Sunday, September 14, 2025

Will the next cyber threat actors be American corporations?


By Alexander Rudolph   Published September 13, 2025



This article by Alexander Rudolph originally appeared on cyberincontext.ca
Opinions expressed by contributors are their own.

On August 15, U.S. Representative David Schweikert, a Republican from Arizona, introduced House Resolution 4988, the Scam Farms Marque and Reprisal Authorization Act. The bill would let the President issue “letters of marque and reprisal” to private companies, authorizing them to go after cybercriminals outside U.S. borders.

Put simply, it would allow corporations to hack back or launch offensive cyber operations against criminals in places law enforcement cannot easily reach.

This kind of move is often called “active defence.” At its most aggressive, it means “hacking back” or breaking into systems run by cybercriminals to disrupt them. Earlier proposals on this idea have stalled in Congress, but HR 4988 goes further.

The bill states that an entity could “employ all means reasonably necessary to seize outside the geographic boundaries of the United States and its territories the person and property of any individual or foreign government, as applicable….”

That wording is broad. It wouldn’t just cover cyberspace, but could also allow private actors to take almost any action against people or groups abroad, while being protected from prosecution under U.S. law. Scam centres and criminal gangs are listed as targets, but the President alone would decide who or what could be hit. Even foreign governments could be labelled a “criminal enterprise.”

HR 4988 is unlikely to become law, but it signals a bigger shift. Even if it stalls, the fact that such powers are being proposed, and that major tech companies are exploring similar roles, shows how quickly the line between government and private cyber operations is starting to blur.

Normally, a bill like this would not get much attention. But with U.S. politics shifting and democratic norms collapsing, HR 4988 looks different. In particular, compared to the previous, stalled legislation addressing the same topic of hacking back, this new bill would authorize the President to decide who gets letters of marque. The bill explicitly defines “criminal enterprise” to include foreign governments, meaning they could be targeted under this authority.

Earlier this year, Nextgov reported that letters of marque were being looked at again in Washington. Letters of marque are government licences that date back more than 200 years. They allowed private ship owners to act as legal pirates during wartime, attacking enemy vessels, seizing cargo, and keeping part of the profits, all under the protection of their state.

American officials told Nextgov that bringing them back for cyberspace was unlikely, but they also made clear they were considering more aggressive options. That makes HR 4988 less of an outlier and more of a sign of where U.S. policy could be heading.

Is this legal?

The short answer is: it depends.

In the United States, only Congress can issue letters of marque. But HR 4988 would hand that authority to the President, without any oversight.

The U.S. hasn’t issued a letter of marque since its Civil War in the 1860s. One reason is the Paris Declaration of 1856, which pushed countries to give up privateering. The U.S. did not sign that treaty, but the practice fell out of use.

What makes this bill unique is that it introduces something called extraterritoriality. That is a legal term that refers to being exempted from local laws, which is most often associated with ambassadors receiving diplomatic immunity. Extraterritoriality in HR 4988 means a U.S. company could launch a cyber attack abroad and still be safe from prosecution in the U.S.

The bill does not give them protection under foreign law, which is why the focus is on hacking back from the safety of the U.S. Despite this, countries that share a border or are geographically close to the United States would have additional concerns beyond the potential of a cyber attack.

For neighbours like Canada, the risks could go well beyond cyberspace.

Would this disrupt Canada’s law enforcement activities?

It could.

Cybercrime crosses borders and usually requires many agencies working together.

In Canada, the RCMP lead these efforts, supported by the National Cybercrime Coordination Centre. Taking down a criminal group often means months of coordination to track servers, monitor suspects, and time arrests with other countries.

Advocates of hacking back argue that this process is too slow, which is why companies should be able to take action themselves.

But a private strike could easily get in the way of law enforcement. If a cyber attack shut down a server that police were monitoring, it could tip criminals off and delay a bigger takedown.

A lack of structure or oversight is concerning because if a private actor were to target and take down criminal infrastructure, it could disrupt the access law enforcement may have, or lead to criminals changing their methods and delaying a larger takedown by law enforcement.

That risk is one reason many experts oppose letting private actors operate on their own.

What about intelligence organizations and the military?

Law enforcement does most of the work against cybercriminals, but offensive cyber operations (a type of hacking designed to disrupt or dismantle) are normally left to intelligence and military agencies.

In Canada, the Communications Security Establishment (CSE) conducts the majority of Canada’s offensive operations against national security threats, which have included ransomware groups. Offensive operations are complex and labour-intensive, so only a limited number are carried out each year, with even fewer directed at criminal groups.

The time and labour required to perform offensive cyber operations are high, which can contribute to a low volume of such operations conducted by intelligence and military organizations. This gap is often cited by those who argue the private sector should be allowed to hack back.

But even for some of the staunchest supporters of hacking back, the lack of oversight and the unilateral role of United States President Trump give pause and raise concern.

What is the risk HR 4988 becomes law?

The chances are low.

HR 4988 is unlikely to pass, but it may be a signal of where things are heading.

The U.S. has shown growing willingness to act alone in cyberspace, even when cooperation might be more effective. And some tech companies appear to be preparing for a more aggressive future.

On August 26, CyberScoop attended the U.S.-based Center for Cybersecurity and Law’s event on Offensive Cyber Operations. One of the keynote speakers at this conference was Sandra Joyce, Vice-President of Google Threat Intelligence, who stated that Google will be creating a “disruption unit.”

She described it as a team that will look for ways to dismantle cyber threat operations. This could involve exploring methods to proactively prevent the criminal use of their products, rather than waiting for issues to arise.

Google has a massive footprint and has the reach and infrastructure to conduct such activities simply by working within its own cloud infrastructure.

That might mean preventing criminals from exploiting Google’s own cloud systems, but given the setting of the announcement — a conference focused on private-sector offensive operations — the scope could be wider.

Joyce stressed that Google wants to pursue “legal and ethical disruption,” but her language pointed toward more active measures.

Google received considerable attention for this speech, but the desire to be more proactive and conduct offensive cyber operations is one shared by many in the cyber defence industry. Supporters say this sends a strong message to criminals that attacks will not be tolerated. Critics argue that without oversight, there is no guarantee private actors will stay within bounds.

From a law enforcement perspective, a cyber attack by a private company looks no different from one carried out by criminals.

If HR 4988 were to become law, Canada and other countries would have to determine how to treat these new American threat groups, especially in the event that they target Canadians or disrupt Canadian law enforcement activities.

Unless the United States and the private actors conducting these operations establish some means of informing allied governments when such operations are to be undertaken, some countries and government agencies may come to think American private actors are another criminal group.

This would ultimately create greater confusion and fundamentally negate the intentions of reducing cybercrime by introducing more doubt.




Written By Alexander Rudolph
Alexander Rudolph is a cyber defense policy analyst and a Ph.D. Candidate in the Department of Political Science at Carleton University. Alex’s research explores grand strategy, conflict, and competition in cyberspace. His doctoral thesis, “Towards a Strategic Doctrine of Cyberspace,” explores the doctrine, force development, and force structures of offensive cyber capabilities by major cyber powers including the United States, Russia, and China. Alex’s research seeks to improve existing research methods by introducing hacker-informed perspectives to explain how and why countries operate the way they do in cyberspace.






















