By Rafal Rohozinski

The last time the United States issued letters of marque was during the War of 1812, when privateers supplemented the fledgling American navy against British sea power. Two centuries later, the Trump administration appears determined to resurrect this relic of pre-industrial warfare for the digital age. That Congress is actively building the legislative architecture to enable cyber privateering—even as Russia’s nuclear doctrine explicitly identifies cyberattacks on critical infrastructure as potential triggers for nuclear response—suggests a strategic myopia that borders on the reckless.

As reported in Bloomberg, the forthcoming national cyber strategy reveals an administration seduced by a deceptively simple proposition: America’s formidable private sector cyber capabilities represent an untapped strategic asset. They do. But unleashing them without adequate command, control, and escalation management is not strategic innovation—it is strategic negligence dressed in the language of deterrence.

The Legislative Architecture of Digital Privateering

What makes this moment particularly alarming is the systematic construction of legal infrastructure already underway. The forthcoming strategy document, expected in early January 2025, will not emerge in a vacuum—it will codify an approach already being implemented through a constellation of legislative actions.

The numbers tell the story. The One Big Beautiful Bill Act (Public Law 119-21), enacted in July 2025, allocates $1 billion over four years to boost offensive cyber operations, primarily for U.S. Indo-Pacific Command. An additional $250 million flows to Cyber Command for “artificial intelligence lines of effort.” Yet the same legislation that funds offensive expansion simultaneously slashes approximately $1.2 billion from civilian defensive cybersecurity budgets—money that once protected hospitals, municipalities, and critical infrastructure.

The asymmetry is striking: enhanced capacity to attack abroad while degrading the ability to defend at home.

Representative David Schweikert’s Scam Farms Marque and Reprisal Authorization Act of 2025 (H.R. 4988) goes further still. It would grant the President authority to issue letters of marque against anyone determined to be “a member of a criminal enterprise or any conspirator associated with an enterprise involved in cybercrime who is responsible for an act of aggression against the United States.” The language includes foreign governments. It imposes no limits on the number of cyber privateers the President could commission. The breadth of this authorization is staggering—an open-ended mandate for private cyber warfare with minimal oversight.

The most recent legislative initiative, Representative August Pfluger’s Cyber Deterrence and Response Act of 2025 (H.R. 6309), introduced on November 25, 2025, establishes the bureaucratic framework necessary for coordinated offensive action. The bill would direct the National Cyber Director to designate foreign agencies, individuals and organizations that pose a cyber threat to U.S. interests, creating a “national attribution framework” that explicitly incorporates private sector intelligence into government targeting decisions—a formal pathway for private firms to influence, and potentially benefit from, the designation of targets for offensive operations.

The False Novelty of Private Sector Involvement

Private companies have always been integral to cyber operations. Defense contractors, cybersecurity firms, and technology companies have long provided tools, infrastructure, and intelligence enabling government action. The critical distinction lies in the nature of the proposed relationship. Previous arrangements maintained clear chains of command and legal accountability flowing through government agencies. What is now emerging is fundamentally different: the delegation of warfighting authority to commercial entities operating with substantial autonomy.

The administration has been explicit. NSC senior cyber director Alexei Bulazel told the Billington Cybersecurity Summit in September that the Trump administration is “unapologetically unafraid to do offensive cyber.” At RSA Conference in May, he argued the administration wants to “destigmatize and normalize” offensive cyber as a tool of national power, contending that “not responding is escalatory in its own right.”

The private sector has not waited for formal authorization. Google Threat Intelligence Group VP Sandra Joyce announced in August the formation of a “disruption unit”—”intelligence-led proactive identification of opportunities where we can actually take down some type of campaign or operation.” The administration’s strategy would provide legal cover for precisely this kind of expansion.

The Nuclear Shadow

This is where the strategy’s architects appear to have committed their most consequential oversight.

Russia’s November 2024 revision to its nuclear doctrine explicitly expands conditions under which nuclear weapons might be employed. As the Arms Control Association reported, Putin signed Decree 991 on November 19, 2024, updating the “Basic Principles of State Policy of the Russian Federation in the Field of Nuclear Deterrence.” Paragraph 19c states that Russia reserves nuclear options in response to “attack by an adversary against critical governmental or military sites of the Russian Federation, disruption of which would undermine nuclear forces response actions.”

As analysis from the European Leadership Network confirms, there is wide consensus within the Russian expert community that this includes cyber threats.

The implications are stark: a cyber operation by a U.S. private entity—operating under a letter of marque with substantial autonomy—could be interpreted by Moscow as targeting infrastructure linked to nuclear command and control.

The threat of cyberattack against Nuclear Command, Control and Communications (NC3) has been discussed at length among all five nuclear weapon states, each apparently factoring this threat into their deterrence policies. The United States itself has similar provisions - the 2018 U.S. Nuclear Posture Review identified cyberattacks on NC3 as one form of non-nuclear strategic warfare that could trigger nuclear response. Russia is believed to have planted malware in the U.S. electrical utility grid, possibly intending to cut electricity to critical NC3 facilities during a crisis. Every major power is believed to have crafted cyberweapons aimed at critical NC3 components.

As the United States Institute of Peace analysis notes, Putin’s November 2024 decree dramatically lowered the trigger from “existential threat” to “critical threat to Russia’s sovereignty or territory.” The potential for catastrophic miscalculation is obvious.

The Commercial Blowback

Even setting aside existential risks, instrumentalizing American technology companies as agents of offensive military action will have severe commercial consequences.

The logic is inescapable. The same justification that led the Department of Commerce’s Bureau of Industry and Security to ban Kaspersky from U.S. markets in June 2024—that the company is “subject to the jurisdiction of the Russian Government and must comply with requests for information”—will be applied to American firms once they are formally enlisted in offensive operations. The concept of “military-civil fusion” that the United States has used to justify sanctions against Chinese firms now describes precisely what the administration proposes for American companies.

From 2020 onward, the U.S. imposed sanctions and visa restrictions on Chinese officials and companies for various offenses. Huawei was banned and added to restricted lists. American technology firms can expect reciprocal treatment once they are formally designated as instruments of U.S. cyber warfare.

Any operations to take down adversary infrastructure could put private firms in the crosshairs of foreign government entities, whose intelligence services often use affiliates to carry out their cyberattacks.

The global technology market will respond accordingly. American firms will face sanctions, bans, and accelerated searches for alternatives in markets representing billions in revenue.

A Strategy in Need of Second Thoughts

There is currently no legal basis for private firms to conduct their own offensive cyber operations. The proposed letters of marque mechanism—borrowed from an era when the greatest danger was a boarding party, not thermonuclear war—is woefully inadequate for governing cyber conflict in a world where escalation ladders terminate in extinction-level events.

A general principle of allowing the private sector to hack back would emulate a model previously favored only by adversaries - Russia, China, and Iran. If this alone does not hint that it is probably a bad idea, consider that licensed hack-back policy could throw up paralyzing legal questions, greatly increase the threat of inadvertent escalation between states, and undermine the system of international law that has been the bedrock of U.S. influence for decades.

The legislative trajectory is troubling. The One Big Beautiful Bill Act has already allocated $1 billion for offensive operations while cutting defensive capabilities. The Scam Farms Marque and Reprisal Authorization Act awaits action. The Cyber Deterrence and Response Act would formalize private sector involvement in targeting decisions. Together with the forthcoming strategy, these measures constitute a comprehensive framework for privatized cyber warfare.

The cyber domain desperately needs enhanced deterrence mechanisms and more effective responses to persistent adversary campaigns. But the answer lies in better interagency coordination, clearer rules of engagement, and international frameworks - not in privatizing the authority to conduct acts of war while simultaneously degrading defensive capabilities.

The window for reconsideration remains open, but it is closing. One hopes the feedback period the administration has invited, and the legislative process still to unfold, will produce the sober second thoughts this moment demands.

The consequences of proceeding as proposed range from severely damaging American commercial interests to potentially catastrophic escalation. Neither outcome serves American national security. The stakes could not be higher.

Rafal Rohozinski is the founder and CEO of Secdev Group, a senior fellow at the Centre for International Governance Innovation (CIGI), and co-chair of the Canadian AI Sovereignty and Innovation Cluster.

The Risk Ahead

SecDev’s geopolitical risk practice - builds on three decades of fieldwork across 120+ countries industrialized into on-demand strategic advantage. The era of treating geopolitical risk as an externality is over. Supply chains now span hostile borders, critical technologies depend on adversarial states, and market access hinges on diplomatic whims. What was once the domain of foreign ministries has become every CEO’s problem. SecDev’s Intelligence as a Service delivers tiered, contract-free engagement: from real-time assessments that move faster than markets to deep-dive analysis that uncovers the networks and contacts buried in geopolitical complexity. The question isn’t whether geopolitical shocks will hit your business - it’s whether you’ll see them coming.

Learn More