Trade Cases

Leibowitz on Trade: Cybercrime, Piracy and Letters of Marque

Written by Lewis Leibowitz

Many of you may have sat, like me, in a line to get gasoline this week. It brought back memories of the Arab Oil Embargo of 1973 and the Iranian boycott of 1979. This time, a gasoline pipeline supplying about half of that product to the eastern United States was closed, allegedly due to a cyberattack by criminals based in Russia (or somewhere). Rumors abounded that Colonial Pipeline paid millions of dollars in ransom to recover their computer systems. In the meantime, the pipeline was shut down because the company could not calculate how much gasoline was delivered and to whom.

Cybercrime is a large and growing problem and, at least publicly, no government has announced a plan to combat it effectively. This week, proposals began to appear suggesting that an old tactic, granting “letters of marque and reprisal,” should be resurrected to combat cyber piracy of the kind that snagged Colonial Pipeline.

That suggestion triggered the “history detective” in me. I thought readers would like to know what this proposal might mean for private industry and especially traders—honest traders.

Letters of marque and reprisal are an early example of “public private partnership.” They were documents that authorized private shipowners to attack and capture enemy vessels in time of war, and they also referred to the vessels themselves. A “letter of marque” was a ship that had this authorization. Those ships were also known as “privateers.”

A vessel that did not have a letter of marque could be treated as a pirate ship and prosecuted as such. So that piece of paper was literally the difference between life and death.

Letters of marque were used by the American colonials during the American Revolution, the undeclared war against the Barbary Pirates (1802-1805) and, heavily, during the War of 1812. The private ships were very useful in conflicts between the United States and Great Britain, because the latter had a navy many times the size of the small and ill-armed U.S. fleet. Indeed, the American navy did not surpass the British in size and firepower until after Pearl Harbor.

Basically, the letters of marque worked as follows: Congress would pass a law pursuant to the constitutional power to Grant Letters of Marque and Reprisal (Article I, section 8). The president would then sign letters to each vessel so designated. If the vessel captured an enemy ship it would be taken to a U.S. port and there the Admiralty Court would consider whether the capture was legitimate. If so, the vessel and its cargo would be transferred to the privateer’s owner, leaving the previous owner and the planned purchasers of the cargo with nothing. It was every effective way to encourage private initiative and augment the naval power of the U.S.

Of course, the United States did not invent letters of marque. Such past luminaries as Sir Francis Drake and his benefactor, Queen Elizabeth I, practiced the art very effectively. And British privateers captured many French and Spanish cargoes during the decades of war between 1792 and 1815.

How is all this relevant to cyber warfare in the 21st Century? Well, some have thought about that. An article last week in the Wall Street Journal, “A Maritime Solution for Cyber Piracy,” by Thomas Ayres (May 13, 2021) advocated resurrecting the letter of marque to combat computer hacking, much as privateers combated enemy traders.

It’s tempting to think this would be an advance—but it has many complications. Still, the prospect of a latter-day Errol Flynn fighting for justice on the heavy seas of cyberspace is a pleasing prospect. What would it involve?

If a computer hack (such as the “ransomware” attack on Colonial Pipeline last week) takes place, a letter of marque would permit a private company to capture a foreign software pirate entity, or retaliate against the entity and retain all or part of any financial gain from the “capture” or retaliation. A few issues suggest themselves: (1) how sure does the “privateer” have to be that they have the right pirate?; (2) what sort of retaliation is authorized?; and (3) what sort of court would adjudicate disputes between the privateer and the bad actor, or by rival claimants to the property recovered? It will come as no surprise that people have written about these issues.

More fundamentally, private acts can result in government-to-government conflicts. That can be deadly indeed. An international convention in 1856, at the conclusion of the Crimean War (a war that did not involve letters of marque, by the way) agreed to stop issuing letters of marque to avoid the possibility of wars being initiated as a result of private actions.

Imagine the U.S. or other victim of cyberattack issuing a letter of marque to a cybersecurity firm authorizing that firm to counterattack a cyber-criminal. The official government authorization would permit the country housing the alleged cybercriminal to take the private action of the letter of marque as an act of war.

Reports this week suggested that the perpetrators of the Colonial Pipeline ransomware attack were based in Russia. Perhaps Russia has issued the modern equivalent of a “letter of marque” to these hackers; it’s also possible that the Russian government does not know, or does not care, about these activities. What, then, should the U.S. reaction be to attacks on basic infrastructure? Clearly, the ransomware attack on Colonial Pipeline affected our economy and potentially our security.

We plainly need to think more about these issues. There have been proposals to accuse cybercriminals based on evidence that is less than the criminal standard of guilt (“beyond a reasonable doubt”). Under U.S. law relating to defending against computer crime, private companies are not permitted to “hack back” against computers that are used to hack U.S. companies, although the government apparently is not prohibited from doing so. The new Cybersecurity and Infrastructure Security Agency (CISA), created in 2018, is charged with protecting America’s “critical infrastructure.” CISA is permitted to protect critical infrastructure by going on offense.

There are many issues that need to be discussed and resolved before counter terrorism through private action can be called effective and responsible. In the meantime, companies like Colonial Pipeline need to concentrate on preventing these attacks by keeping up their cyber protection and strengthening their systems. If that proves to be impossible, more private initiatives need to be considered. But please, let’s not start a war over it.

Lewis Leibowitz

The Law Office of Lewis E. Leibowitz

1400 16th Street, N.W.
Suite 350
Washington, D.C. 20036

Phone: (202) 776-1142
Fax: (202) 861-2924
Cell: (202) 250-1551

Lewis Leibowitz, SMU Contributor

Lewis Leibowitz

Read more from Lewis Leibowitz

Latest in Trade Cases