The US-China Economic and Security Review Commission has issued its annual report. It reminds us that, while press and privacy campaigners have been hyperventilating over US intelligence programs, there are, you know, actual authoritarian governments at work in the United States — breaking into the networks of activists whom they dislike, newspapers whose sources they want to discover, and companies whose secrets they want to steal, all without (gasp!) court orders or Jim Sensenbrenner’s consent.
Perhaps even more interesting, the Commission offers moral support and an open Overton window to those who advocate much more active defenses than the Justice Department has been willing to countenance under the Computer Fraud and Abuse Act. Among the policy options it treats seriously are watermarking and beaconing of documents for evidentiary purposes as well as authorizing private victims to conduct a host of active responses to intrusions:
Encourage the U.S. government, military, and cleared defense contractors to implement measures to reduce the effectiveness of Chinese cyber operations and increase the risk of conducting such operations for Chinese organizations. For example, the IP Commission recommends measures such as ‘‘meta-tagging, watermarking, and beaconing,’’ because they can help identify sensitive information and code a digital signature within a file to better detect intrusion and removal. These tags also might be used as evidence in criminal, civil, or trade proceedings to prove data was stolen.
Clarify the legal rights of companies, and the types of action that are prohibited, regarding finding and recovering intellectual property that is stolen through cyber intrusions. Mr. Kamphausen said U.S. companies ‘‘need the right tools that afford them the protections, legal and otherwise, so that they can do what’s in their own interest.’’
Pass legislation permitting U.S. companies to conduct offensive cyber operations in retaliation against intrusions into their networks. Such operations could range from ‘‘actively retrieving stolen information’’ to ‘‘physically disabling or destroying the hacker’s own computer or network.’’
NOTE: As usual, I’ll post interesting comments (with attribution unless asked not to) sent to email@example.com.