June 10, 2020 Feature

Cyber Privateers: Protecting American Intellectual Property from Cyber Theft

Allen Loayza

©2020. Published in Landslide, Vol. 12, No. 5, May/June 2020, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.

Over the last decade, cyberattacks have increased exponentially, and cyber theft is now the “fastest-growing crime in the U.S.”1 As the number of attacks has increased, the damage caused by these attacks has also risen, with Cybersecurity Ventures predicting that the costs of cybercrime would double from $3 trillion in 2015 to $6 trillion annually by 2021.2 These costs include the loss of intellectual property such as computer software, confidential data, and other sensitive information, which by some estimates can comprise “more than 80 percent of a single company’s value today.”3

Which Countries Have the Most Advanced Cyber Warfare Capabilities?

Events such as the airstrike on January 3, 2020, that targeted Iran’s General Soleimani,4 and reports that Russia invested significantly in building “large-scale espionage capabilities” to interfere in the 2020 U.S. elections,5 are bringing renewed attention to the threat of cyberattacks and the vulnerability of American companies to such attacks. This renewed focus has highlighted the potential for future attacks, with adversaries of the U.S. accounting for four of the seven countries believed to have the most advanced cyber warfare capabilities: Iran, Russia, China, and North Korea.6

Iran has been the focus of considerable speculation as to how it will respond to the targeting of General Soleimani. Jon Bateman, a former Defense Intelligence Agency expert on Iran’s cyber forces and now a cyber policy fellow for the Carnegie Endowment for International Peace, declared that “a cyberattack should be expected.”7 Iran began seriously building its cyber war capabilities almost 10 years ago, after experiencing a cyberattack where a computer virus, Stuxnet, infiltrated and destroyed one-fifth of the centrifuges used in its nuclear program.8 Currently, Iran’s preferred methods of cyberattack include denial of service attacks, data-destroying malware, and social media disinformation campaigns.9

Early in 2019, Iran was the subject of an alert by U.S. Cyber Command, warning that Microsoft Outlook users were potentially vulnerable to cyberattacks by a group of Iranian hackers known as APT33.10 One notable difference in this case from previous attacks was the response, which involved the U.S. launching a cyberattack that “disabled computer systems used by Iran’s Islamic Revolutionary Guard Corps to control rocket and missile launches.”11 What is most significant about the incident is that the U.S. response was officially publicized and could indicate a shift for the U.S. when responding to such attacks.12

Yahoo experienced an attack on its systems in 2014; four people were indicted in 2017 by the Department of Justice (DOJ) for the attack.13 Two of the four people indicted were senior officials at the Federal Security Service, which is the principal security agency of Russia.14 In the indictment, the DOJ alleged that the criminals responsible for the attack collaborated with the two senior Russian officials to target Russian journalists, politicians, and citizens, as well as a broader effort to defraud Yahoo users.15 Yahoo also experienced separate attacks in 2013 and 2016, which the FBI believes were tied to Russia.16 These attacks were quite costly to Yahoo, ultimately resulting in Verizon paying $350 million less than planned to acquire Yahoo.17 The Yahoo hack also exposed the ties between Russian intelligence services and criminal groups, with U.S. and British intelligence officials estimating that Russia now has over two dozen criminal organizations with cyber capabilities that are equal or superior to most governments.18

In 2017, the Russian government was again suspected of involvement in a major cyberattack against Equifax.19 Among investigators with a background in intelligence, a leading theory is that the breach was initially accomplished by an inexperienced hacker who was able to infiltrate Equifax’s systems but could not delve deeper into its systems.20 Instead, it is suspected that the hacker sold information about the infiltration to a Russian or Chinese buyer and that the stolen data is being used to identify potential U.S. spies.21 Additionally, the financial information acquired could be used to turn Americans into agents of a foreign government, because financial strain is a common reason for why people commit espionage.22 Nigel Inkster, a former senior official at Britain’s MI6, predicted that “for the foreseeable future [the Russian government’s] behaviour in the cyber domain is going to be even more flagrant.”23 Experts believe that the sheer scale of the breach—143 million individual records containing valuable and sensitive personal data—will inevitably result in further cybercrime attacks, including attacks targeted toward specific individuals and organizations.24 In January 2020, a federal grand jury indicted four members of China’s military for involvement in the Equifax hack.25

In 2010, U.S. Steel had an intrusion into its network in which hackers stole proprietary information to give Chinese steel companies a competitive advantage.26 The DOJ eventually indicted five members of China’s People’s Liberation Army in 2014 for stealing the intellectual property of U.S. Steel, Westinghouse Electric, and Alcoa.27 Jon M. Huntsman Jr., former ambassador to China, commented that “China is two-thirds of the intellectual property theft problem, and we are at a point where it is robbing us of innovation to bolster their own industry, at a cost of millions of jobs.”28 This statement is corroborated by DOJ statistics showing that since 2012, more than 80 percent of federal economic espionage cases involve China.29 Further, FBI Director Christopher Wray’s testimony in July 2019 before the Senate Judiciary Committee confirmed that there are over 1,000 intellectual property theft investigations underway with “almost all leading back to China.”30

Marriott International’s Starwood reservation system was hacked as early as 2014, but the breach was not discovered until 2018.31 Officials briefed on that investigation stated that the hackers were suspected of working for China’s internal spy agency, the Ministry of State Security.32 The suspected hackers were part of an operation that stole personal information on approximately 500 million Marriott guests, as well as separately hacking health insurers and stealing the security clearance files of several million Americans.33 One explanation for why Marriott was targeted is that it is the leading hotel provider for U.S. government and military officials, and the Marriott reservation system held information that included credit card and passport information.34

North Korea is suspected of involvement in two ransomware incidents in 2017, where hackers encrypted and denied access to company information until the companies paid a ransom to unlock their data.35 The first attack was against IDT Corporation, an American telecommunications company. The ransom demand was a cover for a more targeted attack to gain employee credentials for IDT’s network.36 The second attack was the much-publicized WannaCry attack, which was a ransomware attack that locked up hundreds of thousands of computers around the world until a ransom was paid.37 Interestingly, the WannaCry hackers used the same servers as the attackers in the hack of Sony Pictures Entertainment in 2014.38

How Should the U.S. Respond to Cyberattacks?

U.S. Department of Defense cyber policy has been evolving since 2011 when the Pentagon issued its first formal cyber strategy.39 The necessity and urgency of an overall strategy had been building at the Pentagon since 2008 when a military computer system was breached and military contractors such as Lockheed Martin experienced repeated cyberattacks.40 The Pentagon also slowly realized that while civilian and military infrastructure had grown more dependent on cyberspace, the security and defense of these systems had not kept pace with the threat from hackers.41 Importantly, the new strategy, for the first time, made a finding that a cyberattack from another country against the U.S. could constitute an act of war.42

The Pentagon cyber strategy was updated in 2018 and included two important objectives when discussing U.S. national security and the need to protect critical infrastructure and deter aggression by adversaries.43 The first objective is the need to “defend forward” to stop or impede cyberattacks and to “preempt, defeat, or deter malicious cyber activity targeting U.S. critical infrastructure that could cause a significant cyber incident.”44 The second objective is the need to expand cooperation and “build trusted relationships” between the Pentagon and the private sector, which owns and operates the majority of U.S. infrastructure, and to “carry out deliberate planning and collaborative training” between the Pentagon, private sector entities, and other federal departments and agencies.45

Understanding the Pentagon’s first cyber strategy objective requires defining the terms and concepts in use. “Defending forward” is best understood as the intent to “disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”46 A related concept is “active cyber defense” or “hacking back,” which is defined as:

[T]he synchronized, real-time capability to discover, detect, analyze, and mitigate threats. It operates at network speed using sensors, software and intelligence to detect and stop malicious activity ideally before it can affect networks and systems. While intrusions may not always be stopped at network boundary, an entity may operate and improve upon its advanced sensors to detect, discover, map, and mitigate malicious activity on an entity’s network.47

Although the terms are somewhat interchangeable, “defending forward” refers to a much broader and more proactive set of actions than “active cyber defense.” “Defending forward” may also be more likely to escalate a situation because the goal is to stop malicious activity at its source, which could entail retaliatory action against a hacker’s network and systems.48 As cyberattacks have increased, U.S. companies have begun taking precisely this kind of retaliatory action, using “active defense” or “strike-back” technology.49 There are no statistics as to how many companies are using or have used this “active defense” technology, as retaliatory measures are usually not publicized. However, some large companies, such as Facebook, have taken steps to publicly identify the hackers that are compromising their networks.50

The Pentagon’s second cyber strategy objective—to increase and expand the role of private entities in protecting cyberspace, including planning and training—surfaces periodically in public discussions, and then disappears with little to no progress. Janet Napolitano, then secretary of the Department of Homeland Security, acknowledged back in 2012 that “officials had been contemplating authorizing even ‘proactive’ private-entity attacks.”51 That same year, former NSA director Kenneth Minihan stated, “It’s time to have the debate about what the actions would be for the private sector.”52 Attempts to involve private entities in cyber defense have looked to the similarities that cyberspace has with other environments and to analogs in U.S. history, with the oceans of the world being one such environment and analog.53

Admiral Mike Rogers, second commander of the U.S. Cyber Command, made this comparison directly when he stated, “The [high] seas around the world are, much like the cyber domain, not governed by one single nation. We have created maritime norms and have to do the same in the cyber space to ensure a flow of information and ideas.”54 The comparison between cyberspace and the high seas is apt, as the military faces challenges in cyberspace today that parallel the challenges faced with the oceans in early American history.55 The Pentagon’s efforts to achieve dominance in cyberspace should be guided by its previous experiences in gaining dominance over the oceans, where the U.S. Navy relied heavily on privateers to gain “superiority of the ocean environment.”56

What Are Privateers, Letters of Marque and Reprisal, and Prize Law?

Privateering has a long history and was most commonly used by nations between the 13th and mid-19th centuries.57 Privateers were “armed vessel[s] owned and officered by private persons, and holding a commission from the government, called ‘letters of marque,’ authorizing the owners to use it against a hostile nation, and especially in the capture of enemy merchant shipping.”58 A letter of marque is “[a] license authorizing a private citizen to engage in reprisals against citizens or vessels of another country.”59 Letters of marque are what distinguished a privateer from a pirate.60 The U.S. Constitution explicitly grants Congress the power “[t]o declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water.”61 Thus, letters of marque are still authorized under U.S. law to allow private vessels to seize pirate ships.62 Letters of marque gave the U.S. government great flexibility in conducting foreign affairs and were at times issued even when there was no formal declaration of war.63

Privateers faced significant regulations, “including highly detailed and precise requirements for legal captures that were, in turn, subject to rigid enforcement in specialized prize courts.”64 Prize courts used prize law, a subset of maritime law, to regulate the capture and retention of assets seized on the high seas.65 Privateers were also required to post bonds.66 Any improper conduct by the privateer could result in the loss of the bond, their commission, and their cargo.67 Violations of the restrictions laid out in the letter of marque could also require the privateer to pay reparations to victims.68 This combination of heavy regulation, detailed and specific requirements in letters of marque, the posting of bonds, and the use of specialty courts all ensured that the privateering system would work as intended and privateers would be subject to oversight.69

Cyber Privateers, Cyber Letters of Marque, and Cyber Prize Law

Implementation of letters of marque would have to include specific criteria for when, how, and to what extent a cyber privateer could conduct operations.70 The most fundamental criteria would be a reasonable belief that the suspected hackers are responsible for a specific attack. Other examples include categorizing hacking incidents on a spectrum with escalating levels of evidentiary proof needed to assign blame—thereby making the assignment of culpability more transparent and minimizing the possibility of misidentifying perpetrators. Criteria for letters of marque should also consider the four principles of self-help, proportionality, sovereign control, and qualification.71 Defining guiding principles for the requirements that letters of marque would contain could help minimize possible negative consequences of hacking back, such as collateral damage, escalation of incidents, and rogue privateers.

The principle of self-help defines the responsibilities required of the party experiencing a cyberattack.72 While any company can (and may) suffer a cyberattack at some point, reasonable security measures must be taken by any company seeking to use the services of a cyber privateer. While not an all-encompassing list, reasonable security measures would necessarily include properly configured firewalls, adequate authentication systems, and up-to-date patches on computers.73 Fortunately, most large U.S. companies are already taking steps to implement “reasonable security” because this is a requirement for regulations set by the California Consumer Privacy Act.74

The principle of proportionality defines the scope of actions permitted by the letter of marque.75 Cyber privateers could only take steps that are “equal to or less than the actions taken” by the hacker.76 This principle is essential because of the ever-present risk that responses to cyberattacks will lead to a cycle of response and counter-response with escalating severity, leading to modest attacks spiraling out of control to more challenging situations.

The principle of sovereign control defines how U.S. law would regulate the actions of cyber privateers and minimize collateral damage.77 Cyber privateers would be required to post a bond and abide by highly detailed operational rules to receive a letter of marque. The letter of marque would also include adequate controls to limit the actions a privateer could take, as well as the duties owed to the people whose systems they infiltrate and any uninvolved third parties.78 Cyber prize courts could be created to interpret letters of marque, judge compliance by cyber privateers, and adjudicate disputes between privateers and third parties. These courts would be similar to specialty courts like FISA courts, bankruptcy courts, and tax courts that have been used in other contexts.79 An excellent example of just such a licensing process is the system some states use for bounty hunters, who are legally authorized to capture fugitives and receive payment for such captures.80 Bounty hunters have “police-like powers” but face lesser restrictions than law enforcement when pursuing fugitives.81 Some states even require bounty hunters to be licensed, and the state can revoke a license for “incompetence, untrustworthiness, or unsuitability.”82

Lastly, the principle of qualification defines the minimum level of skill and expertise that a cyber privateer must have to receive a letter of marque.83 Necessarily, this principle would encompass the means needed to verify a privateer’s level of skill and expertise through some certification process.84 Publicizing who cyber privateers are, what their certification level is, and the specifics of the letters of marque would build trust in both the system of regulation and the qualifications of cyber privateers by prioritizing transparency. One approach would be to use blockchain technology to create a central registry that contains this information in a way that is transparent, immutable, and searchable by the public.


For at least the last decade, the United States has been in a state of low-level cyber war. Foreign nations have hacked and infiltrated American companies to steal intellectual property and gain competitive advantages. General Keith Alexander once called this theft the “greatest transfer of wealth in history.”85 Government agents from foreign countries, in collaboration with criminal organizations and nonstate hackers, have repeatedly conducted cyberattacks with little to no repercussions for the hackers themselves or the nations supporting them.

Allowing private individuals and companies to receive immunity for active cyber defense and hacking back activities would help protect American interests and the intellectual property of American companies by leveling the playing field regarding the use of nonstate actors. It would also serve as a deterrent to the actions of hackers from hostile nations. Just as privateers assisted U.S. Navy efforts until the Navy was able to attain dominance of the seas independently, so too can cyber privateers assist the efforts of the Pentagon as the U.S. attempts to attain dominance in cyberspace.


1. Abigail Summerville, Protect against the Fastest-Growing Crime: Cyber Attacks, CNBC (July 25, 2017).

2. Cybersecurity Ventures & Herjavec Grp., 2019 Official Annual Cybercrime Report 2 (Steve Morgan ed., 2018).

3. Emily Mossburg et al., The Hidden Costs of an IP Breach: Cyber Theft and the Loss of Intellectual Property, 19 Deloitte Rev. 106, 107–08 (2016).

4. Tony Romm et al., “A Cyberattack Should Be Expected”: U.S. Strike on Iranian Leader Sparks Fears of Major Digital Disruption, Wash. Post (Jan. 3, 2020).

5. Zak Doffman, Russian Secret Weapon against U.S. 2020 Election Revealed in New Cyberwarfare Report, Forbes (Sept. 24, 2019).

6. Keith Breene, Who Are the Cyberwar Superpowers?, World Econ. F. (May 4, 2016).

7. Romm et al., supra note 4.

8. Sara Morrison, The US Is Worried about Iran Retaliating with a Cyberattack, Vox: recode (Jan. 7, 2020).

9. Steve Ranger, Disk-Wiping Malware, Phishing and Espionage: How Iran’s Cyber Attack Capabilities Stack Up, ZDNet (Jan. 7, 2020).

10. Zak Doffman, U.S. Military Warns Outlook Users to Update Immediately over Hack Linked to Iran, Forbes (July 3, 2019).

11. Zak Doffman, U.S. Attacks Iran with Cyber Not Missiles—A Game Changer, Not a Backtrack, Forbes (June 23, 2019).

12. Id.

13. Sam Jones et al., Licensed to Hack: The Rise of the Cyber Privateer, Fin. Times (Mar. 16, 2017).

14. Id.

15. Press Release, U.S. Dep’t of Justice, U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts (Mar. 15, 2017).

16. Law Enforcement Says Yahoo Account Hacks Were Likely Sponsored by Foreign Government, CBS News (Dec. 15, 2016); Martyn Williams, Inside the Russian Hack of Yahoo: How They Did It, CSO (Oct. 4, 2017).

17. Ingrid Lunden, After Data Breaches, Verizon Knocks $350M off Yahoo Sale, Now Valued at $4.48B, TechCrunch (Feb. 21, 2017).

18. Jones et al., supra note 13.

19. Kate Fazzini, The Great Equifax Mystery: 17 Months Later, the Stolen Data Has Never Been Found, and Experts Are Starting to Suspect a Spy Scheme, CNBC (Feb. 13, 2019).

20. Id.

21. Id.

22. Id.

23. Jones et al., supra note 13.

24. The Equifax Breach: Consequences, Implications, and Sequelae, CyberWire (Apr. 11, 2019).

25. Press Release, U.S. Dep’t of Justice, Chinese Military Personnel Charged with Computer Fraud, Economic Espionage and Wire Fraud for Hacking into Credit Reporting Agency Equifax (Feb. 10, 2020).

26. Dave Aitel, Cyber Deterrence “At Scale,” Lawfare (June 10, 2016).

27. Press Release, U.S. Dep’t of Justice, U.S. Charges Five Chinese Military Hackers for Cyber Espionage against U.S. Corporations and a Labor Organization for Commercial Advantage (May 19, 2014).

28. David E. Sanger, As Chinese Leader’s Visit Nears, U.S. Is Urged to Allow Counterattacks on Hackers, N.Y. Times (May 21, 2013).

29. Nicole Hong, A Military Camera Said “Made in U.S.A.” The Screen Was in Chinese, N.Y. Times (Nov. 7, 2019).

30. Steven T. Dennis, FBI Chief Says China Is Trying to “Steal Their Way” to Dominance, Bloomberg (July 23, 2019).

31. Nicole Perlroth et al., Marriott Hacking Exposes Data of Up to 500 Million Guests, N.Y. Times (Nov. 30, 2018).

32. David E. Sanger et al., Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies Crackdown on Beijing, N.Y. Times (Dec. 11, 2018).

33. Id.

34. Id.

35. Nicole Perlroth, A Cyberattack “the World Isn’t Ready For,” N.Y. Times (June 22, 2017).

36. Id.

37. Nicole Perlroth, More Evidence Points to North Korea in Ransomware Attack, N.Y. Times (May 22, 2017).

38. Id.

39. Siobhan Gorman & Julian E. Barnes, Cyber Combat: Act of War, Wall St. J. (May 31, 2011).

40. Id.

41. Id.

42. Id.

43. U.S. Dep’t of Defense, Summary: Department of Defense Cyber Strategy (2018).

44. Id. at 2.

45. Id. at 5.

46. Id. at 1.

47. Paul Rosenzweig, International Law and Private Actor Active Cyber Defensive Measures, 50 Stan. J. Int’l L. 103, 105 (2014).

48. Lyu Jinghua, A Chinese Perspective on the Pentagon’s Cyber Strategy: From “Active Cyber Defense” to “Defending Forward,” Lawfare (Oct. 19, 2018).

49. Joseph Menn, Hacked Companies Fight Back with Controversial Steps, Reuters (June 17, 2012).

50. Id.

51. Id.

52. Id.

53. B. Nathaniel Garrett, Taming the Wild Wild Web: Twenty-First Century Prize Law and Privateers as a Solution to Combating Cyber-Attacks, 81 U. Cin. L. Rev. 683, 690–91 (2013).

54. Florian J. Egloff, Cybersecurity and the Age of Privateering, in Understanding Cyber Conflict: Fourteen Analogies 231, 231 (George Perkovich & Ariel E. Levite eds., 2017).

55. Garrett, supra note 53, at 691.

56. Id. at 691–92.

57. Egloff, supra note 54, at 231.

58. 2 Oxford English Dictionary 1389 (compact ed. 1971).

59. Letters of Marque, Black’s Law Dictionary (11th ed. 2019).

60. Garrett, supra note 53, at 688.

61. U.S. Const. art. I, § 8, cl. 11.

62. 33 U.S.C. § 386.

63. William Young, A Check on Faint-Hearted Presidents: Letters of Marque and Reprisal, 66 Wash. & Lee L. Rev. 895, 906 (2009).

64. Theodore T. Richard, Reconsidering the Letter of Marque: Utilizing Private Security Providers against Piracy, 39 Pub. Cont. L.J. 411, 433 (2010).

65. Garrett, supra note 53, at 687–88.

66. Richard, supra note 64, at 433.

67. Id.

68. Lucian Rombado, Grant Cyber Letters of Marque to Manage “Hack Backs,” U.S. Naval Inst.: Proc. (Oct. 2019).

69. Richard, supra note 64, at 455 n.344.

70. Michael Tanji, Privateering as a Solution to Cyberspace Threats, Medium (July 8, 2014).

71. Id.

72. Id.

73. Id.

74. Abraham Kang, What Is “Reasonable Security”? And How to Meet the Requirement, CSO (Apr. 23, 2019).

75. Tanji, supra note 70.

76. Id.

77. Id.

78. Id.

79. Garrett, supra note 53, at 706.

80. Richard, supra note 64, at 452.

81. Id.

82. Id.

83. Tanji, supra note 70.

84. Id.

85. Josh Rogin, NSA Chief: Cybercrime Constitutes the “Greatest Transfer of Wealth in History,” Foreign Pol’y: Cable (July 9, 2012).


Allen Loayza is a third-year student at Northeastern University School of Law and has a strong interest in IP litigation. Prior to law school, he was a programmer and entrepreneur who successfully founded two internet-related startups.