Lord of Cyber War

The last American letter of marque dates back to 1812. Two centuries later, Congress considers reviving the instrument. To fight cybercrime, they say. The explanation does not hold. Something else is being prepared.
"Peace sells... but who's buying?" — Megadeth, 1986
In DSI on 9 January 2026, Stéphane Taillat analyses the return of American hack back and draws on Arnaud Orain's framework of "capitalism of finitude". His work documents a phenomenon that this series of articles places within a broader context: the collapse of the Western defensive model, America's strategic repositioning, and what the proposed legalisation of "digital privateers" reveals about the confrontation with China.

The last American letter of marque dates back to 1812. The war against Britain. Two centuries later, Congress considers reviving the instrument. To fight "scam farms" in Southeast Asia.

The official explanation does not hold. Something else is being prepared.

The anomaly

On 15 August 2025, David Schweikert, Republican representative from Arizona, introduced the Scam Farms Marque and Reprisal Authorization Act. The bill authorises the President to issue letters of marque, those commissions that once transformed merchant ships into legal privateers. Modern version: "cyber operators" licensed to attack foreign criminal organisations. Schweikert speaks of "licensed operators", not any freelance hacker. But the text remains vague on eligibility criteria and certification process.

The bill has not passed. Some analysts call it a "messaging bill", a text that sends a political signal rather than aiming to become law. But the signal itself deserves attention.

The narrative is simple. Americans lost $16.6 billion to cybercrime last year. Seniors are targeted. Traditional judicial tools fail against criminals based abroad. Solution: authorise private actors to strike back, recover stolen assets, dismantle networks.

This narrative poses a problem.

Why revive a mechanism abandoned for two centuries? Why now? And above all: why entrust this project to an economist from the Blockchain Caucus rather than a member of the defence or intelligence committees?

The false lead

Schweikert is not a national security specialist. He is a financier. Chair of the Joint Economic Committee, co-chair of the Blockchain Caucus, background in real estate and finance. His angle on hack back is economic: privateers as entrepreneurs, crypto asset recovery as a business model.

The timing also deserves attention. Schweikert announced his candidacy for Governor of Arizona two months after introducing this bill. "Tough on cybercrime" plays well in a campaign.

But these elements do not explain the Trump administration's support. The same administration that cut CISA's budget by 30%. That withdrew the United States from the GFCE, the Freedom Online Coalition, the Hybrid CoE in January. That lets the NVD accumulate 20,000 CVEs awaiting analysis.

Washington dismantles its defensive infrastructure while considering legalising private offence in parallel. The coincidence deserves examination.

The answer lies in what the Schweikert bill does not mention.

The evidence

While Washington debates "scam farms", federal agencies document something else.

Volt Typhoon. Microsoft and Five Eyes agencies identified this Chinese campaign in 2023. Targets: critical infrastructure in the United States and allied nations. Power grids, telecoms, water treatment. Method: "living off the land", using legitimate tools already present on systems to avoid detection. Result: dormant access, maintained over time, without massive exfiltration or destruction.

Salt Typhoon. Revealed late 2024. Penetration of telecom operators, including AT&T and Verizon in the US. Over 200 targets in 80 countries according to the FBI. Access to communication metadata, potentially to content.

These operations do not resemble classic cybercrime. No ransomware, no data resale, no visible monetisation. China accumulates access. It does not use it. It stores it.

For what purpose? The likely answer: Taiwan, South China Sea, or any future crisis where these dormant accesses would become disruption levers. Cut power on the West Coast during an amphibious landing. Blind military communications. Create civilian chaos to slow mobilisation.

This is strategic pre-positioning. Faced with this posture, American concern is legitimate. The question is not whether a response is justified, but which one.

Washington has two options.

Option 1: strengthen defence. Costly. Slow. And at odds with ongoing budget cuts. CISA operated at 35% of its workforce during the autumn shutdown.

Option 2: prepare an externalised offensive response. With deniability. With scalability. With private actors who can be disavowed if necessary.

Hack back.

What it reveals

I put forward the following hypothesis: the Scam Farms Act is not a response to cybercrime. "Scam farms" are the pretext. The real target is the Chinese cyber ecosystem, where criminal networks and state operations often share the same infrastructure.

If this reading is correct, the fog that hack back generates is not merely a side effect. It is potentially a feature.

Today, the offensive landscape remains relatively readable. State actors (NSA, FSB, MSS) can be distinguished from criminal groups (LockBit, BlackCat). Attribution is difficult but the categories hold.

Tomorrow, with thousands of licensed privateers, everything blurs. Each private operator develops their own tools, their own signatures. How can a legitimately licensed privateer be distinguished from a state operation using a privateer as cover? From a privateer exceeding their mandate? From a criminal posing as a privateer?

The adversary no longer knows who is attacking. Retaliation becomes hazardous.

Washington can then test red lines without formal commitment. "It wasn't us, it was a privateer who went rogue." If China reacts strongly, disavow. If it does not react, the precedent is established.

Clausewitz distinguished between fog endured, the uncertainty inherent to combat, and fog created, the confusion deliberately generated to blind the adversary. Privatised hack back belongs to the latter.

The image that comes to mind is the claymore, the directional mine that projects shrapnel in a cone without fine discrimination. You do not aim at a precise target. You saturate the operating space. You prepare the ground.

The scenarios

If fog is preparation, what does it prepare?

Taiwan. In a strait crisis, Chinese infrastructure would need to be targeted massively and rapidly. Cyber Command has its own capabilities, but they are sized for surgical operations.

Pre-trained privateers, with access developed over years against "criminal" targets linked to China, become a reserve force. Chinese cybercrime and state operations often share the same servers. Targeting one allows striking the other.

War of attrition. Rather than direct confrontation, permanent harassment of the Chinese cyber ecosystem. Network disruption, continuous degradation of capabilities, cost imposition without formal escalation. A digital war of the chase, like the maritime wars of the 17th century.

Red line testing. Privateers target "scam farms" in Southeast Asia, some of which have documented links to the Ministry of State Security. Escalation is "accidental". Each test that passes without response pushes the limit a little further.

These scenarios can combine.

What these facts suggest: Washington is not preparing to defend cyberspace. It is preparing to use it as a battleground.

The Orain framework

Historian and economist Arnaud Orain offers a reading that illuminates this repositioning. Taillat invokes it in his article.

Orain distinguishes two regimes of capitalism. Liberal capitalism: infinite horizon, continuous growth, positive-sum game. Everyone can prosper if competition rules are respected.

Capitalism of finitude: a world perceived as bounded, limited, zero-sum. What one gains, the other loses. Competition gives way to coercion. Common spaces are privatised and militarised.

Orain identifies three periods where this capitalism of finitude dominates. 16th-18th centuries: mercantilism, East India Companies, privateering wars. 1880-1945: colonial imperialisms. And since 2010.

His description of the current period: "privatisation and militarisation of the seas, appropriation of physical and cyber spaces by gigantic private companies with sovereign prerogatives".

Schweikert's privateers are the heirs of 17th-century chartered companies.

Sovereign mandate: the presidential letter of marque. Extraterritorial coercion capabilities: the text explicitly mentions operations "outside the geographical borders of the United States". Rentier economic model: confiscated crypto assets fund the operation.

Schweikert's profile, economist from the Blockchain Caucus, then makes sense. Hack back is conceived as a market solution. Defence is a cost. Offence is a business model.

States that bought vulnerabilities on the black market to maintain their offensive advantage become states that commission privateers to outsource their operations. The loop closes.

Cyberspace is no longer the infinite space of 1990s libertarian utopia. It is perceived as finite, contested, to be seized.

Europe in the equation

Europe has a clear doctrine: opposition to private hack back, state monopoly on retaliation. This position has not changed.

The implications of American repositioning deserve examination, however. The Chinese threat existed before. What changes is the American response. It is this response that redefines the European equation.

Europe is caught between two expanding offensive systems, American and Chinese, without its own capability. Volt Typhoon and Salt Typhoon operations target the Five Eyes and beyond, over 80 countries according to joint advisories. Alerts are shared, but detailed intelligence circulates in restricted circles. If the Schweikert bill passes, American privateers would target networks transiting through the continent.

The KEV, the catalogue of actively exploited vulnerabilities maintained by CISA, becomes the main sharing channel after the closure of multilateral forums. It is a minimal flow: vulnerabilities with CVE, confirmed by American sensors, shared in declassified form. Rich intelligence on Chinese threats likely circulates between US federal agencies under TLP:AMBER. Europe does not have access.

The European framework prohibits hack back for private actors. European companies cannot strike back. If the bill passes, American privateers could operate on infrastructure hosted in Europe. What would be the legal status of a US privateer targeting a compromised server at OVH or Deutsche Telekom? The extraterritoriality of digital letters of marque has no precedent.

If American privateers tested red lines with China, some tests would pass through European infrastructure. Would collateral damage from an operation against a Chinese target using a European host be a diplomatic incident or an acceptable cost?

What I do not know

Whether the Trump administration has a coherent strategy or whether these developments are the product of political opportunities and bureaucratic dynamics. Both readings remain compatible with the facts.

Whether the Schweikert bill will pass or remain a "messaging bill". Whether similar projects will follow.

Whether Europe will analyse the extraterritorial implications before an incident forces the question.

The assessment

The American hack back proposal is not a response to cybercrime. It is a symptom of strategic recomposition facing China.

The fog it would generate is a weapon. It would prepare the ground by multiplying actors, diluting attribution, normalising the offensive.

Digital privateers are the resurgence of an old model. Chartered companies, letters of marque, privatisation of common spaces. Capitalism of finitude applied to cyberspace.

Antifragility, designing architectures that depend neither on the American channel nor on Empire protection, remains a path. But it requires looking at what is being prepared.

The last American letter of marque dated back to 1812. Two centuries later, Washington considers bringing back the instrument. The facts are laid out. The fog thickens.


This article is part of a series analysing the structural flaws of Western cybersecurity (articles 1-5 in French):


References

¹ Schweikert, D. (2025). "Schweikert Introduces Cybercrime Marque and Reprisal Authorization Act to Combat Foreign Scam Syndicates", 20 August 2025 https://schweikert.house.gov/2025/08/20/schweikert-introduces-cybercrime-marque-and-reprisal-authorization-act-to-combat-foreign-scam-syndicates/

² The Register, "Bill would give hackers letters of marque against US enemies", 21 August 2025 https://www.theregister.com/2025/08/21/congressman_proposes_bringing_back_letters/

³ The Digital Chamber, "TDC Supports the Proposed Cybercrime Marque and Reprisal Authorization Act of 2025", 25 August 2025 https://digitalchamber.org/the-digital-chamber-supports-the-proposed-cybercrime-marque-and-reprisal-authorization-act-of-2025-h-r-4988/

⁴ Microsoft Security, "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques", May 2023; CISA Advisory AA24-038A, February 2024

⁵ Reuters, "Chinese hackers breached US telecom firms including AT&T, Verizon", October 2024

⁶ Orain, A. (2025). Le monde confisqué. Essai sur le capitalisme de la finitude (XVIe-XXIe siècle). Paris: Flammarion.

⁷ Taillat, S. (2026). "Penser le cyber. Hack back", DSI, 9 January 2026 https://www.areion24.news/2026/01/09/penser-le-cyber-hack-back/