Has The Time Come For Cyber Bounty Hunters?
The Colonial Pipeline shutdown last week raised troubling questions. How vulnerable is our own infrastructure to cyber attacks? Should cyber pirates be paid, as they were by the Colonial Pipeline authorities?
Most importantly: What can we do to prevent such attacks?
Incentives usually work.
I wrote about this in Chapter 13 of my newest book, Scam-Proof Your Assets: Guarding Against Widespread Deception.
A bounty hunter is someone who captures criminals for a “bounty,” a payment for providing a public service.
In the Old West, local sheriffs were sometimes unable to track down outlaws alone. They couldn’t do that and protect their town at the same time. So they put up wanted posters offering rewards for an outlaw’s capture, Dead or Alive. Bounty hunters responded, and tracked down the outlaws for the reward. For example, the reward for the capture of Jesse James was $5,000, an enormous amount of money at that time, equal to over $112,000 in today’s dollars.
Although the term “bounty hunter” evokes images of vigilantes in the Old West, it was not in use in this context in the 1800s. Rather, the term relating to “one who tracks down and captures outlaws” arose around the 1950s in pulp fiction and Hollywood westerns. In 1954, Elmore Leonard published The Bounty Hunters. In the same year, The Bounty Hunter, a western film, was released by Warner Brothers. The movie, starring Randolph Scott, was the first film to feature a bounty hunter as its hero. Have Gun-Will Travel was an American Western series that was broadcast by CBS on both television and radio from 1957 through 1963. The TV series featured Richard Boone as Paladin, a gentleman gunfighter who typically charged $1,000 per job and traveled around the Old West working as a mercenary for hire. Similarly, Wanted Dead or Alive was a CBS bounty hunting Western airing from 1958 through 1961. Recently, Leonardo DiCaprio played Rick Dalton, the fictional TV star of Bounty Law in Quentin Tarantino’s Once Upon a Time…in Hollywood.
In modern times, bounty hunters generally are known as bail enforcement agents, and they mostly carry out arrests of criminal defendants who have skipped bail and failed to appear at their trials. In some states there is no formal training for bail enforcement agents, and they are unlicensed. In other states, there are varying standards of training and licensing. The state of Nevada has very strict statutory and administrative requirements for bail enforcement agents. The risks can be great.
Local law enforcement agencies also offer rewards in high-profile cases. Funding sometimes comes from outside private donors who provide money to help solve specific crimes. As well, some cities and towns have set up Crime Stopper programs for anonymous tips.
Incentives also work in the field of cyber security. Governments and private companies offer “bug bounty” programs where monies are paid to ‘white hat hackers’ to identify weaknesses within a security or computer system.
A white hat hacker, or ethical hacker, is a good guy. They operate with the system owner’s permission to conduct penetration testing, vulnerability assessments and the like. Black hat hackers also harken back to TV Westerns, where the bad guy was easily identifiable by the black hat he wore. Black hatters are motivated by financial gain, anger at the system and the thrill of cybercrime, among other reasons. As we have learned throughout this book, the black hats wreak havoc in every corner of society.
Since not everything in life is just black and white, there are also grey hat hackers. As an example of their work, they will search for system vulnerabilities without an owner’s permission. If they find an issue, they will ask the owner for a fee to fix it. If the owner won’t pay, they sometimes post the vulnerability for the web to see. While not black hat pernicious in their intent, their hat is grey since they didn’t have the owner’s permission to begin with.
White hat hackers can be well compensated. In recent years the Department of Defense has paid out over $500,000 annually to white hatters for uncovering thousands of vulnerabilities under the Hack the Army, Hack the Air Force and Hack the Marine Corps programs. The Department of Homeland Security has established a bug bounty program to minimize internet security problems within their own systems.
Private companies also fund their own bug bounty programs. Apple offers a maximum payout of $1.5 million. In 2019, Google paid out $6.5 million to 461 researchers for their vulnerability assessments.
HackerOne is a founding member of Internet Bug Bounty (IBB), a bug bounty program designed for core internet infrastructure projects. IBB was started by hackers and security providers who were interested in making the internet safer. IBB partners with the global hacker community in order to discover security issues for its customers before these issues can be exploited by cyber criminals.
HackerOne claims to be the number one hacker-powered bug bounty platform in the country. They have launched more federal programs, including Hack the Pentagon, than any other service.
If bounty programs work for tech savvy hackers, why not for sophisticated hunters? Incentives work. The government could certainly expand existing bounty programs to bring in cyber criminals. To be certain there are legal issues to be worked out, but when compared to the lawlessness and impunity with which internet crime is committed, the legal issues seem small.
In fact, the U.S. Constitution allows for bounty hunters. Article 1, Section 8 gives Congress the power in Clause 11 to grant Letters of Marque and Reprisal. At the founding, many sovereign nations issued such letters, which allowed private parties (or “privateers”) to engage in hostile, for-profit acts against state enemies. In many cases, the state and the privateer shared the spoils. The most successful team was Sir Francis Drake, who scored lucrative hits on Spanish shipping, and Queen Elizabeth, who both feigned innocence to other monarchs and gladly took her cut of all the gold and silver. The difference between piracy, a hanging offense, and privateering (or benefitting from private ships of war) was having “letters of marque” sanctioning the bounty.
Article 1, Section 8, Clause 11 is often referred to as the War Powers Clause. It vests in Congress the power to declare war and grant letters of marque and reprisal. So Congress would have to approve the bounties.
But in a new world of extraterritorial threats, including terrorism and cyber havoc, the Constitution clearly allows a mechanism for the country to defend itself using sanctioned private actors. Letters of marque against a broad profile of hostile individuals, organizations and cyber bad actors would save the nation trillions in fighting undeclared wars and occupying countries that don’t want to be occupied. Letters of marque would target bad actors wherever they are found, offering great tactical flexibility. The U.S. has plenty of trained individuals to perform the work, privately defending the country and its citizens for a just reward.
Some commentators are adamantly against the idea of cyber bounty hunters. They note that active hacking, or going on the offense, is illegal under the Computer Fraud and Abuse Act. Even if someone in the private sector has been hit by a black hatter, opposing commentators claim there is no legal authority to hack back. As well, they ask: who decides what is ethical, just and legally binding? A cyber bounty hunter with a financial incentive to find and accuse could destroy the lives of innocents.
These commentators also argue that the government is already engaged in its own shadow form of bounty hunting. A majority of the personnel at the CIA’s National Clandestine Service are independents. They claim that 80% of the National Security Agency’s budget goes to paying private contractors. Are they privateers?
Governments will not warmly embrace digital vigilantism as they are already engaged in their own covert cyber criminality. A notable example of this, never confirmed, is the American and Israeli use of the Stuxnet computer worm to damage Iran’s nuclear program in 2010. While limiting an angry nation’s access to atomic capabilities seems worthwhile, it was also technically a violation of international law.
China’s military plans do not involve confronting the U.S. military directly. Instead, in what they call ‘systems destruction warfare,’ they will undermine American operations. At this point, no one will be arguing about technical violations of international law.
Christian Brose is the author of The Kill Chain: Defending America in the Future of High-Tech Warfare. In the May 23, 2020 edition of the Wall Street Journal, Mr. Brose wrote:
We must…redefine our objectives. If China continues to grow in wealth, technology and power, it will become a peer competitor to the U.S. Recovering our global military primacy is no longer a practical goal. We must instead pursue a more limited and achievable goal: denying military dominance to China. The U.S. military will have to focus less on projecting power and controlling territory than on preventing China (and other competitors) from projecting power themselves and committing acts of aggression beyond their borders. We must create defense without dominance.
This will require us to think differently about modernizing the U.S. military. The goal cannot be to accumulate more and better versions of traditional platforms in expensive pursuit of a 355-ship Navy or a 386-squadron Air Force. We must focus instead on developing networks of systems that enable U.S. commanders to understand the battlespace, make decisions and act – the process that our military calls “the kill chain” – and to do so better, faster and more dynamically than our adversaries. This battle network, not platforms alone, creates real military advantage.
Similarly, the Wall Street Journal reported in their June 2, 2020 edition:
The International Committee of the Red Cross in a letter last week signed by international political and business leaders called for governments to take “immediate and decisive action” to punish cyber attackers.
“There are more and more cyberattacks…on the healthcare sector and unless there are really strong measures taken, they will continue,” said Cordula Droege, chief legal officer at ICRC. “What we’re seeing at the moment are still indications of how devastating it could be.”
The next war or triggered economic collapse will involve taking out critical infrastructure, as well as military capabilities. The electric grid, telecommunications, healthcare, transportation, finance, water and waste water treatment, among other key resources, are targets that will be attacked and must be defended. Having a corps of certified and licensed defenders may provide a crucial edge toward military advantage. They may also provide an immediate advantage to every American now suffering from the financial and emotional onslaught of scams.
The scamster in some small country who believes they are free to disrupt and ruin the lives of millions without consequence must see that other cyber criminals are being caught in the act, extradited to the United States, prosecuted and sent to jail for a very long time. When boastful American scamsters learn that their friends not only dislike their criminality but like being paid for a tip-off, or learn that lesser confederates are now more likely to turn on them, a positive disrupting factor is introduced. These criminals must know that the new sheriff is willing to pay millions to trained, sophisticated hunters to bring order and justice to the Wild West of the internet. When criminals have to think twice about their criminality, when they witness other bad actors going to jail, crime does go down.
But the question remains: How can a government act against cyber bad actors when they also engage in cyber bad acts?
Other questions will arise. What if a cyber bounty hunter tries to collect on a government? And what if a government, in failing to pay, turns a white hat to black hat perdition? (Hopefully that last one is just an action-adventure movie.) To be certain, the issues will be complicated. But they pale in comparison to the billions in losses and social risks of not addressing widespread deception. Failing to act now only allows the monster to grow. Citizens will accept the cognitive dissonance that protecting the country with cyber criminality is different than protecting citizens from cyber criminality. Helping individuals to scam-proof their assets is not inconsistent with collectively scam-proofing the country. You can do both at the same time.
So either governments admit (as sheriffs in the Wild West did) that they can’t do the job and let the bounty hunters in. Or they step it up and actively protect their citizens from cyber criminality. Whatever course the people’s representatives choose, it must be acted upon immediately. The threat to our country is great. The damage being inflicted upon millions of innocent Americans every day hollows out our core.
Cyber bounty hunters (either in-house or contracted) will be utilized by all governments in the future. Their citizens will demand it. The only question is what will come first: The real thing, or the TV show?
If you enjoyed this chapter, visit RDA-Press.com to buy the book.