Buccaneer.com 2.0

Fifteen years ago, parallels between the age of piracy and the state of cyber-insecurity illustrated how we might combat malicious online activity by leveraging private resources. While the call to do just that has grown louder over time, there are still those who feel the increased use of private sector resources for computer network operations is a controversial issue. Enthusiasts tend to have a facile understanding of certain absurdities and dangers, while their opposites fail to recognize just how far-gone things are. Privateering is reality. The only outstanding issue is how much autonomy private concerns will be given going forward.

Re-Introduction

Securing resources and technologies that depend on the Internet to function is a national security issue. That hasn’t changed in 15 years.[1] Neither has the fact that cyber threats have grown at a pace that exceeds both government’s and industry’s ability to address them. The cybersecurity market is $156 billion strong,[2] yet victims still fall prey to the same sorts of problems identified decades ago. We have a National Security Agency,[3] Cybersecurity and Infrastructure Security Agency,[4] ISACs,[5] ISAOs,[6] and service and national level cyber commands,[7] but there has been no obvious indication that their existence has made our adversaries – both state and non-state – think twice about conducting offensive actions against us.

We attempt to address these issues at the national level with familiar but flawed ideas like arms control and deterrence, because in policy-making circles we are heavy on students of Kahn and Kissinger and Kennan and light on people who know how the Internet actually works. Concepts like “defend forward” and “persistent engagement” are attempts to improve our ability to display strength, but with no statistics from the government to illustrate how effective such measures are, we are left to look at things like the effects of the scourge of ransomware and assume that while we may have turned the dial up, we’re still closer to 0 than 11.

At the time Buccaneer.com was written, the idea of adopting a privateering model was novel, even if the range of complications was extensive and seemingly intractable. Yet the reality even then was that we could neither defend ourselves nor take the fight to our adversaries if it were not for what are effective combatants who draw their salaries from private payrolls, not the U.S. Treasury.

A Spade by Any Other Name

The word “privateering” in relation to online activity evokes a number of strong emotions and allows imaginations to run wild. Privateering is the employment of private sector resources to conduct activity authorized by the government in furtherance of national policy. It is not restricted to offensive activity, and it is not about acquisition or recovery of “treasure.”[8]

Privateering is not “hack back” – allowing the victims of attacks to attempt to retaliate against their attackers. Hack back is vigilantism: an emotionally satisfying idea, but one that only makes sense if you suspend a great deal of disbelief about the capabilities of the average private concern. Some will look at “privateering” and “hack back” and see a distinction without a difference. But hack back is illegal under 18 U.S.C. 1030,[9] while the government has regularly employed private sector resources in support of national policy since the founding.[10] In this context we just don’t call them privateers, we call them contractors. Viewed through that frame, privateering is not an issue for debate, it is a fait accompli.

Sounds Like a ‘You’ Problem

Most commentators get wrapped around the axle about the idea of privateering because it sounds like we’re outsourcing the right or authority to wage war. Now, the use of Authorizations of the Use of Military Force and not Declarations of War is a serious topic in political circles that – after a 20-year war of great cost and nominal value – needs to be resolved.[11] And the extensive use of private military companies in Afghanistan and Iraq (and the crimes and general bad behaviour of same – proven or alleged) only adds fuel to the fire.[12] So the idea that we would extend that sort of thinking and behavior onto the medium that plays such an increasingly important role in our lives does seem at best irresponsible and at worst catastrophic.

Yet adversary[13] governments[14] have no qualms about using private actors to execute online tactics in support of national policy. The primary reason we look askance at such efforts is that we emphasize the use of private sector resources for defensive or supporting functions,[15] yet every agency with the authority to conduct Computer Network Operations (CNO)[16] does so with the help of contractors. Our offensive power would be a shadow of itself were it not for commercial concerns who can attract and retain the talent necessary to staff an effective capability. If you are at all familiar with the military services’ inability to retain pilots,[17] linguists, or other highly skilled practitioners with rare talents, you understand the dynamics at work.

In fact, if it were not for the defensive role contractors have played over the years, our offensive capabilities may not have evolved as quickly or grown to the size they are today. Government and private sector collaboration (overt or discreet) is laid bare with every indictment filed or accusation levelled against a foreign officer or agent. It is unlikely that all the data necessary to make such statements come exclusively from governmental sources. This is the private sector supplying the government with ammunition of sorts, not treasure.[18]

Westphalia Online: Does Not Compute

Governments do not have a monopoly on the ability to project power online. They never have. In the physical world you might own a gun, but you cannot wage war. The government is the sole arbiter of decisions like that. Yet every conference, panel, seminar, or working group held on these issues always consists of experts in government or policy, not technologists or CNO practitioners. This is why we have so many discussions about “norms” and ideas like a “Digital Geneva Convention”[19] when, if they had invited a few people with online “combat” experience, the folly of that sort of thinking would have been painfully obvious.

It is not that we should not try to make cyberspace a better place, but for everyone who still holds on to those early pipe dreams of what good the ‘Net would do, note that even John Perry Barlow didn’t believe his initial ravings at the end.[20] In fact, the monetization of misinformation,[21] disinformation,[22] deep fakes, and “Q”[23] has almost certainly driven more minds to close than open, and spread more hate than peace, love, and understanding. We dream of Mr. Rogers’ Neighbourhood[24] while we live in Mr. Robinson’s Neighbourhood.[25]

And while cyberspace may have physical underpinnings that can be controlled (or destroyed), the military doesn’t actually have a lot of say when it comes to the control of that environment. The U.S. Air Force cannot control the weather, but they use technology that enables them to fly regardless of the weather. Likewise, Cyber Command doesn’t control the Internet, service providers do, but there is no technology that can help them overcome that issue. We do not know how closely government and telecoms may collaborate, but here is one thing I think we can all agree on: if someone started a “cyber war” that started to interfere with revenue, there is probably an EVP at Verizon or Deutsche Telekom who has more power over the outcome of that conflict than any General does.

Whether we are talking about medieval free lances, or hackers with government sanction, the point of using contractors is the same: it allows the government to put the right – rare – resources against a problem for as long as that problem exists, and to disperse them when the job is done. The use of the private sector to address cyberspace-related issues works well because no government agency can afford to attract and retain the necessary talent for a career,[26] and they most certainly cannot move at Internet speed. Our adversaries know this and embrace it,[27] but we are only now proposing that these ideas be studied.[28]

The Real Issues

The use of private sector resources to support government policy is not controversial; increased autonomy for private sector resources is a very real risk that warrants serious discussion and broad input. Imagine you have the authority and ability to gain access to some of the most sensitive systems a country or state-owned enterprise may have. As we have seen with regards to much more trivial matters, there is a sub-set of people who simply cannot be trusted.[29] Temptation of this sort exists regardless of where your paycheck comes from and no matter how trivial the matter.[30]

Opponents of increased involvement of private actors fear that adding one or more players to the list of belligerents is a sign that government is giving preference to lex talionis over other courses of action.[31] Such a move would certainly stand in contrast to lightweight actions like indictments, but the real danger is not at the national level but the personal one. It is only a matter of time before U.S. CNO practitioners will find themselves the targets of legal (and possibly extraordinary) action by other nations. Ask Michael Spavor or Michael Kovrig how they feel about being pawns in the digital great power competition.[32]

More aggressive activity carried out online by incentivized private actors triggers the hand-wringing crowd, who are concerned about the negative impact of increased adversary activity on the quality of life in a heavily tech-dependent society. Yet they can only point to ‘what ifs’ and short-term examples of their proposed extremes. What is almost universally absent in their calculus is how societies in adversary nations will respond when they find themselves in the same situation, and their response to the actions of their own industry and government. This is not to say that our strategy should be an advanced game of ‘chicken’ but a recognition that good equations have balance.  

It is also important to note that no matter how adversarial your relationship, there is very little value in damage or destruction. Events like Stuxnet or Saudi Aramco[33] are notable for many reasons, not the least of which is that they’re rare. You want the other side to recover because they’re just going to put more valuable resources back online. It might be harder to compromise them, but it is never impossible.

Conclusions

Of the super-power class of nations practicing CNO, we’re the only one debating whether or not the private sector should play a role in CNO, while conveniently ignoring the fact that the private sector is effectively the backbone of our CNO capabilities. It is as if the literal lack of eye patches and parrots is creating some sort of cognitive dissonance amongst otherwise clear-thinking people. Our adversaries are not encumbered with such burdens. They literally wrote the book on this sort of thing decades ago,[34] which we talked about, but then promptly ignored because it ran counter to our preferred way of waging war.

Privateering is still the most feasible approach to the problem, especially given the changing dynamics associated with the projection of power, though one that could have serious repercussions if allowed to expand without careful management and diligent oversight.

The only real alternative to privateering – a large and powerful government enforcement capability – is unlikely. The excessive cost of such a capability and lack of political will are the two key mitigating factors. One need only look to the inadequacy and unoriginality of governmental efforts to retain cybersecurity experts to realize there is no scheme that troops would find attractive that government can afford, or organizations would find palatable on cultural grounds.

A greater level of autonomy amongst private actors would require a strong, independent, and transparent mechanism for oversight. But this begs the question: in the midst of a talent shortage, where would we draw sufficiently skilled and knowledgeable practitioners for an oversight function? Who wants to join the watchers, when the do-ers are making x3 the money?

Our insistence on fighting in a certain way, or viewing issues through frameworks that are understood rather than applicable, is not a uniquely American phenomenon, but one we seem to excel at. By that I mean we would rather subject ourselves to unnecessary misery, expense, and loss over an extended period of time in the name of culture rather than point out imperial nudity. Suffering is not a virtue when justifiable options exist that address the problem as it is, not as we wish it to be.

The argument over privateering has run its course. National insecurity in cyberspace is not a problem that is going to be effectively addressed by a tactic, but by the formulation and application of technically coherent policy. That will not happen without the increased involvement – at a level of parity with those proficient in policy – of those with technical acumen at the strategic level.


[1] https://www.haftofthespear.com/wp-content/uploads/2021/04/Buccaneerdotcom.pdf

[2] https://www.globenewswire.com/news-release/2021/03/17/2194254/0/en/Global-Cybersecurity-Market-Size-to-Grow-at-a-CAGR-of-12-5-from-2021-to-2028.html#:~:text=The%20global%20cybersecurity%20market%20size,the%20global%20market%20for%20cybersecurity.

[3] https://nsa.gov

[4] https://cisa.gov

[5] Information Sharing and Analysis Center https://www.nationalisacs.org/

[6] Information Sharing and Analysis Organization https://www.cisa.gov/information-sharing-and-analysis-organizations-isaos

[7] https://en.wikipedia.org/wiki/United_States_Cyber_Command

[8] https://www.zdnet.com/article/nsa-cybercrime-is-the-greatest-transfer-of-wealth-in-history/#:~:text=NSA%3A%20Cybercrime%20is%20%27the%20greatest%20transfer%20of%20wealth,to%20support%20cybersecurity%20legislation%20being%20pushed%20through%20Congress.

[9] https://uscode.house.gov/view.xhtml?req=(title:18%20section:1030%20edition:prelim)

[10] https://www.history.com/news/american-privateers-revolutionary-war-private-navy

[11] https://www.fcnl.org/updates/2021-04/2002-iraq-aumf-what-it-and-why-congress-should-repeal-it

[12] https://www.researchgate.net/publication/276187873_PRIVATE_MILITARY_CONTRACTORS_WAR_CRIMES_AND_INTERNATIONAL_HUMANITARIAN_LAW

[13] https://www.nytimes.com/2020/03/29/technology/russia-troll-farm-election.html

[14] https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion

[15] https://www.fedscoop.com/recorded-future-cyber-command-contract/

[16] https://apps.dtic.mil/dtic/tr/fulltext/u2/a506188.pdf

[17] https://www.defenseone.com/ideas/2021/04/usafs-bad-bets-pilot-retention-show-it-needs-outside-help/173431/

[18] https://www.scientificamerican.com/article/how-the-chinese-cyberthreat-has-evolved/

[19] https://www.cnbc.com/2018/01/26/microsoft-calls-for-new-digital-geneva-convention-after-spate-of-high-profile-cyberattacks.html

[20] https://www.eff.org/cyberspace-independence

[21] False, inaccurate, or misleading information that is communicated regardless of an intention to deceive. https://en.wikipedia.org/wiki/Misinformation

[22] False or misleading information that is spread deliberately to deceive. https://en.wikipedia.org/wiki/Disinformation

[23] https://en.wikipedia.org/wiki/QAnon

[24] https://en.wikipedia.org/wiki/Mister_Rogers%27_Neighborhood

[25] https://en.wikipedia.org/wiki/Recurring_Saturday_Night_Live_characters_and_sketches_introduced_1980%E2%80%9381#Mister_Robinson’s_Neighborhood

[26] “Contractors are more expensive than employees” is a familiar refrain, but the calculus behind the logic assumes that a soldier or GS employee will stay on the job until they retire, which means the government is on the hook for all those years of salary and benefits, plus their retirement expenses, which could go on for decades. In theory, a contractor may only work on a government project for 4 or 5 years, after which they would move on. That makes them expensive now, but not in the long run. In reality one can complete a career in military or government civilian service and get hired on as a contractor doing effectively the same job, often in the same agency, and log another 20 years supporting government projects. Contractors are more expensive than employees, but then the use of contractors has nothing to do with economics, and everything to do with politics and culture. The government uses

[27] https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF

[28] https://www.meritalk.com/articles/senate-bill-asks-for-dhs-study-on-hack-back-options/

[29] https://www.cnn.com/2013/09/27/politics/nsa-snooping/index.html

[30] https://nypost.com/2021/07/13/facebook-reportedly-fired-52-workers-who-were-caught-spying-on-women/

[31] https://en.wikipedia.org/wiki/Eye_for_an_eye

[32] https://www.nbcnews.com/news/world/canadian-sentenced-11-years-china-spying-case-tied-huawei-n1276524

[33] https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

[34] https://en.wikipedia.org/wiki/Unrestricted_Warfare