CybersecurityReport: U.S. companies should consider counter-hacking Chinese hackers

A group studying how the United States should respond to the sustained campaign of cyberattacks conducted by Chinese government hackers against U.S companies, said the United States should seriously consider a campaign of retaliatory cyberattacks against the hackers.

“Without damaging the intruder’s own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information,” a report issued by the Commission on the Theft of American Intellectual Property said.

Members of the commission, a private task force,  included former U.S. ambassador to China Jon Huntsman and former director of National Intelligence Dennis Blair.

The Huffington Post notes that computer hacking is currently illegal, even in self-defense. The report’s authors argue that if cyber-retaliation were to become legal in the United States, “There are many techniques that companies could employ that would cause severe damage to the capability of those conducting [intellectual property] theft.

“These attacks would raise the cost to IP thieves of their actions, potentially deterring them from undertaking these activities in the first place,” the report said. “Only when the danger of hacking into a company’s network and exfiltrating trade secrets exceeds the rewards will such theft be reduced from a threat to a nuisance.”

Most of today’s hackers easily bypass firewalls and anti-virus software, so many high-tech and cybersecurity companies use several methods known as “active defense.” One of these methods is tricking hackers into stealing bogus files from victims.

Some security experts argue, however, that companies should be able hack the organizations which steal their data. This counter-hacking may focus on retrieving the stolen data, punishing the hacker, or both.

The Justice Department’s cybercrime manual notes that victims of hacking “should not take any offensive measures on its own, such as ‘hacking back’ into the attacker’s computer — even if such measures could in theory be characterized as ‘defensive.’”

The manual says that hacking back can end up damaging an innocent bystander’s computer system, especially because most hackers route their attacks through unknown third parties.

The IP Commission Report says that  the   commission “is not ready to endorse” hacking back because of the potential of collateral damage or misuse, and that  “further work and research are necessary before moving ahead.”

James Lewis, a senior fellow with the Center for Strategic and International Studies, called the idea “truly stupid” and added that allowing companies to retaliate could violate international law, undercut American cybersecurity initiatives, and “create the risk that some idiot in a company will make a mistake and cause collateral damage that gets us into a war with China.”

“The people who think this probably thought it was a good idea to invade Iraq,” Lewis told the Post.

Stewart Baker, a former DHS assistant secretary, sees  counter hacking as inevitable.

“It’s only a matter of time before counter hacks become possible,” Baker wrote in a blog post last year. “The real question is whether they’ll ever become legal.”

— Read more in The IP Commission Report (National Bureau of Asian Research, 2013)