Will the Next Cyber Threat Actors be American Corporations?
Here comes extraterritoriality. As the Shadowrun RPG players say: one step closer
All views expressed belong to Canadian Cyber in Context and do not reflect the position of any sponsor.
On August 15, United States Representative David Schweikert, a Republican representing Arizona district 1, introduced House Resolution 4988 - Scam Farms Marque and Reprisal Authorization Act (HR 4988) into the House of Representatives. This proposed legislation would grant the President of the United States the authority to issue letters of marque and reprisal to private entities, enabling them to respond with active measures to cybercrime outside the United States. The intent behind this legislation appears to be to allow organizations to hack or conduct offensive cyber operations against cybercriminals who may be in places that law enforcement is unable to reach.
Responding to a cyber attack with proactive cyber operations and capabilities is often referred to as active defence, which at the most aggressive end of the spectrum can include “hacking back” or conducting offensive cyber operations. The Seriously Risky Business newsletter recently provided a good overview of the United States' legislative history of active defence, but there is one significant aspect of HR 4988 that they and others have overlooked: HR 4988 would allow more than hacking back in cyberspace.
HR 4988 would allow an entity “to employ all means reasonably necessary to seize outside the geographic boundaries of the United States and its territories the person and property of any individual or foreign government, as applicable….”
This would allow private entities to respond in any manner against actors outside the United States without these actions being deemed illegal by the United States federal government. The bill cites scam centers and cyber criminals as a threat to the economic and national security of the United States, but the only constraints on who or what can be targeted would be explicitly determined by the President of the United States. It also makes clear that foreign governments can be deemed a “criminal enterprise” if deemed necessary by the President.
Typically, this would not receive more than a cursory glance, but changing political dynamics in the United States, where democracy is on the decline, raise concerns. In particular, compared to the previous, stalled legislation addressing the same topic of hacking back, this new bill would grant the full authority to determine and issue letters of marque to the President of the United States. This means that it would be the sole discretion of President Trump to deem who can be targeted and how.
In May, Nextgov reported that letters of marque were receiving renewed attention from industry and the new United States administration. At the time, administration officials stated that reviving the 200-year-old letters of marque for privateering in cyberspace is unlikely, but that they are actively investigating more aggressive or proactive means. This shows that HR 4988 is not an outlier, but may be part of a growing policy shift in the United States.
Is this Legal?
Well, it depends.
In the United States, Congress solely holds the authority to issue letters of marque, but HR 4988 would specifically give Congress’ authority to the President without any oversight on behalf of Congress. The United States has not issued a letter of marque since the Civil War (1861-1865), in part because the Paris Declaration Respecting Maritime Law of 1856, a treaty signed by most European countries at the time, created a deterrent against the continued use of letters of marque and privateering. Despite this, the United States has long maintained that it could issue letters of marque if it were deemed necessary.
HR 4988 seeks to create extraterritoriality for those who would be issued letters of marque. Broadly speaking, extraterritoriality refers to the concept of providing legal immunity to local laws. In effect, it would give private actors legal protection in the United States to conduct acts outside the country that would normally be deemed illegal in the United States. This would effectively provide a safe haven to those who conduct cyber attacks or other potentially illegal activities against those that the President of the United States declares a criminal enterprise.
The letters of marque proposed under HR 4988 provide legal immunity for any action taken against cyber criminals in the United States, but the lack of legal protection when outside the United States is why there is a focus on how it would be used to hack back against cyber criminals. Despite this, countries which share a border or are geographically close to the United States would have additional concerns beyond the potential of a cyber attack.
This would be a significant departure from the multi-stakeholder approach that countries and law enforcement have traditionally taken, which is built upon cooperation.
Would this disrupt Canada’s law enforcement activities?
It is possible.
Cybercrime is an international problem in a multi-stakeholder system of public and private systems across many countries and jurisdictions, which means cooperation and partnerships are essential to stopping criminals and cyber threats.
The actions that law enforcement will take to stop cybercrime can vary. Many cases involve activities such as tracking down or identifying the infrastructure or servers used by criminals and contacting the provider to have the services shut down. In the best case, not only are these services shut down, but law enforcement will simultaneously arrest the criminals responsible.
As you are dealing with cyber criminals from all over the world and domestically, this can involve a lot of coordination with multiple agencies to take down a single cyber criminal or group. In Canada, the Royal Canadian Mounted Police is the primary lead in tackling cybercrime and has the National Cybercrime Coordination Centre explicitly dedicated to coordinating such operations with domestic and international partners. Particularly in situations involving multiple law enforcement agencies across multiple countries, this process can be complicated and lengthy. The time it takes for action and the sheer volume of cybercrime and cyber threat activity are among the reasons why proponents advocate for hacking back.

However, one of the primary reasons people oppose allowing private actors to hack back or conduct offensive operations against criminals is that it could disrupt law enforcement's existing efforts to target criminal groups, efforts that could potentially lead to more significant takedowns, or disrupt ongoing operations by law enforcement or intelligence organizations. This is why a lack of structure or oversight is concerning: if a private actor were to target and take down criminal infrastructure, it could disrupt the access law enforcement may have, or lead criminals to change their methods and delay a larger takedown by law enforcement.
What about intelligence organizations and the military?
This could even affect the activities of Canada’s intelligence and military organizations. Although law enforcement conducts the bulk of the work to take down cyber criminals, they typically do not hack back or conduct offensive cyber operations to disrupt cyber criminals. It is typically a country’s intelligence and military organizations that are tasked to conduct hacking operations against national security threats, which are more commonly referred to as offensive cyber operations.
As the intelligence and military’s primary concerns are national security threats to the state, it is not uncommon for them to conduct offensive cyber operations against prolific ransomware criminal groups. In Canada, the Communications Security Establishment (CSE) is Canada’s primary intelligence organization that conducts the majority of Canada’s disruption and offensive operations against national security threats, which have included ransomware groups. The time and labour required to perform offensive cyber operations are high, which can contribute to a low volume of such operations conducted by intelligence and military organizations, with even lower volumes for operations against criminal groups.
This gap in the number of disruption operations is what many cite as a reason that the private sector should be allowed to hack back on its own. However, even for some of the staunchest supporters of this, the lack of oversight and the unilateral role of United States President Trump give pause and concern about how
What is the risk that HR 4988 becomes law?
The risk is low. HR 4988 is not law, and there is a strong likelihood that it will not become law, but HR 4988 may be a signal of what is to come.
The United States government has increasingly shown a willingness to engage in unilateral action internationally despite domestic and international law or facts suggesting different actions are more likely to provide results. Even if HR 4988 does not become law, some major tech corporations appear to be looking to get ahead of the curve. On August 26, CyberScoop attended the US-based Center for Cybersecurity and Law’s event on Offensive Cyber Operations. One of the keynote speakers at this conference was Sandra Joyce, Vice-President of Google Threat Intelligence, who stated that Google will be creating a “disruption unit.”
Joyce stated that Google is taking an intelligence-driven approach to identify opportunities to take down cyber threat operations. This could involve exploring methods to proactively prevent the criminal use of their products, rather than waiting for issues to arise. Google has a massive footprint and has the reach and infrastructure to conduct such activities simply by working within its own cloud infrastructure. However, despite this potential use, the presentation was at a conference focused on the private sector's use of offensive cyber operations, which may suggest that they are considering more than just active defence. Further, Joyce’s statement stressed that Google was looking for “legal and ethical disruption,” which suggests the disruption they seek is more in line with offensive cyber operations.
Google received considerable attention for this speech, but the desire to be more proactive and conduct offensive cyber operations is one shared by many in the cyber defence industry. While there are strong arguments in favour of allowing private entities to conduct such operations, even supporters will agree that they are not a universal tool to fix all cybercrime or cyber threats. Indeed, HR 4988 is a dangerous attempt to let the United States President allow private entities to act as agents of the United States.
Supporters of hacking back cite its ability as a messaging tool to convey to criminals and threat actors that continued aggression in cyberspace is unacceptable. If HR 4988 were to be enacted, it would provide no oversight or process for ensuring that private entities are hacking criminal groups or threat actors. As a result, this would effectively diminish any meaningful messaging to cyber threat actors.
For law enforcement, a private actor conducting a cyber attack on a criminal group is not distinguishable from another criminal. If HR 4988 were to become law, Canada and other countries would have to determine how to treat these new American threat groups, especially in the event that they target Canadians or disrupt Canadian law enforcement activities. Unless the United States and these private actors conducting these operations establish some means to communicate and inform allied governments when such operations are to be undertaken, it may lead to some countries and government agencies thinking American private actors are another criminal group. This would ultimately create greater confusion and fundamentally negate the intentions of reducing cybercrime by introducing more doubt.