The Exceptionalist's Approach to Private Sector Cybersecurity: A Marque and Reprisal Model Open Access
As practitioners and academics debate our nation's cybersecurity policy, the focus remains upon our national security interests, as the federal government lacks the resources and people to protect all areas of society. However, this approach largely ignores the private sector despite an estimated global loss of one trillion dollars annually to cyberattacks and exploitations. Moreover, current domestic and international law does little to provide self-defense options for the private sector. Private entities cannot utilize Article 51 of the U.N. Charter as they are not members of the United Nations. The European Convention on Cybercrimes lacks the global acceptance required to provide enforcement of its provisions and deterrence from future attacks. The Computer Crimes and Fraud Act, designed to protect computers from cyberattacks and cyber-exploitations, does not exclude computers engaged in illegal conduct from the definition of a "protected computer." Further, the act does not provide any self-help remedy for those victimized by an attack. These shortcomings leave victims of cyberattacks and exploitations helpless in defending against such attacks.

To respond to this cybersecurity gap, this article uses Professor David Post's Exceptionalist and Unexceptionalist as a framework in the debate over cybersecurity. This article notes that previous cybersecurity policies were based upon an Unexceptionalist approach; that is, applying laws of the physical world to cyberspace. These policies have failed to gain wide acceptance because the laws in the physical world do not scale to cyberspace. I propose an Exceptionalist approach to the private sector cybersecurity gap. I recommend the government authorize private entities to engage in uses of force, consistent with the Constitution and international law, to provide the private sector adequate means to defend against cyberattacks and exploitations.
This model is patterned after letters of marque and reprisal used effectively in the infancy of the United States, but long since outmoded in the world today. This article argues that modeling a policy after letters of marque and reprisal results in a body of law scalable to the uniqueness of cyberspace. In reaching this opinion, I examine the prior use of letters of marque and reprisal by the United States. In regulating "cyberteers," Congress should limit responses to three levels of force that could be regulated by an agency under the Department of Homeland Security. The three levels of authorized force would correspond to increasing evidentiary burdens before action could be taken, ranging from probable cause to clear and convincing evidence. This article then examines the legality of the proposal under international and domestic law. Under international law, I examine the applicability under the U.N. Charter and the Hague Convention (V). Under domestic law, I examine concerns regarding individual privacy rights pursuant to the Fourth Amendment and other relevant privacy acts. Finally, this article concludes that while the proposal is constitutional and conforms to international and domestic law, the major hurdle to its implementation is the Unexceptionalist's unwillingness to recognize that cyberspace is unique and requires an Exceptionalist's approach.