For too long the United States has suffered from state-sponsored or state-enabled cybercriminals, while preventing our security professionals from fighting back.
The US should revitalize privateering for the digital age, and there is constitutional support for the practice. In this more academic paper, I dive into the history of letters of marque and how we can use them to combat cybercrime such as ransomware and crypto theft.
There are plenty of people who would love to fight hackers but fear legal retribution; giving them institutional support would enable them to actually effect change.
I am not sure what you are suggesting. Is your call for sanctioning private "hack-backs" of foreign organizations and individuals suspected of ransomware attacks, or is it more generally sanctioning attacks against organizations residing in state entities which are suspected of fostering ransomware groups? The analogy to letters-of-marque would suggest the latter -- it did not matter if you were a peaceful merchant, if you were flying the flag of the enemy you were fair game.
Either one seems to be a terrible idea.
First, attribution of IT attacks is notoriously hard. Sure, in many cases you can see which IP addresses the attacker used, but chances are that they did not use their personal DSL to attack you directly, but attacked you through another victim whose only crime is that it too had insufficient network security.
Second, I do not really see how hacking ransomware groups backed by nation state actors would lead to their arrests. Redirecting plane flights to your own sovereign soil so you can arrest someone is a tactic which was used by several states, but I do not think that it is either feasible or wise to try this purely through software exploits. Nor do I think it is wise to normalize this behavior.
Third, ransomware groups have a much smaller attack surface than their targets. Your Texan municipality likely ran a bunch of services on a shoestring budget, probably based on a Microsoft stack, possibly end-of-life. By contrast, a successful ransomware group will have a security budget per employee that is orders of magnitude higher. They will likely not use Outlook+Office+AD in their network, and might not even use email for internal communication. They will also not run a bunch of half-baked online services to get an appointment at the DMV or whatever. Sure, the NSA might get into their network, but they would also be reluctant to burn through their precious hoarded 0-days to do so.
--
My counter-proposal would be to just criminalize paying the ransom. At the end of the day, ransomware is a coordination problem. If nobody ever paid, it would not be a thing. But once you have been hit with it, it is generally cheaper to pay than to accept an extended outage (at least, if the attacker calculated their ransom correctly). By making the expected costs for paying the ransom higher (e.g. through corporate death penalty or excessive taxes if caught), one can easily adjust incentives for the negative externalities.
More fundamentally, there is the victim's narrative that IT security is impossible in the face of ransomware groups. "We bought advanced endpoint snake oil 2025 enterprise edition and sprinkled it all over our AD, and still we got hacked. This proves that when facing an adversary with a lot of criminal energy, even state of the art cybersecurity is insufficient." Bollocks. If you had spent the kind of money you suddenly had when it came to paying the ransom beforehand, you likely would not have been hacked.