As the volume of cyberattacks aimed at stealing commercial secrets from U.S. companies has grown over the last several years, government officials have grasped for solutions. One proposal that has garnered renewed attention is the idea that companies be allowed to engage in “counterintrusions,” in which they hack the intruders’ systems with the aim of destroying or altering the data stolen from them.
“Hacking back” is illegal under the Computer Fraud and Abuse Act of 1986. Federal law constrains not only private enterprise in this respect but also many law enforcement agencies. Sophisticated foreign adversaries exploit that constraint: they routinely operate through compromised American systems, such as university networks, so that counteracting their activity would itself require intruding into computers on U.S. soil.
“What we are discovering, I think, is that countries are beginning to realize the tools we have now are not adequate for the job that needs to be done,” William Reisch, chairman of the U.S.-China Economic and Security Review Commission, told the Washington Examiner. “We need some new tools that will allow us to do some different things.”
In November, Reisch’s commission issued its annual report to Congress. It suggested, in part, that companies be allowed to hack back, and recommended that Congress “assess the coverage of U.S. law to determine whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks.”
The commission made the suggestion in response to what it described as the “increasing harm” done by China’s “coordinated, government-backed theft of information from a wide variety of U.S.-based commercial enterprises.”
Government estimates corroborate the commission’s assessment. In July, the FBI estimated the number of commercial espionage cases had increased by 53 percent over the preceding year. Of companies the FBI surveyed, 95 percent attributed the attacks to hackers in China.
However, the Obama administration has positioned itself against allowing companies to engage in offensive cyberactivity. Many experts are similarly opposed because of the legal and technical complexity of operating across national borders.
“First and foremost, how do you know who hacked your company?” asked Tony Cole, a vice president and chief technology officer at cybersecurity firm FireEye, in comments to the Washington Examiner. “Does the company have definitive proof of who the adversary is sitting at the keyboard? If you do have that definitive proof, did the attacker use a number of hopping points across other compromised systems under their control?”
“If so, do those compromised hopping points sit within other countries under different laws and jurisdictions?” Cole continued. “Are you possibly breaking their laws by following an attacker through those systems? Did you just create a liability within that country for your company?
“These are just a few of the questions a company’s legal team should consider before allowing a team to hack back an adversary,” Cole said.
The questions he raised boil down to “attribution,” the term for identifying who is actually behind an attack, a task that is notoriously difficult. Experts seeking to attribute an attack look at a range of factors, including the language of strings and comments embedded in the malicious code and the times of day at which activity generally takes place. If activity clusters within Beijing’s standard office hours, an investigator may infer an operator working from that time zone.
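The working-hours inference described above can be made concrete. The following is an added example, not code from the article or from any of the organizations it quotes: it takes a constructed list of UTC timestamps (standing in for beacon or exfiltration events pulled from a victim’s logs), converts each to a handful of candidate operator time zones, and reports what fraction of the events fall inside local business hours on a weekday. The candidate zones are fixed UTC offsets chosen for illustration (an assumption; a real analysis would use zoneinfo and account for daylight-saving rules on each date), and the 09:00 to 18:00 window is likewise an assumed definition of “office hours.”

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of activity observed on a victim network.
# Weekdays 2015-11-02 (Mon) through 2015-11-06 (Fri), five events a day,
# plus two outliers (a Saturday event and a late-night event in UTC+8).
SAMPLE_EVENTS_UTC = [
    datetime(2015, 11, day, hour, 0, tzinfo=timezone.utc)
    for day in range(2, 7)
    for hour in (1, 3, 5, 7, 9)
] + [
    datetime(2015, 11, 7, 2, 0, tzinfo=timezone.utc),   # Saturday in every candidate zone
    datetime(2015, 11, 3, 15, 0, tzinfo=timezone.utc),  # 23:00 in UTC+8
]

# Candidate operator time zones as fixed UTC offsets (assumption: no DST
# handling; use zoneinfo for real investigations).
CANDIDATE_ZONES = {
    "UTC+8 (Beijing)": timezone(timedelta(hours=8)),
    "UTC+3 (Moscow)": timezone(timedelta(hours=3)),
    "UTC-5 (US Eastern, standard time)": timezone(timedelta(hours=-5)),
}

# Assumed definition of local business hours: weekdays, [09:00, 18:00).
WORK_START, WORK_END = 9, 18


def is_working_hours(ts_utc, tz):
    """True if the UTC timestamp falls on a weekday within business hours in tz."""
    local = ts_utc.astimezone(tz)
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def working_hours_fraction(events_utc, tz):
    """Fraction of events that land inside business hours for the given zone."""
    if not events_utc:
        return 0.0
    hits = sum(1 for ts in events_utc if is_working_hours(ts, tz))
    return hits / len(events_utc)


def rank_timezones(events_utc, zones=CANDIDATE_ZONES):
    """Candidate zones sorted by how well the activity fits a local workday."""
    scored = [(name, working_hours_fraction(events_utc, tz)) for name, tz in zones.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def local_hour_histogram(events_utc, tz):
    """Per-hour event counts in the candidate zone, for eyeballing the workday shape."""
    return Counter(ts.astimezone(tz).hour for ts in events_utc)


if __name__ == "__main__":
    for name, score in rank_timezones(SAMPLE_EVENTS_UTC):
        print(f"{name:36s} {score:.2f} of events inside local business hours")
    print(sorted(local_hour_histogram(SAMPLE_EVENTS_UTC, CANDIDATE_ZONES["UTC+8 (Beijing)"]).items()))
```

On the constructed sample the UTC+8 zone scores highest, which is the kind of result that feeds an inference and nothing more: an operator can schedule tasks, work odd hours, or deliberately mimic another zone, and adjacent offsets (UTC+7, UTC+9) will score nearly as well. Timing is one circumstantial signal to be weighed alongside the others the article mentions, not proof of who was at the keyboard.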
“Attribution may be difficult, but it’s not impossible, particularly when you have prolonged conduct,” Christopher Painter, the coordinator for cyberissues at the State Department, told the Washington Examiner. “You don’t only look at technical attribution, you really look at the full suite of attribution. Back when I was a prosecutor, I didn’t just look at the logs, I looked also at where the money was going.” (Earlier in his career, Painter prosecuted cybercrimes as an assistant U.S. attorney in Los Angeles.)
The technical ability to engage in attribution, together with advanced capabilities and traditional legal norms, favors the role of government when it comes to national cyberdefense, Painter suggested. “States have a right to self-defense, particularly when there’s a use of force by another state,” he said. “If there’s a significant enough cyberincident, without describing what that is, we have a full set of tools that we can use.”
However, he added, “You don’t have to meet cyber with cyber.”
To that end, an agreement reached between President Obama and Chinese President Xi Jinping on Sept. 25 stated that neither government would back commercial espionage and that both would cooperate in working to deter it. “The question now is, ‘Are words followed by actions?’ ” President Obama said at the time. “We will be watching carefully to make an assessment as to whether progress has been made in this area.”
Of course, if the agreement does not produce favorable results, and the U.S. fails to respond, there could be more calls by private actors who are ready to take the law into their own hands. “My reaction when Xi and Obama agreed on this was that it would take about six months to decide whether the Chinese have stopped,” Reisch said. But, he said, “It’s not a rule.”
In the meantime, Reisch said, his commission’s report was not meant to end the discussion, but he did hope that it would serve as an inspiration. “There’s a long list of arguments against it,” he acknowledged, but added, “I think it will be healthy to have the debate.”