Lawfare Daily: Sezaneh Seymour and Brandon Wales on Private-Sector Cyber Operations

Published by The Lawfare Institute
Alan Rozenshtein, Senior Editor and Research Director at Lawfare, sits down with Sezaneh Seymour, Vice President and head of regulatory risk and policy at Coalition and a former Senior Adviser on the National Security Council staff, and Brandon Wales, Vice President for cybersecurity strategy at SentinelOne and the former Executive Director of the Cybersecurity and Infrastructure Security Agency (CISA), to discuss their new Lawfare Research Report, “Partners or Provocateurs? Private-Sector Involvement in Offensive Cyber Operations.”
They talk about why, in the face of escalating cyber threats from state and criminal actors, U.S. officials are reevaluating the policy that currently reserves offensive cyber operations as a government-only function. Rather than endorsing a change, Seymour and Wales propose a structured framework to guide the policy debate. This framework is built on three key factors: first, defining the core policy objectives for involving the private sector; second, determining the appropriate scope of authorized activities, including what actions are permissible and who can be targeted; and third, addressing the complex legal and liability considerations, especially when operations cause harm to innocent third parties. They conclude by weighing the potential for private actors to augment U.S. capabilities against the significant risks of escalation and diplomatic fallout.
To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/lawfare-institute.
Transcript
[Intro]
Brandon Wales: The threats that we are facing in cyber have not been sufficiently managed using the tools that we have to date. They have not sufficiently worked. We still have a ransomware epidemic in this country. We still have nation states that operate with near impunity in cyber. They're looking for additional tools, and hack back is one of them.
Alan Rozenshtein: It's the Lawfare Podcast. I'm Alan Rozenshtein, associate professor of law at the University of Minnesota, and senior editor and research director at Lawfare. Today I'm talking to Sezaneh Seymour, former senior editor at the National Security Council, and Brandon Wales, former executive director of the Cybersecurity and Infrastructure Security Agency.
Sezaneh Seymour: Most of our critical infrastructure is privately owned, and those companies make their own decisions about security, investment and risk. But when things go wrong, it's the public that ends up paying the price, and sometimes the government has to step in.
Alan Rozenshtein: Sezaneh and Brandon are the authors of a new Lawfare Research Report “Partners or Provocateurs,” which tackles the increasingly urgent question of whether the U.S. should authorize private companies to hack back against their adversaries. We discussed the framework they propose for evaluating such a policy shift from defining the objectives and scope of offensive operations, to the complex questions of legal authority and liability for collateral damage.
[Main Podcast]
So I, I wanna start at a, at a, at a 30,000 foot level before we dive into the details of this really interesting paper and proposal that, that you have all published with us on Lawfare.
The, the first question I have is why you chose the approach that you did, which specifically is to, instead of laying out, let's say, a concrete proposal, here is how the United States should go about you know, empowering private sector entities to do cyber operations. Instead, to set out this kind of framework to give policy makers a, a choice of options. Why, why did you feel like that, you know, today, given what's happening in D.C. was the better way of going about this?
Sezaneh Seymour: So why did we choose to not present a concrete proposal? You know, one of the reasons is it's very easy to get lost in, in technical jargon, in the cybersecurity conversations and forget that, you know, this is really, isn't just about networks and hackers, it's really about national security risks that we're facing because of our systemically poor digital resilience and the consequences aren't abstract and it's a really complex issue, right?
So we're talking about the risk of a hack making critical services unavailable, communities suddenly waking up with no power or water, you dial 911 and no one answers. You know, a company wakes up and finds that decades of cutting edge research are suddenly wiped from their systems.
And the scale of the problem is huge and the problem is really complex. And so one of the things that we're trying to do is just lay out a first principle series of questions that we think are worth a thoughtful, dispassionate discussion to just even ask what are we trying to accomplish here when we talk about offensive cyber operations and expanding participation to the private sector because this isn't a new issue, as you know, and as we've discussed before, this has come up multiple times.
But really, I think we need to ask ourselves first principles: What are we trying to accomplish? What is the nature of the problem and what are the risks and benefits? So that's really what we've tried to lay out here.
Brandon Wales: You know, I'll, I'll add on only building on the complexity point. I think what we really wanted to get across was that there are multiple layers of complexity around this issue, each of which requires careful consideration as part of any policy making process.
And again, I think there's a broad sense that more needs to be done in this space, more needs to be done from an offensive cybersecurity, offensive cyber perspective, and that the private sector may have a role in that and we wanted to give people options, different ways to think about it, different policy goals they could achieve, how they could handle different aspects of this challenge from the kind of targets, the kind of tactics, the type of legal regime that we put in place.
So instead of coming up with one answer that would just be ours, I think we wanted to help feed the policy process with the kind of information that will be essential for policymakers to come up with the best option at the end of the day, if this is something they really wanna pursue.
Alan Rozenshtein: Next, I wanna try to define some terms, and I was hoping that you all could clarify the distinction between the different kinds of cyber operations that are at issue here.
So in, in the, in the lingo, there are defensive cyber operations, there's active defense, there's offensive cyber operations. To me, the lines have always seemed very blurry, especially in cases like the, you know, Sophos counter offensive that you mentioned. So we can speak to that as well. What is your best simple explanation for the differences between these, these different kinds of cyber activities?
Brandon Wales: I mean, I, you know, I, I'd start with maybe like, the simplest way to think about it is defensive operations are things that you're doing on your own network, and offensive operations are when you're gonna be touching someone else's network, an adversary's network or potentially an intermediary network that an adversary is using to target you. So that's the clearest distinction.
I think from there, it gets complicated and it gets very and allotted to a gray area. You know, active cyber defense is a term that gets thrown out a lot. Some people by that mean hack back where you're actually going out and, and targeting adversaries. Sometimes it means doing things on your own network to specifically disrupt an adversary's operation that might be ongoing.
There's not clear legal definitions for this outside of what's covered by the, the Computer Fraud and Abuse Act, which basically just prohibits any type of alteration of someone's computer that you don't have authorized access for. And I do think that as part of any regime that could come out of this, clarifying some of the, the boundaries here are essential.
And I think that is one of the key questions that we ask. One of the key factors is: What types of cyber activity are you comfortable enabling the private sector to do once they leave the boundaries of their own network?
Sezaneh Seymour: You know, when you started you said you see them as sort of like, ill-defined squishy terms and I had the complete opposite perspective when I started this work 'cause really when we talk about this, I dunno, Brandon, you tell me, like in government we talk about offense and defense and we think about them as two, or at least I used to think about them as two circles on a Venn diagram with almost no overlap.
And as we start to look through actually the types of activity that we see today private sector operators doing, it does feel like there's a little bit of overlap. Brandon mentioned the active cyber defense. And, and there's already some stuff that's happening, you know, with permission through the courts and et cetera.
So it's interesting, I walked away with a very different perspective that some, some of the things that policymakers and others are really talking about wanting to happen may already be happening, and those serve as instructive precedents. The challenge may just be that they're not happening at scale, or it's taking too long to be able to make them lawful to happen, you have to seek civil cover through the courts, things of that nature.
Alan Rozenshtein: Why write this paper now? And I ask because the debate over sort of hacking back or however you wanna call it, it's not, it's not a new debate, right?
It's been going on for many years. It has these ebbs and these flows. Why do you all feel like now is a good time to intervene in this debate? Is there, is there additional interest on Capitol Hill that you are anticipating or, or trying to affect? I'm curious about the timing component of this.
Brandon Wales: Yeah, so I'll, I'll, I'll start and then Sezaneh can add in. There is certainly far more interest on the Hill than there has been in a long time. I testified in January, I got asked about it from one or two different members who are interested in it. There are members on both sides of the aisle who have talked about it publicly, about the interest in doing this.
Certainly there's a broader interest in expanding offensive cyber operations coming directly from the White House. So there is just a much broader interest right now. I think partly driven by the fact that there is a sense like, you know, an accurate sense, that the threats that we are facing in cyber have not been sufficiently managed using the tools that we have to date, they have not sufficiently worked.
We still have a ransomware epidemic in this country. We still have nation states that operate with near impunity in cyber. They're looking for additional tools, and hack back is one of them.
Sezaneh Seymour: Yeah, and the, the conversation has been persistent really, because the scale of the problem is huge, as Brandon said, and it continues to grow, right?
So I saw a really instructive statistic just a few months ago that has always stuck with me 50 years ago like the total value of companies on the S&P 500 index was mostly in things like you know, tangible assets like factories and inventory. I think it was over 80%. Today that's flipped. So over 90% of the S&P 500’s value is in intangible assets like software, data, intellectual property.
And it's those assets that internet connectivity has enabled hackers whether just malicious criminals or nation states to go after and preposition in. And, and that's part of the reason why governments and security experts have continued to tell companies to focus on defense and get better at taking punches, putting energy into surviving and bouncing back from attacks, recognizing that security can never be perfect, right?
But status quo isn't enough. Like there are many things we could be doing and, and this idea of like, why should we just continue to take punches? Why can't private companies punch back, is I think the language that was used at Brandon's hearing, keeps coming up.
And that's part of the motivation now is like perhaps there's deterrent value to having basically the U.S. private sector unleashed in some way. Like perhaps threat actors won't target the United States in the way that they have in the past. I mean, there are all sorts of motivations here, but for, for sure, I think the scope and scale of disruptions is driving this.
Alan Rozenshtein: So we're, we're gonna jump into the paper, but before we do, I wanna ask one last kind of background question, and it's about your, your own background and how that informs how you approach this problem. So you both have had high level positions in the government working on these kinds of issues. Sezaneh, you were at NSC. Brandon, you, you ran CISA. Now you're, you're both in the private sector doing related work.
And so I'm curious how those experiences, again, both on the government side and, and then on the private sector side, have informed this and, and I'll just say, I'll do a little bit of editorializing. I'm an academic and academics sometimes debate these interesting questions of hack back and, and that's great and all, but there's sometimes an error of kind of unreality because often those of us who have, you know, interesting academic ideas about this don't actually know what it would mean to enable a private entity to go and you know, do various cyber activities abroad.
I think you two both have the benefit of knowing much more on a day-to-day basis, what that would actually look like. And I think it lends wonderful credibility to your, to your analysis. But I don't know how, how do you see how your background has informed how you, you think about these kinds of issues?
Brandon Wales: The thing that I would hit on the most is having spent a number of years having, being part of the conversations around how the U.S. government authorized was authorizing its own offensive cyber operations, the process by which the government went through and considered potential targets decided on them, debated how to use its offensive cyber capabilities.
I most wanted to bring that to bear in considering expanding that, the role of the private sector in that space, that the complexity, the thoughtfulness carried forward because there are a lot of advantages to the very deliberate process the U.S. government goes through. Now, again, it does slow things down.
It's not as fast and as nimble and it doesn't have the benefit of scale potentially that the private sector could bring, could bring to bear, but it makes sure that really critical issues are being considered. And I wanted to make sure that as people were thinking about expanding the role of the private sector that they thought through those same questions.
What kind of targets are legitimate? Where could those targets be located? What types of capabilities should be allowed, which shouldn't be allowed, the degree at which the U.S. government should be involved in these decisions? All of those have real importance for geopolitical and national security interests of the country and they need to be part of this conversation.
And so when Sezaneh raised this idea to me, I wanted to jump right in because these issues are extremely, extremely important. And I saw them firsthand in the government as we went through them. And as we're thinking about expanding to the private sector, we need to have that same thoughtfulness as part of the policy process. And I think that's what this paper attempts to do.
Sezaneh Seymour: Yeah. And one of the things that has changed, so I've been out of government for a couple of years now, and my perspective has changed dramatically. I used to see things exclusively through the national security lens, and I still do to a great extent, but now at a cyber insurer, and one of the things that I have the benefit of is a ton of data, and I understand a lot about like, just what's happening on the ground in terms of like, you know, real systems being attacked by real threat actors and how they fare and recover.
And, and what I'm, what I'm seeing is you know, truthfully, a lot of the incidents that we're seeing, notwithstanding the ones that are driven by malicious nation states like the Volt Typhoons are, are not that sophisticated.
I'm also getting a much better appreciation for something we've been hearing agencies like CISA say for a long time, and that's that today we put a disproportionate burden for the security of our technology on the end users of technology. And that to me feels like if what we care about as a society is security, that's probably not the right policy, like from public policy perspective, that's probably not the right formula here.
So I think it's important to engage in the hack back conversation because it's important to be open to any option. But recognize that really a, a complex problem is gonna require a complex solution. And this may be one of them, but thinking about these things just with an open mind is both timely and important.
Alan Rozenshtein: So one thing you stress in the paper is the importance of getting very clear on the goal of all of this, what strategic objective are you trying to, would the, would the U.S. government be trying to achieve here? And there are a range of policy objectives, right? There's augmenting the government's capacity, there's disruption of adversaries, there's a bunch of other stuff.
And so I'm curious, obviously these are all interesting and legitimate goals. In the kinda short term, what do you think are the sort of primary goals that policy makers should be thinking about, you know, in the next 18, 24, 36 months that is relevant to how private sector involvement and hacking back, however you wanna call it, can, can be used?
Sezaneh Seymour: You know, I don't have a, a personal view. I just think one of the things that's happening is we're often talking about solutions and the way to structure legal changes without actually talking about what we're trying to achieve. So that's, that's sort of thing one.
What's clear is like in the conversations that I've heard and some of the quiet conversations that are happening now, the goal really is to expand capacity, the ability to act more quickly than, than currently we can because we're limited to basically the U.S. government performing offensive cyber actions with certain narrow exceptions. That’s sort of thing one.
Thing two, I think there's, there is an interesting thing in the United States where, you know, of course we don't, the, the U.S. government doesn't monitor private networks domestically, and so there is a bunch of data that private actors will have.
Alan Rozenshtein: That's, that's, that's what they would say wouldn't, wouldn't it?
Sezaneh Seymour: Yeah. Yeah. Well, that is what I'll say. Being, having been in, I have a lot more information now that I did when I was in,
Alan Rozenshtein: Fair enough
Sezaneh Seymour: When it comes with the United States, but there is like an aspect of like participation that can actually complement the picture in a way that's, you know, advances our national security and resilience goals. So just laying out what the, what the specific goals are I think is really important.
We identify a couple of other country models, we talk about in Estonia, like having just a bench of experts that you can call upon in the event that there's a national security issue that you can draw up just to immediately augment your bench, so to speak. So I, I'm generally open.
There are certain things a private sector can do that government can't do, and I think that's important to recognize. But that's, that I think is a piece of what's missing in the conversation actually across many policy circles is that many are engaging in this conversation with different goals in mind.
Deterrence is a big one. The idea that again, as I've said, like if the United States allows private sector entities to hack back, like maybe as a, just as a region, we'd be less, or as a country, we'd be less interesting to, to criminals.
Brandon Wales: So, you know, I, I think Sezaneh hit the point perfectly, so I, you know, I'm not gonna disagree anything with there.
What I'm gonna try to add is how, I think policymakers should kind of reflect on all of the, the potential policy objectives we had in there, which is really a question of how do they, how does the government get the most out of the innovation and capability in the private sector? And there are a lot of ways of doing that.
To date, it is focused on things like information sharing or a direct contractual relationship to support the cyber activities, both defensive and offensive of the federal government as it moves forward. Even if it wants to have the private sector expand its role, there's not a one size fits all approach to that.
They can have an expanded role without going directly into offensive operations, directly hands on keyboard of, of, of hostile networks. It could be you know, improving the ability to provide more insights into the government based on the, the enormous visibility that the private sector has. It could be lightening certain potential blockages and prohibitions on doing that. It could be expanded research and development and offensive tooling that will eventually benefit the government.
But really the goal needs to be how do we get the most out of the private sector, because that is really a strategic advantage for the United States. The thing that separates the United States from places like China and Russia is really the vibrancy of our private sector, and we wanna get the most out of that because that can add tremendous value to what it does every day on a defensive cybersecurity perspective.
But if we wanna get them more involved in, in the offensive space, let's identify the best possible way of doing that that maximizes our advantages and minimizes the potential risks, some of which we identify in the paper.
Alan Rozenshtein: So let's talk about the mechanics of how some of these proposals might work, and we'll get into the legal questions in a, in a little bit. Right now I just wanna think more like on a, you know, day to day or hour by hour basis. There's some cyber intrusion, some private sector entity wants to respond in some way.
What are the different models for how this might happen? Does the government just sort of give ex ante permission and say, good luck, let us know, you know, does the private entity go to the government and say, hey, here's what we'd like to do. How detailed is the government involvement? Just kind of walk us through the range of, of, of possibilities and sort of what are the, kinda the high level pros and cons of different points on this sort of spectrum.
Brandon Wales: You know, I'll start, but I, I think as you note, each of these has a potential range of, of options, you know, the degree at which the U.S. government is involved upfront and also in the midst of, of an attack. The government could have a very light touch where it could just say, it could have some licensing regime, or it could have some broad ex ante permission for, for the private sector to respond to, to cyber activity.
It could broadly allow targeting of a certain class of actors. Alternatively, it could be, it could be much more involved having to approve individual operations. There would have to be a decision there. And again, there is a range of options. I mean, the more the U.S. government is involved, the more it controls the impact, the more it can provide its insight, knowledge, and expertise, particularly in terms of the potential diplomatic and, and escalation risks from conducting certain operations. The less it's involved, potentially some of that information is not available to, to the private sector.
On the other hand, the more the U.S. government is involved, the more it is likely to suffer from this similar type of kind of bureaucratic processes that could slow down operations, that proposals like that are being talked about are trying to solve for. If you're trying to speed up the speed and scale of operations, then you wanna reduce friction, you wanna reduce bureaucratic processes. Having the U.S. government heavily involved might run counter to that, to that objective.
So again, going back to the earlier conversation, identifying that objective and those sets of goals and objectives is critical because how you structure the program, including the degree of involvement and how, how you would structure the regulatory or, or statutory regime are essential.
Sezaneh Seymour: Brandon has covered it beautifully. I would say that there, it seems to me in many of the conversations are really two objectives here. Just increasing the number of actors that can work in the space, given the scale of activity, but also the speed.
So as you look at the different, we have a number of different proposals and you know, setting aside how they would work legally, like and those are illustrative by the way, and they're not exhaustive, but like the idea really is, are you going to give entities permission to basically act immediately when they're attacked or even preemptively if they see someone sniffing around their systems and they wanna disable or you know, try to identify the actor before they're basically hacked.
There's the question of giving permission to those entities before, or forcing entities to come to the government for permission after they're attacked or granting permission so that they can act once they're attacked. Like there are a bunch of different models.
I would say it feels like because we're trying to solve the speed problem. And many of the proposals we've seen have been about licensing regimes, right? So you identify specific actors that you, you identify, have the capacity to do this work because it is not easy to do, right? Have the capacity, they can work at scale, and you provide them clear boundaries to act. That seems to be the direction that many are going in.
What is less clear to me, however, which we don't cover in our paper, is any entity that's licensed, are they going to be permitted to only defend their own networks? Or are we gonna have like hack back as a service? Which is a, a little bit of a scary thought to think about, but that, that's another open question because we have many, many businesses that are being hit every single day. And you know, you can see that there will be demand potentially from some, to actually seek this kind of assistance. And that, that's an open question, I think.
Alan Rozenshtein: Is it an open question? It seems obviously what will happen. Like, like within 48 hours.
Brandon Wales: I agree with you. I think it'll be, I mean, I, I was talking about this with my team this week and literally the first question was like, oh, are we gonna do a startup to, to support this effort? I mean, you know, that, that kind of idea, you know, percolating.
I think that there will be, and in some respects it may be in the government's interest to have people who are the right level of expertise and capacity that would be licensed to do this, as opposed to making a bit more of a free for all with a lot less capability and a lot more potential downside risk from actors who don't know what they're doing, trying to engage in offensive activity.
Sezaneh Seymour: And, you know, there could be value if, especially as you think about the risk and there are so many different moving pieces, but maybe the goal is just sometimes identifying the actor and attribution. That's something that someone can do without, you know, without just destroying or doing anything that can't be undone in an offensive cyber activity.
Yeah, you're, I think you're right, Alan. I think even if on day one, that's not the action, I think eventually there will be a demand for hack back as a service. And this is, the conversation starts with that and ends with, do you guys wanna start a hack back as a service company?
Alan Rozenshtein: You know, I'm, I'm, I'm around.
So maybe I'm, maybe I just lack imagination, but I will say the spectrum that you all lay out, which, and I think analytically is totally the right way to think about it from, you know very minimal case by case authorization where you know, the company has to go to the government and, and ask, you know, hey, we'd like to do this. And okay, you can do this, but you can't do that all the way to here you go, here's your license. You know, got speed.
I, that's obviously analytically the correct way of thinking about it, and honestly, if the speed concern is paramount, then I guess you would want to kind of go to that more autonomous end of the spectrum. But it just seems to me that given the difficulty of attribution, the, the fact that, you know, you could be going against what you think is an attacker, but it turns out to be a totally innocent third party because the attacker routed, you know, their attack through some third party that they took over. On the one hand, so attribution risk on the one hand.
And then the escalation risk on the other, which is okay, maybe this really is the Russians that are hacking you. Well, is the government really gonna wanna just sit out and let you take down the Moscow electricity grid? It, it seems to me that, that, at least at the very beginning, no executive branch, maybe Congress is different here, but like, no one sitting where, where you all sat–the two of you when you were in D.C. though, don't, lemme put words in your mouth–would be comfortable with anything other than the most limited kind of, okay, you guys can press the button, but you know, we, the government, Uncle Sam is gonna be behind your shoulder this whole time.
Brandon Wales: So I, I think Alan, the only, the only caveat that I would, that I would say is there's a big difference between authorizing, for example, a private sector to hack back against the infrastructure that is targeting them.
Now again, you raise, there's important points as we discussed in the paper around third, you know, this could be an innocent, an unwitting third party whose infrastructure is being used, but in terms of targeting the infrastructure that is being used and a broader kind of retaliatory strike.
So if a Russian government actor from the FSB or the SVR or maybe a Russian ransomware group is launching an attack against the company, retaliating against separate infrastructure just to cause a disruption to impose some kind of consequences that really, in my mind, is likely to maintain, stay a U.S. government type of action where it's imposing broader consequences on the act, on the that country as some mechanism, me, you know, method of either consequence or deterrence.
I think that is different than authorizing the private sector to immediately, you know, to respond to the infrastructure that is targeting them and take it offline, that one seems more reasonable in that spectrum of, of potential options. And I think the government may be more willing to allow the private sector to conduct an operation that just directly responds to malicious infrastructure that is being used against them than they would against an unrelated piece of infrastructure in some type of retaliatory strike.
Yeah, I, I don't see that as, would be part of any type of of serious policy proposal in this space.
Sezaneh Seymour: The, the point about not always knowing who you're attacking though, I think is a really important one, and it's one, I mean, you asked a few moments ago, like, how has our perspective changed? I mean, being, being in an an insurance space, I, I think about who's responsible for collateral damage?
Alan Rozenshtein: I mean, it's, it's, it's you at this point, right?
Sezaneh Seymour: Sometimes, yeah.
Alan Rozenshtein: I mean, a lot of the time it's you.
Sezaneh Seymour: Maybe. But the insurance community is really good about writing exclusions when we, we have difficulty pricing, right? So I mean, we face a, an environment where there could be a lot of collateral damage and sometimes you won't even know that, that an incident, you know, that someone has lost. Like, you know, you'll have business interruption claims.
There are a lot of different stats here that you can point to, and people have different methodologies and whatever, but directionally, I think they're right that this one is a SecurityScorecard stat, if I'm not mistaken, that they found that over 40% of ransomware incidents that they observed hijack innocent infrastructure.
So you can, and you don't always know that–
Alan Rozenshtein: I'm surprised it's, I'm surprised it's that low.
Sezaneh Seymour: It sounds low to me too, but I didn't like–
Alan Rozenshtein: I, I feel like it should be 100% of the time.
Brandon Wales: That's probably ones they can prove. They can prove 40%.
Sezaneh Seymour: Yeah, I think, well, that's probably right. Yeah. Because like, you know, these entities are really good. The other stats that I've seen and I don't–
Alan Rozenshtein: When I do ransomware, I always route it through a third party. I mean, I just, that just
Sezaneh Seymour: Seems like best.
Alan Rozenshtein: Exactly. It's among me and my buddies right. All the time. Always.
Sezaneh Seymour: I mean, I saw some horrifying, so apparently I saw a stat that 95% of like phishing emails go through botnet infrastructure and that's like, I mean, it, it's just, it's, and all of that is like obfuscated
Brandon Wales: and, and certainly the, the more sophisticated attacks you go, the more likely it is. I mean, you know, something like Volt Typhoon 100% was routed through obfuscated infrastructure that was on small and home office routers.
So yeah, I mean if you are directly responding to an attack on your infrastructure, most likely you are targeting a piece of hijacked infrastructure someplace. Could be in the U.S., could be in Europe, could be somewhere else, but you are, you are likely targeting an unwitting third party.
Sezaneh Seymour: And that, and that's why this is so complex, right? And that's why it keeps coming up.
Alan Rozenshtein: Yeah, there's a separate question to be had about whether it's such a good idea for all of our fridges and toilets to be internet enabled and therefore immediately part of some Russian botnet. But we can have that on a different podcast conversation.
Sezaneh Seymour: Yeah.
Alan Rozenshtein: Okay. I, I wanna get in now to the, to the legal part of this analysis. So before we talk about what sort of legal reforms could accomplish any one of the kind of large permutation of options I wanna talk about what the sort of status quo here is.
In my understanding, the Computer Fraud and Abuse Act is the main blocking statute. Obviously there's all sorts of international law dimensions, let's just focus on, on U.S. law here. Is that correct? And is there any way around that without doing sort of major reform, really substantive reform of things like 1030 and, and whatever other relevant statutes there might be?
Sezaneh Seymour: Yeah, I mean, my read, and I'm not a lawyer, but based on, you know, the, the extensive time we spent on this, and frankly the prevailing view of other experts in this field is CFAA has to be, CFAA has to be addressed in some real way because under the Computer Fraud and Abuse Act, basically any effort to access another, an outside system, an adversary system without authorization can trigger liability.
So that is part of the reason why you do see a little bit of activity in this space. Like when the Microsofts, the Palo Altos or the Googles of the world take down botnet infrastructure, but they're always doing it with the cover of, you know, support. So that to me feels like a reasonable place to start unless you're looking at, you know, maybe you don't need that if you're going through letters of marque. But that's, that's sort of a separate, a separate, and I think maybe less likely case.
Brandon Wales: Yeah, I mean, the bottom line is you'll need some type of congressional action either to amend the CFAA or to pass some other type of legislation that will give certain authorities, notwithstanding the CFAA, you know, the private sector, the ability to conduct something.
But you're gonna need some type of congressional action if you want to allow the type of hack back that is the one that is most discussed. And I think the reality is corporate counsels are going to demand that or else they're gonna view the risk as simply too great to allow these kinds of operations without very clear statutory, you know, clarity.
Sezaneh Seymour: That's an important point because you could, like, you know, you can write an EO tomorrow and like, I don't think anybody would wade into this space without that kind of legal certainty.
Alan Rozenshtein: I mean, it worked for TikTok, which I just have to say because that's been my obsession for the last year. But yes, I take your point. No, good corporate counsel certainly should just–
Sezaneh Seymour: Yeah, yeah.
Alan Rozenshtein: Go on various unenforceable promises out of the White House. Fair enough, fair enough.
Sezaneh Seymour: I mean, it's not just, you know, CFAA. There's also the Electronic Communications Privacy Act is another that I think will become potentially triggered depending on what the activity is, where the action is. But yeah.
Alan Rozenshtein: So Sezaneh, you, you mentioned letters of marque and, and I have managed to, to wait an entire 40 minutes before getting to ask about that. But letters of marque are always fun to talk about because I immediately think of cyber piracy or I guess cyber, cyber privateering, maybe the more historically accurate term.
So what are letters of marque and reprisal and just explain how, why an 18th century, you know, legal concept which is in the Constitution could possibly be relevant to a 21st century digital problem.
Sezaneh Seymour: Yeah, I mean, well first of all because they're really cool is like, I, a real answer.
Alan Rozenshtein: I, I honestly have wondered, 'cause obviously people have talked about cyber letters of marque for many years and like part of it is, I've always wondered how much of it is because it's really cool, which is like a perfectly fine reason to do policy.
Sezaneh Seymour: Yeah, well, I mean, I had this conversation with a colleague earlier this week. It's a congressional constitutional authority, as you say, right? So they're like, well, we can do it now. And I'm like, yes. But it takes an act of Congress, which as you know, living in Washington, is, you know, is not quick; if speed is your interest, that is probably not where we need to be.
But just as you note, this is a constitutional authority that's in our constitution, basically. They’re instruments that give a sovereign authorization, I think is a language to private entities to do what otherwise might be unlawful acts of piracy or war. So essentially think of it as a license to, to steal, to act, to, I mean, the specifics would be in the actual letters of marque, but,
Alan Rozenshtein: And, and it's a license under international law or under domestic law? I, I,
Sezaneh Seymour: Domestic.
Alan Rozenshtein: I'll always, I'll always say, yeah, it always, I've never fully understood. When I, you know, I teach Con Law, right to–
Sezaneh Seymour: Yeah
Alan Rozenshtein: 1Ls. We don't spend a lot of time on letters of marque and reprisal, but, you know, I do read it every time I teach Con Law.
And I've always wondered if the, the primary authority here is a domestic authority, which I would've assumed was already covered by, let's say, the Commerce Clause or if it's international law authority? But I would've thought they maybe already covered by Congress's powers to regulate, you know, the, the Law of Nations or, or, or to, to create crimes regarding the, the, the, the Law of Nations.
I always assume that the, what letters of marque are doing in the Constitution is that it is specifying that it is Congress rather than, let's say the president who has the authority under international law to trigger letters of marque, which presumably in the 19th, in the 18th century were a recognized international law thing that a sovereign could do, hence privateering.
Sezaneh Seymour: Yeah. I mean, they haven't been used since the Civil War, right? So I, I don't, I don't think we fully really know, but they, they are very popular in the context of offensive cyber. And they've also been proposed, as we found in our research, to seize or pillage assets from sanctioned entities, Russian entities in particular. I think there were also–
Brandon Wales: Cartels.
Sezaneh Seymour: Cartels, like also, yeah, cartels in the context of I think the fentanyl crisis. And so the reality is like the, the domestic versus international question is the right one, but ultimately I don't think a foreign government would recognize a cyber letter of marque.
Brandon Wales: Yeah, I mean, I think with cyber letters of marque, a private entity may have all the same legal liability in the international context for any violations of the laws of other nations, or possibly they could be, you know, they could be treated as if they are being done by the U.S. government because of the official sanction.
I don't think we really know today how that would be handled because it just, they've not been used in this kind of context in, in more than a century. So, you know, we, we would, those issues would need to be ironed out and I think there are going to be really important ones for if that is chosen approach for the private sector that would receive these letters of marque, what the implications are both domestically and internationally for exercising them.
Alan Rozenshtein: Am I right though then that again, letters of marque being very cool, Congress doesn't need to call this cyber letters of marque, nor does it need to specifically point to the letters of marque provisions in the Constitution to accomplish whatever reforms of Section 230 one would want to enable this on the, the domestic side?
Is, is that, I mean, so I, I think cyber letter, it's a useful shorthand for the concept.
Sezaneh Seymour: Yeah.
Alan Rozenshtein: But it doesn't actually have to be tied to this like specific constitutional authority of letters of marque.
Brandon Wales: Yeah, that, that, I think that is our understanding. I think the only real issue is what are the, what does that mean for the international context? And then would they be covered under kind of U.S. government sovereign cyber action as similar to action that would be taken by military or intelligence services here? Would they be treated similarly on international law or will they, you know, the private companies bear some separate responsibility?
Alan Rozenshtein: And, and actually that, that's where I want to sort of turn to next, which is the international law dimension to it, right? Obviously the primary concern for, you know, U.S. general counsel is, I don't wanna violate 1030, but presumably you also don't wanna violate international law.
Or to the extent that you don't really think that international law is all that important, you don't wanna violate someone else's law, right? You don't wanna violate, ideally Chinese or Russian law. But fine maybe you have accepted that.
But what you really don't wanna do is violate French law or U.K. law, or Canadian law because again, on the assumption that most of these attacks will be routed through innocent third parties, probably in friendly countries 'cause those friendly countries will have infrastructure that, you know, the, the U.S. servers are probably more willing to, let's say, whitelist or, or allow through, you know, you have a situation where you might, you know, take down a Canadian hospital or a French school or whatever the case is. And, and now you're in trouble, right?
So, to, to the extent that one can avoid that, how much do corporate counsel care about foreign legal issues, even if they have clearance under, under U.S. law? And obviously there are a lot of different countries; I'm not asking you to go country by country. But am I right to think that that is an important piece of this puzzle?
Sezaneh Seymour: I think it's, it’s one of the many, but one of the top issues that I think will be very difficult to resolve. I'm not quite sure how we resolve it, especially, you know, we have many multinational companies that care, as you noted, like you do business in the United States, you also do business in Europe.
And that global legal context is so important because, you know, as we parse out in our paper, some countries have sort of thought about and integrated some public-private cooperation in the offensive cyber space, but if the U.S. moves in this direction, we would be the first to explicitly authorize, presumably, independent private offensive cyber operations in our national law.
And then we're basically setting new precedent. I'm not really sure what would happen, frankly. And I think if I were advising, just sitting inside of a company, we, we operate in many countries, and one of the questions for us would be like, is it even worth moving into this space? Or is the potential, you know, we talked about accountability, responsibility, liability, like, you know, is, is the Gordian knot of potential unknowns, like, so large that it's just not worth wading into the space? I, I don't really have a good answer to that.
Brandon Wales: Yeah, I mean, I, I don't, I don't have much to add because I think this, you know, Sezaneh hit the, hit the nail right in the head.
I mean, this is probably one of the most critical questions that we'll be facing, any regime, which is, if you want the regime to be workable, if you want people to actually use it, how do you address this issue? So any multinational company that has the, you know, that may operate overseas is, is going to have a very careful consideration around using this authority because of the potential for criminal and/or civil legal risk in, in third countries.
Now again, you know, some smaller companies that may not, that don't operate globally, they may be more willing to use it, but again, then they're the ones that are less likely to have the kinds of capabilities and may not wanna invest the resources in having teams that are capable of executing this kind of, this kind of operation. And so I think this, that's gonna be a real challenging piece to address.
Now again, you may wanna say you're authorized to conduct operations in certain places, but not others. And, or you may just be willing to only conduct operations in places where you have lower legal liability. And so you're not gonna conduct operations where you're, where you have locations, you're not gonna conduct them in Western European countries, but you may be willing to conduct them in Iran or China directly.
So that may be an outcome but I'm not sure it's one that can be easily designed into a program from the start given, as we talked about the way in which most cyber-attacks are routed through unwitting third parties.
Sezaneh Seymour: And you know, as we talk about it, we get back to one of the questions that we raised in the paper, right? So we talk about your policy objectives and we talk about like the scope of authorized activities and within the kinds of activities that, that we would imagine private sector entities potentially performing.
We bucket them into destructive and non, you could potentially see an environment where, you know, there's a global ransomware pandemic where allies agree that you know, if, if the activity is just trying to identify what you believe with reason, with collaboration, with the private sec, with the government rather, is a criminal ransomware enterprise and you're just trying to get, use a private entity to get attribution to identify the source and the infrastructure that may be enough because no one is disrupting anything or taking anything down. And then there's like a separate, a layer of approval through the government process.
You could, you could imagine a scenario where we sort of dip our toe in the water and we're using private entities to just be the investigators, right? Who are these entities? Where are they? What infrastructure are they using? And are they criminals or is it innocent infrastructure? Like you might be able to see that, but this is, this is one of the thornier issues.
Brandon Wales: And Alan, let me just make one more point on this 'cause there are a variety of ways in which you can deal with third party infrastructure.
It may not always be a hack back. And the more sophisticated companies who may have operations and locations in Western European countries, for example, may just choose that for infrastructure that's targeting them that's located there, they're gonna make referrals to the law enforcement or cybersecurity authorities of those countries. And they're gonna reserve their hack back for locations elsewhere, again, where there's less legal liability.
So, even if the authority was granted, they may not wanna use it in all contexts for exactly this purpose because they wanna try to avoid some of the downside risks. And because of their size and scale, they have the ability to get to the right people and have law enforcement authorities take action or make a notification to that unwitting third party whose infrastructure has been hijacked by a ransomware crew or by the Chinese.
Alan Rozenshtein: So I wanna end by asking you both to kinda reflect on what it means that we're even having a conversation seriously about enabling private sector participation in what ordinarily we think of as a classic state activity, right, which projecting force abroad.
Do, do you view this as an indication that fundamentally our cybersecurity has failed, right? And that the government in particular has failed in its obligations so that now we have to spend all this time talking about letters of marque and, you know, the role of insurance and all that sort of stuff.
Or alternatively, is this just inevitable, right? That this is not the sort of threat that under any plausible set of conditions the government could handle by itself, and that you'll always need some degree and potentially extensive degree of private sector involvement. So let's start with, with Brandon and then Sezaneh, you can have the last word.
Brandon Wales: Yeah. I mean, you know, in some respects we've, we've come full circle as a country. I mean, the reason why there were letters of marque is because governments, you know, early governments weren't able to deal with piracy on the high seas, and today we're not able to deal with, you know, what are the current day pirates of ransomware crews and malicious nation state cyber actors.
We are not meeting the moment. The threats are more aggressive and at a scale where government action alone has proven insufficient. Now, again, there's lots of answers. I mean, previous administration wanted to focus much more on regulatory authority to kind of drive down risks domestically. The current administration wants to ramp up offensive activity to provide more of deterrence and disruptive effect.
But it's all designed around the idea that we are not able to match the level of threat we currently face. And that is why this is now being taken more seriously than it was five years ago when, when people were having some of the very similar conversations, but they were not in the places and of import that they are, that they are today.
Sezaneh Seymour: Brandon, it won't surprise you that you captured my sentiment. But I would just say that, you know, the question of whether we failed, I think is an important one. The reality is we, we continue to face a very, very serious national resilience problem, a digital resilience problem. And it's driven by a lot of different factors.
I will say that getting more private sector participation in offensive operations isn't a silver bullet and I actually haven't heard anyone seriously suggest that it is, right? But, you know, it's one tool. I will say my, my very strong view, especially with a, a sort of renewed perspective on this is that if our national end goal is resilience, then there are probably much more effective policy changes that we should be prioritizing as a country.
So, you know, again, we have digital vulnerabilities across our infrastructure. Those are exacerbated by the quality of technology that's brought to market. We put too much of the security burden on end users of technology, notwithstanding the fact that they're the least equipped to handle that right, relative to the vendors.
Most of our critical infrastructure is privately owned, and those companies make their own decisions about security, investment and risk. But when things go wrong, it's the public that ends up paying the price and sometimes the government has to step in, as we saw with Colonial Pipeline.
The right policy response here is going to have to address all of those realities. And there are a lot of Lawfare papers that actually speak to these different things, you know, standards, software liability, et cetera. So far in this country, I, I don't, I wouldn't say the government has failed because just we can't agree.
We have not had the political will for comprehensive reform in this government. Our approach has mostly been voluntary, with the exception of some narrow reporting obligations, and that trend continues, right?
As a consequence of that whether it's failure or not, I don't know, but our nation has basically endured a never ending series of digital paper cuts, right? Each cyber incident is painful. Recovery takes longer than we like, but eventually we recover and we move on. In my view, all it's gonna take is one or two more serious disruptions for the public sentiment to shift and demand action. And at that point, I suspect there will be political will to act. Offensive cyber operations may be part of that conversation, but that alone isn't gonna be enough.
Alan Rozenshtein: I think that's a good place to end it. Brandon and Sezaneh, thanks for writing a really terrific paper and for coming on the show to talk about it.
Sezaneh Seymour: Thanks for having us.
Brandon Wales: Thanks, Alan. Appreciate that.
Alan Rozenshtein: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter at our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.
Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Allies, the Aftermath, and Escalation, our latest Lawfare Presents podcast series about the war in Ukraine. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja. Our theme song is from Alibi Music. As always, thanks for listening.