent mechanism for Chinese steel (and other) companies considering stealing US trade secrets. If the US can take sanctions actions based on a company’s internal documentation, that decreases the incentives to receive or solicit stolen information.

Limited, effective, and restrained use of cyber letters of marque could allow industries to fund their own active defense protection and deterrence efforts, and avoid escalation issues. Perhaps most importantly, it is a solution that can scale to address a current and pressing national security need. Certainly, legal hurdles remain in developing mechanisms to empower private companies on a limited basis. But the need for this solution and the wide-ranging benefits mean serious thought should go into examining how these constitutional principles of drawing on the skills of private citizens—which date to the founding concept of national defense—might be adapted to the cyber age.
