It's no secret that major US companies have been victims of a growing number of hacks from overseas in recent years, allegedly by attackers looking to steal corporate information and intellectual property, such as patented software. The Department of Defense and US diplomats have also accused China's government and military of being behind some of these attacks. Now, a new report by a group of influential former government officials and private executives says that if intellectual property theft continues at future levels, Congress should consider passing laws allowing US companies to "counterattack" against such hackers, whoever they may be.
"physically disabling or destroying the hacker’s own computer or network."
The report, released today, calls this type of strategy "active network defense," and says it could include a wide range of tactics, such as "photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network." To be clear, the report specifically says it doesn't recommend Congress authorize such activities by companies "under present circumstances," but notes that "in the future, if the loss of IP continues at current levels, these measures ought to be considered." In the mean time, the report says Congress should increase cyber security information-sharing between companies and the government by passing the controversial Cyber Information and Sharing Protection Act (CISPA), which the House already did in April, but which the Senate has not moved forward on.
The recommendations come from the Commission on the Theft of American Intellectual Property, a private organization that carries no legal power, but which is co-chaired by former Utah Governor Jon Huntsman, Jr., previously the US ambassador to China, and Dennis Blair, the previous director of US national security. The group also includes a former Intel CEO and other former lawmakers and businesspeople. Huntsman and Blair penned an editorial in The Washington Post yesterday labeling China as the place where intellectual property theft is "most rampant," adding: "So far, our national response to this crisis has been weak and disjointed...The United States must make the theft of US intellectual property both risky and costly for thieves."
"I think it's an absolutely horrible idea."
But others disagree with this approach. "I think it's an absolutely horrible idea," said Jeffrey Carr, CEO of cyber security consulting firm Taia Global. "God forbid there be there should be some adoption of expanding the law to allow private companies to hack back." Carr told The Verge he was concerned that if such proposals were adopted by Congress or the White House, it could "trigger additional diplomatic problems." Carr pointed to the fact that the US imports many goods, including electronics from China, and said that the idea of hacking back against people based in China was "ridiculous when we rely on them so much."
James Lewis, director of the public policy and technology program at the Center for Strategic and International Studies, a think tank, is similarly wary of Congress greenlighting such private counterattacks. "This is a remarkably bad idea that would harm the national interest," he wrote in an essay shared with The Verge. "Our goal is to make cyberspace more stable and secure, not less."
The controversial idea of giving US companies legal protections to "hack back" against intruders on their networks has been proposed before by some legal experts and companies, and some companies are even alleged to already be engaging in the practice, despite the fact that there is no legal framework in the US permitting it. But the new recommendations from Huntsman's group may be the highest-profile yet, as they come from former Obama Administration officials. Meanwhile, the US and China's government have openly sparred in recent months over the issue of cyber attacks, accusing each other of perpetrating them. Two nations have also made gestures of cooperation on tackling the global problems of hacking and IP theft. It's unclear how the new report will impact these efforts, if at all. Still, these issues and more will certainly give President Obama a lot to talk about in his first meeting with Chinese President Xi Jinping in June.