Commission: Companies should be allowed to hack hackers

A congressional commission is recommending that companies be granted the right to hack foreign adversaries back when their data is stolen.

“Congress [should] assess the coverage of U.S. law to determine whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks,” the U.S.-China Economic and Security Review Commission said in its annual report to Congress, released on Wednesday.

The concept of “hacking back” has been a subject of scrutiny for officials and experts concerned with commercial espionage perpetrated against American companies, generally originating from China. The U.S. reached agreement with China in September that neither country’s government would support the activity. However, cybersecurity firms Crowdstrike and FireEye have said that Chinese malware has maintained a presence in the systems of American companies, which makes the question of how to respond a persistent one.

Many experts object to the idea of allowing companies to respond in-kind to cyberattackers, partially because it could lead to an escalation of conflict with foreign states, and because it can be difficult to identify the source of an attack with certainty.

“Attribution is very difficult to do,” White House cybersecurity coordinator Michael Daniel said in October. “The bad guys don’t tend to use things labeled ‘bad guy server.’ They tend to corrupt and use innocent third-party infrastructure. So we have always said you need to be really cautious about taking activities that are ‘hacking back’ or even what some people try to call ‘active defense.’”

Christopher Painter, the coordinator for cyber issues in the State Department, expressed a similar sentiment to the Washington Examiner. “There are some significant problems with ‘hacking back,’” Painter said. “If I’m a smart attacker, I’m going to route my attacks through innocent third-party boxes.”

“States have a right to self-defense, particularly when there’s a use of force by another state,” Painter said. “If there’s a significant enough cyber incident, without describing what that is, we have a full set of tools that we can use.” However, he added, “Certainly companies need to protect themselves and make sure their data is secure.”

It can be even more difficult to attribute responsibility for attacks out of China, where major companies are owned by the government.

“I think any business entity in China would have a hard time saying that they are not state-sponsored,” William Evanina, the director of National Counterintelligence and Security Center, told the Examiner. “So the idea of having a hacker in China not coordinating their activities or being facilitated by the government of China is probably a stretch.

“The symbiotic nature of the government, the criminal elements and the private sector … they’re all the same,” Evanina said.

As part of the September agreement, the U.S. and China agreed to regular ministerial summits to review progress, the first of which will be held Dec. 1-2. The topics of discussion are not entirely clear, but officials have said the meeting doesn’t represent any sort of deadline.

“I would not characterize our first ministerial as any sort of deadline, and I think we will assess compliance with the written commitments as we go,” Homeland Security Secretary Jeh Johnson said at the Council on Foreign Relations this month. “But I do think that assessing compliance and assessing actions in accordance with agreements is fundamental to the agreement itself.”

In addition to the agreement with the U.S., China reached a similar agreement with the U.K. in October, and the G20 Summit held this week agreed to a deal containing even more comprehensive language.

The U.S.-China Commission report makes a number of additional recommendations, including suggestions that Congress take measures to assess the structure and functions of the Chinese military (and its role in facilitating attacks); commercial investment by the U.S. in China; and “the relocation of manufacturing, advanced technology and intellectual property” from American to Chinese companies.

The commission was formed by Congress in 2000 to “monitor, investigate, and submit an annual report … on the national security implications of the bilateral trade and economic relationship” between the U.S. and China.