Establishment Support Builds for Sanctions and Active Defense in Cyberdefense

Anger at Chinese hacking continues to build in American business and government circles. As a result, establishment figures have begun to embrace the idea of letting private companies do more than passively defend their networks. The latest evidence is the report of a commission headed by two Obama appointees, former US Ambassador to China (and minor GOP Presidential candidate) Jon Huntsman and former Director of National Intelligence Dennis Blair. The report, due out later today, apparently names Chinese hacking as a major threat to intellectual property. And according to early press reports, the commission calls for an expansion of private companies’ authority to track their stolen data back to the attacker’s network:

“The commission argued that American companies “ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information” by designing their computer files to self-destruct if they fall into the wrong hands. But the authors of the report also say that if the damage “continues at current levels,” the government should consider allowing American companies to counterattack — essentially taking cyberwar private.

“If counterattacks against hackers were legal, there are many techniques that companies could employ that would cause severe damage to the capability” of the Chinese or other groups committing computerized theft, the report said. But it added a qualifier: “while properly empowered law enforcement authorities are mobilized.” Many in the administration have opposed such ideas, fearing that they could lead to a cycle of escalation between the United States and other nations that could easily spin out of control.”

The commission also adopts another view first popularized here:  that attribution of attacks should be followed by retribution, and it comes up with at least one clever bit of retribution that I’d missed:  restrictions on access to US stock exchanges:

“The new report does propose specific remedies. One is to mandate that foreign companies that want to be listed on stock exchanges in the United States first pass a review by the Securities and Exchange Commission about whether they use stolen intellectual property. “They all want their shares to be traded here, so this would impose a real cost,” Mr. Blair said. Similarly, whether companies protect intellectual property would be considered by the Committee on Foreign Investment in the United States, which judges whether an investment in the United States could pose a security risk. Currently it looks only at national security implications of investments; this would add a new criterion.”

UPDATE:  The actual report has now been released and is available here.  It is not quite as aggressive as the early press coverage suggested, though it still represents movement away from the Justice Department’s conventional wisdom.  Here’s the recommendation, which appears under the heading “Reconcile necessary changes in the law with a changing technical environment”:

When theft of valuable information, including intellectual property, occurs at network speed, sometimes merely containing a situation until law enforcement can become involved is not an entirely satisfactory course of action. While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network…
Finally, new laws might be considered for corporations and individuals to protect themselves in an environment where law enforcement is very limited. Statutes should be formulated that protect companies seeking to deter entry into their networks and prevent exploitation of their own network information while properly empowered law-enforcement authorities are mobilized in a timely way against attackers. Informed deliberations over whether corporations and individuals should be legally able to conduct threat-based deterrence operations against network intrusion, without doing undue harm to an attacker or to innocent third parties, ought to be undertaken.

 
