Letter Of (Cyber) Marque And Reprisal
Facilitating future 'hack back' programs
The past couple of years have seen a growing base of "hack back" supporters -- with several new businesses around the globe now presenting their services in a similar vein, each advocating more forceful responses to breaches, such as launching denial-of-service attacks against the attackers, hacking botnet command-and-control servers, embedding exploits in pilfered documents, etc., in an effort to mitigate ongoing threats.
While the service offerings are full of bluster and promise -- arguably to appeal to the media more than to potential customers -- what is clear is that there is a large delta between what is being proposed and what services are actually being delivered on a daily basis. It would seem there is a small problem: what some people would like the laws to be and what they actually are (at this point in time) are two different things. All of which brings me to the discussion of letters of marque.
The concept of "letter of marque," or more precisely "letter of marque and reprisal," has been thrown about now and again in hacking and breach discussions over beers for several years as a novel solution to overcoming the legal shackles holding back the more assertive methods of dealing with a cyberthreat. Given the changing attitude to dealing with persistent threats commonly attributed to China and organized crime, perhaps it is now time to look more seriously at the proposal.
According to the Oxford English Dictionary, the phrase "letter of marque and reprisal" originally referred to "a license granted by a sovereign to a subject, authorizing him to make reprisals on the subjects of a hostile state for injuries alleged to have been done to him by the enemy's army."
It may sound a little outdated, but the U.S. Constitution still provides Congress with the power "To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water" (Article I, Section 8, Clause 11).
Now I'm no lawyer, but even that dated definition resonates with key elements of the threat faced by organizations and private business today. Undoubtedly there are a whole bunch of sticking points that need to be dissected by learned professors of law somewhere, but to laymen looking for a bridge to overcome the cumbersome and outdated laws that prevent them from stopping the next breach by a known and named adversary ... well, the granting of these letters would hold considerable appeal.
I see this approach as being quite different from the vigilante and mercenary alternatives often discussed -- in particular, it would allow an organization to defend itself by taking reprisals in order to prevent an attack from occurring again in the future, and it would require the tendering of a bond to ensure adherence to a code of ethics. I could easily see the likes of Google, GE, Lockheed Martin, Bank of America, etc., employing internal teams and resources to deal with a proven list of cyberadversaries under the guise and bounds of such a letter.
While many would consider the focus to be on the protagonists in what has effectively become an undeclared cyberwar with China, I'd personally be more inclined to focus on the known pirates of the virtual seas of the Internet -- the organized crime units that run, propagate, and capitalize on botnet victims.
The majority of these villains are well-known to threat analysts and law enforcement; however, they operate under the physical protection and immunity of various agencies and governments around the world. A letter of marque and reprisal would go a long way in dealing with these particular pirates.
I'd hazard a guess that within a few short months (given the long leash that a Letter would provide), a more sizable dent could be made in this threat than has been made in the past decade of legal takedowns and prosecutions.
But at the end of the day, the probable issuance of Letters of (Cyber) Marque and Reprisal to U.S. organizations looks to be pretty remote -- at least until some real legal review has been performed, or until vigilantism gets so out of control that an alternative legal avenue is desperately sought.
Gunter Ollmann serves as CTO for IOActive Inc. where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market.