Cybersecurity and Cyberwar excerpt: What real pirates can teach us.

What Can (Real) Pirates Teach Us About Cybersecurity?

What Can (Real) Pirates Teach Us About Cybersecurity?

The citizen’s guide to the future.
Jan. 1 2014 11:45 PM

Shiver My Interwebs

What can (real) pirates teach us about cybersecurity?

Treasure Island book cover illustration, 1911
Treasure Island book cover illustration, 1911

Illustration by N.C. Wyeth

This piece is excerpted from Cybersecurity and Cyberwar: What Everyone Needs to Know, by Peter W. Singer and Allan Friedman, published by Oxford University Press.

In 1522, three Spanish galleons left Havana, Cuba, on their way to Seville, Spain. Loaded onto the ships were literally tons of gold, emeralds, jade, and pearls, all the riches of the Aztec empire gathered into one massive shipment. Hernando Cortés has just conquered Mexico and was sending its treasure as a tribute back to his king, Charles V. But once the fleet set out on its long journey, five more ships appeared on the horizon. The lumbering treasure-laden ships couldn’t escape. A short fight ensued, and the Spanish lost to a squadron led by a French captain named Jean Fleury. By stealing the Aztec gold, Fleury had pulled the ultimate score. The episode would inspire generations to come and launch what is known as the “Golden Age of Piracy,” a period romanticized in books like Treasure Island and movies like Pirates of the Caribbean.

In centuries past, the sea was a primary domain of commerce and communication over which no one actor could claim complete control, much like the Internet today. While most just used the sea for normal commerce and communication, there were also those who engaged in bad deeds, again much like the Internet today. They varied widely, from individual pirates to state militaries with a global presence. In between were state-sanctioned pirates, known as privateers. Parallel to today’s “patriotic hackers” (or the private contractors working for government agencies like the National Security Agency or Cyber Command), privateers were not formally part of the state but licensed to act on its behalf. They were used both to augment traditional military forces and to add challenges of identification (attribution in cyber parlance) for those defending far-flung maritime assets.


These pirates and privateers would engage in various activities with cyber equivalents, from theft and hijacking, to blockades of trade (akin to a “denial of service”), to actual assaults on economic infrastructure and military assets. During the War of 1812, for example, the American privateer fleet numbered more than 517 ships—compared to the U.S. Navy’s 23. Even though the British conquered and burned the American capital city, the private American fleet caused such damage to the British economy that they compelled negotiations. As in cyberspace today, one of the biggest challenges for major powers was that an attacker could quickly shift identity and locale, changing its flags and often taking advantage of third-party harbors with loose local laws.

Maritime piracy is still with us, but it’s confined off the shores of failed states like Somalia and occurs on a miniscule scale compared to its golden age. (Only 0.01 percent of global shipping is taken by modern-day pirates.) Privateering, the parallel to the most egregious attacks we have seen in the cyber realm, is completely taboo. Privateers may have helped the U.S. against the British in the War of 1812, but by the time the American Civil War started in 1861,

President Lincoln not only refused to recruit plunderers-for-hire but also blasted the Confederates as immoral for opting to employ them.


The way this change came about provides an instructive parallel to explore for cybersecurity today. Much like the sea, cyberspace can be thought of as an ecosystem of actors with specific interests and capacities. Responsibility and accountability are not natural market outcomes, but incentives and frameworks can be created either to enable bad behavior or to support the greater public order.

To clamp down on piracy and privateering at sea, it took a two-pronged approach that went beyond just shoring up defenses or threatening massive attack (which are too often talked about in cybersecurity as the only options, again making false comparisons to the worst thinking of the Cold War). The first strategy was to go after the underlying havens, markets, and structures that put the profits into the practice and greased the wheels of bad behavior. Major markets for trading pirate booty were disrupted and shut down; pirate-friendly cities like Port Royal, Jamaica, were brought under heel, and blockades were launched on the potentates that harbored the corsairs of the southern Mediterranean and Southeast Asia.