Bruce Schneier read the 2026 Cyber Strategy for America document the way a lawyer reads a contract: one clause at a time, looking for the load-bearing sentence. In a post published April 1, 2026, he flags a single line — the strategy “will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities” — as a quiet policy shift toward authorizing private offensive cyber operations. Also known as hackback.
The sentence that does the work
On first reading, the sentence sounds innocuous: incentivize private disruption of adversary networks. Read again. “Disrupt” is an offensive verb. “Adversary networks” is attribution the private sector cannot independently verify at the standard a criminal court would require. And “unleash” is the word a strategy document uses when it wants to announce a permissions change without announcing it.
Schneier’s argument is that this one line deputizes corporations as instruments of state action without the statutory scaffolding — no warrant process, no independent attribution standard, no after-action review, no civilian oversight, no limits on collateral damage. The framework that exists for government offensive operations has, whatever its faults, decades of legal infrastructure behind it. The private-sector equivalent does not.
The letters-of-marque analogy
The historical parallel Schneier reaches for is the letter of marque — a 17th and 18th-century instrument by which sovereigns authorized private shipowners to attack enemy vessels in wartime. Privateering was legal, strategically useful, and eventually discredited. It blurred the line between piracy and state action, produced attribution disputes that lingered for decades, and was formally abandoned by most maritime powers by the mid-19th century. The US never ratified the 1856 Declaration of Paris abolishing privateering, but it stopped issuing new letters. Schneier’s read is that the Cyber Strategy’s “unleash” language is a quiet attempt to revive the concept in packet form.
The harder question he raises is second-order. Once a private-sector hackback regime is normative in the US, it becomes a template other jurisdictions will copy — and the legal regime that governs cross-border intrusion is already strained. When a US-incorporated vendor hacks back at infrastructure in a non-treaty country and gets it wrong, whose law applies, whose insurance pays, whose diplomat takes the call?
What this means for practitioners
For security teams whose employers might read the Cyber Strategy as a greenlight:
- Do not act on this sentence alone. A strategy document is not statute. Until Congress authorizes private offensive operations with the specificity that any serious attorney would insist on, the legal exposure of hacking back is what it was yesterday — substantial, and borne personally by the people who push the packets.
- Pressure your counsel for a written read. The right response to “unleash” language is a formal memo from General Counsel that says whether your security team is authorized to conduct any disruptive action beyond the target’s own network. Most memos will still say no.
- Watch the implementation vehicle. The sentence will not matter unless it shows up in an executive order, a new Title 50 authority, or a DoJ policy letter that explicitly limits prosecution for cross-border intrusion by US vendors. Track those artifacts, not the press release.
- Separate your defensive posture from the debate. The everyday work — telemetry, detection, patching, credentialing, training — is unchanged either way. Schneier’s companion post on AI-accelerated vulnerability exploitation is the more important read for Q2 operational priorities.
The policy conversation will take years. The tradecraft that makes hackback either viable or dangerous is moving faster than the statute book can keep up.
