Congressional Commission Recommends Cyber Retaliation On China
A scathing report by a federal commission calls for a serious re-thinking of American cybersecurity policies.
Congress needs to examine the viability of allowing companies to digitally retaliate against nation-state actors that steal or copy their data, a report by the U.S.-China Economic and Security Review Commission concluded Nov. 17. Overall, the report added, the U.S. remains a “passive” cyber participant with an “inadequate” cyber strategy.
Chairman of the commission William Reinsch released a statement Nov. 18 saying “it is important for Congress to assess whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks.”
Corporations are not currently allowed to retaliate—in any manner—against a malicious cyber actor without violating American computer hacking laws. The recommendation from the commission, which was established by Congress to report on the national security and economic relationship between the U.S. and China, will consequently involve invalidating or re-writing the law.
A response-hack could involve more than a company employing “counterintrusion” techniques like retrieving or destroying stolen information from the hacker. It could also include “retaliatory” methods such as “photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.”
Currently, the ability to retaliate lies solely with the federal government. The Department of Defense articulated a doctrine in 2011 equating a cyber attack against public infrastructure with an act of war, requiring proportionate cyber retaliation.
The law reflects how the defense and intelligence agencies categorize cyber intrusions. At the lowest level, individual companies are responsible for “routine” cyber attacks. At the intermediate level, the Department of Homeland Security “is responsible for detecting more complex attacks” and providing assistance to the private sector to defend against such attacks. At the apex of the hierarchy are the most dangerous cyber threats, which are the responsibility of the NSA Cyber Command.
The report notes that overall, the U.S. “is ill prepared to defend itself from cyber espionage when its adversary is determined, centrally coordinated, and technically sophisticated” and that the “law has not kept up with the challenges posed by cyber attacks from government-sponsored hackers, nor does international law adequately address the issue.”
American policy “has relied on a passive defense, and the U.S. government has failed to create an overall strategy to counter the increasingly sophisticated cyber attacks on some of our most valuable technology companies,” the report states.
That “passive defense” has created a digital environment for the Chinese where the consequences of committing a cyber attack are heavily outweighed by the benefits of the information stolen.
Nation-state cyber theft exacts a holistic financial cost—to the tune of tens of billions of dollars—on the U.S., including loss of trade secrets, the costs of cyber defense, the loss of business and jobs, and the costs associated with repairing the damage to computer networks.
The hacks of the healthcare giant Anthem, the Office of Personnel Management, and the U.S. Postal Service are all attributable to Chinese actors.