Evgeniy Mikhailovich Bogachev is a cyber privateer. Since 2014, he has sat smugly atop the FBI’s cyber most wanted list with a $3 million bounty on his head for the cyber theft of millions of dollars from Western businesses and sensitive government information from Georgia, Turkey, and Ukraine. He was last reported leading a cybercrime organization called the Business Club with tacit Russian government approval from the comfort of his luxury apartment in a Black Sea resort beach town where his exploits have made him a local folklore hero.
Bogachev and his Business Club have state-sponsored hacking colleagues from all over the world. Their impact has been felt in business, journalism and even the recent U.S. presidential election. These hackers function within a symbiotic relationship with their respective host states: hackers steal information (intellectual property, military secrets, critical infrastructure vulnerabilities, and dissidents’ information, etc.) on behalf of states, giving them plausible deniability for the theft; in return, states grant hackers a safe sanctuary from which to operate and typically overlook their profitable criminal side gigs.
Although the victims, loot, and mediums are different, the relationship between privateers and states has not changed much since Sir Francis Drake and the Sea Dogs or Piet Hein and the Watergeuzen partnered with England and the Dutch Republic. The tradecraft of English, French, and Dutch privateers who stole Spanish gold and ships on the high seas is essentially the same as that of their Chinese, Iranian, and Syrian successors stealing U.S. information in cyberspace. The comparison, noted by several others, is compelling and worth examining because it sheds light on why cyber privateers proliferated, why they are effective, and why they will eventually disappear.
As was the case in the 16th and 17th centuries, a single state currently dominates the international system (then Spain; now the United States), a new technology has opened access to a vast ungoverned space (caravels; the Internet), and less powerful rivals covet the wealth and power of the hegemon (the Dutch, English, and French; the Chinese, Iranians, and Russians).
Privateers are uniquely positioned to thrive in such a situation because less powerful states use them as a cheap, effective, and plausibly deniable way to augment their capabilities to prey on the soft economic underbelly of the most powerful state, which can do little to stop them. Like an invasive species without a natural predator to cap their population growth, little is keeping cyber privateers from multiplying.
Victims of privateering have been attempting to counter state-sanctioned piracy for centuries, but typically have been more effective at treating the symptoms than the underlying disease. Their tactics have included increasing defenses on merchant shipping, flushing out privateer-friendly harbors, and formally protesting to host governments. Some of these solutions were more effective than others, but ultimately privateering would always resurge; privateers circumvented defenses, safe harbors moved or grew back, and host governments deflected and continued to secretly support the lucrative practice of privateering.
The U.S. government is engaging in all of these behaviors today, with similar results. The Department of Homeland Security established the Einstein network defense system in an attempt to protect federal government servers while former U.S. President Obama and Congress created executive orders and laws to improve cyber security in the private sector through largely ineffective information sharing.
The Federal Bureau of Investigation has repeatedly shut down botnets, servers, and more botnets hosting criminal malware only to have them return with a vengeance. The State Department and Department of Justice have raised cyber issues in diplomatic talks with China multiple times throughout the years and even have gone as far as to formally charge five members of the Chinese military for hacking private U.S. companies and organizations, although the Chinese government has maintained its innocence and protected the five.
With all that said, it is not all doom and gloom. The 2015 handshake agreement between the U.S. and Chinese governments to reduce commercial cyber espionage was a promising development that has had a measurable positive impact. Although much of this activity was simply redirected elsewhere and the truce may not last long, it demonstrated that states are capable of reining in cyber privateers when they so desire.
The era of ocean-going privateers is now a distant, romanticized memory. How did these privateers become obsolete? The answer is complex, but privateering initially died a slow death from the marching forces of tectonic power shifts in the international system, increasing operational costs, the formal organization of modernizing sea warfare, and changing views of the morality and utility of the practice.
Suffocating under an ever-growing entanglement of bilateral agreements, privateering took a fatal blow during international negotiations in 1856 when the rising hegemon, Great Britain—now with more to lose than to gain from privateering—proposed and passed the outlawing of privateering to great acclaim of the vast majority of formerly privateering nations. Hold-outs, loose interpretations, and outright violations continued for some time, but by the beginning of the 20th century privateering had largely perished.
The historians of tomorrow will almost certainly look upon the present day as a golden age of cyber privateering, but Bogachev and his companions’ days are numbered. Cyber privateers will face many of the same forces as their forebears and states will reach a tipping point where they will decide that unhindered commercial activity in a privateer-free cyberspace is more valuable than the ability to employ privateers. As China’s relative economic clout grows, cyber defenses outpace cyber privateers’ offensive capabilities, and cyber privateers overextend the welcome of their hosts, it will likely be the highly capable Russian FSB, not the FBI, that will be hunting Bogachev.
Patrick Cirenza graduated as a political science major with distinction and honors from Stanford University before obtaining his MPhil in international relations from the University of Cambridge. He has written two theses on cyber warfare and cyber espionage and has publications in the Bulletin of the Atomic Scientists, Slate Magazine, and the Royal United Services Institute Publications. He is currently a presidential management finalist.