U.S. Bill Proposes Empowering Corporations to Combat Cybercrime

On August 15, 2023, U.S. Representative David Schweikert, a Republican from Arizona, introduced House Resolution 4988, known as the Scam Farms Marque and Reprisal Authorization Act. This proposed legislation aims to empower the President to issue “letters of marque and reprisal” to private companies, allowing them to pursue cybercriminals outside U.S. jurisdiction. Essentially, it would authorize corporations to engage in offensive cyber operations, commonly referred to as “active defense,” against criminal entities operating in regions where law enforcement faces limitations.

The language of HR 4988 is notably broad, permitting entities to “employ all means reasonably necessary to seize outside the geographic boundaries of the United States and its territories the person and property of any individual or foreign government.” This expansive wording raises concerns, as it could enable private actors to take significant actions against foreign entities, including foreign governments, under the designation of a “criminal enterprise.” Although the bill is not expected to pass into law, its introduction reflects a notable shift in U.S. cyber policy and the evolving relationship between government and private sector operations.

Implications of Active Cyber Defense

Historically, the U.S. has not issued letters of marque since the Civil War, primarily due to treaties like the Paris Declaration of 1856. This treaty encouraged nations to abandon privateering practices. While the U.S. did not sign this declaration, the practice of issuing letters of marque has been largely dormant. The current proposal introduces the concept of extraterritoriality, allowing U.S. companies to conduct cyber operations abroad while being shielded from prosecution under U.S. law. However, this protection does not extend to foreign laws, complicating the legal landscape for potential operations.

Advocates for the bill argue that traditional law enforcement methods are often too slow to effectively combat cybercrime, thus justifying the need for private companies to take swift action. Yet, this approach carries significant risks. For instance, if a private company executed a cyber strike against a criminal organization, it could inadvertently disrupt ongoing law enforcement investigations. This scenario raises concerns about the potential for private actions to compromise coordinated efforts to dismantle criminal networks.

As cyber threats transcend borders, collaboration among countries is crucial. In Canada, the Royal Canadian Mounted Police (RCMP) leads efforts against cybercriminals, supported by the National Cybercrime Coordination Centre. Coordinated actions often require extensive planning and cooperation between international agencies, meaning that independent strikes by private companies could hinder effective collaboration.

Future of Private Sector Cyber Operations

The notion of increased private sector involvement in offensive cyber operations is gaining traction. On August 26, at an event hosted by the U.S.-based Center for Cybersecurity and Law, Sandra Joyce, Vice-President of Google Threat Intelligence, announced the creation of a “disruption unit.” This team aims to proactively dismantle cyber threat operations, signifying a shift towards more aggressive corporate cybersecurity measures. Joyce emphasized the need for “legal and ethical disruption,” yet the terminology hints at a more proactive stance against cybercriminals.

Critics argue that without adequate oversight, the actions of private companies could mirror those of cybercriminals, blurring the lines between defense and offense. If HR 4988 were to become law, countries like Canada would have to navigate how to classify these American corporate entities engaged in offensive operations, particularly if their actions affect Canadian citizens or law enforcement.

The implications of such a shift in policy could lead to greater confusion in international relations, especially if private actors are not clearly distinguished from criminal groups. This lack of communication and transparency could undermine global efforts to combat cybercrime and foster distrust among nations.

As Alexander Rudolph, a cyber defense policy analyst and Ph.D. candidate at Carleton University, notes, the evolution of cyber operations is a critical area of study. His research focuses on the strategic doctrines of major cyber powers, highlighting the importance of understanding how nations operate in the digital landscape.

In conclusion, while HR 4988 is unlikely to pass, it serves as a significant marker of the changing dynamics in U.S. cyber policy. The increasing interest from private companies in offensive operations suggests a shift that could redefine the landscape of cybersecurity and international cooperation against cyber threats.