A group assessing China's role in stealing trade secrets from American companies wants the U.S. government to consider a controversial method for protecting those firms from Chinese hackers: Let them hack back.
"Without damaging the intruder’s own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information," said the report released Wednesday by the Commission on the Theft of American Intellectual Property, a private task force that included former U.S. Ambassador to China Jon Huntsman and former Director of National Intelligence Dennis Blair.
Computer hacking is illegal, even in self-defense. But the report's authors said if counterattacks against hackers became legal, "There are many techniques that companies could employ that would cause severe damage to the capability of those conducting [intellectual property] theft."
"These attacks would raise the cost to IP thieves of their actions, potentially deterring them from undertaking these activities in the first place," the report said. "Only when the danger of hacking into a company’s network and exfiltrating trade secrets exceeds the rewards will such theft be reduced from a threat to a nuisance."
The "hack back" proposal shows how the escalating threat of cyber-espionage is forcing U.S. policymakers to consider more aggressive solutions.
Today's hackers often bypass traditional security methods such as firewalls and anti-virus software, experts say. In response, some cybersecurity companies now specialize in what is called "active defense," offering a wide range of new products. One such service tricks hackers into stealing bogus files from victims' computers.
But some experts suggest companies should go further, arguing that if they get hacked, they should at least be allowed to break into the hacker's computer and retrieve their stolen files.
Such a move is likely illegal under the Computer Fraud and Abuse Act, and the Justice Department's cybercrime manual states that a hacked company "should not take any offensive measures on its own, such as 'hacking back' into the attacker’s computer -- even if such measures could in theory be characterized as 'defensive.'"
The manual notes that "hacking back" could damage the computer system of innocent bystanders, since hackers often route their attacks through the compromised computers of unwitting third parties.
The report notes the commission "is not ready to endorse" hacking back because of this potential for collateral damage or misuse, adding that "further work and research are necessary before moving ahead."
Still, James Lewis, a senior fellow with the Center for Strategic and International Studies, called the idea "truly stupid."
"The people who think this probably thought it was a good idea to invade Iraq," Lewis told The Huffington Post.
He said allowing companies to retaliate against hackers could undercut American cybersecurity initiatives around the world, violate international laws and "create the risk that some idiot in a company will make a mistake and cause collateral damage that gets us into a war with China."
But Stewart Baker, a former assistant secretary at the Department of Homeland Security, argued that preventing hacking victims from counter-hacking effectively grants immunity to attackers.
In a blog post last fall, Baker said that victims could, for example, "poison" the tools that hackers use to exploit computer networks -- known as Remote Access Tools, or RATs -- to identify the attackers and locate other unwitting victims.
"It’s only a matter of time before counter hacks become possible," Baker wrote. "The real question is whether they’ll ever become legal."