Congressional Commission Recommends Cyber Retaliation On China

A scathing report by a federal commission calls for a seriousre-thinking of American cybersecurity policies.

Congress needs to examine the viability of allowing companies todigitally retaliate against nation-state actors that steal or copytheir data, a report by the U.S.-China Economic and Security ReviewCommission concluded Nov. 17. Overall, the report added, theU.S. remains a“passive†cyber participant with an“inadequate†cyber strategy.

Chairman of the commission William Reinsch released a statementNov. 18 saying “it is important for Congress toassess whether U.S.-based companies that have been hacked should beallowed to engage in counterintrusions for thepurpose of recovering, erasing, or altering stolen data inoffending computer networks.â€

Corporations are not currently allowed toretaliate—in anymanner—against a malicious cyber actor withoutviolating American computer hacking laws. The recommendation fromthe commission, which was established by Congress to report on thenational security and economic relationship between the U.S. andChina, will consequently involve invalidating orre-writing the law. (RELATED: Did Obama’s Oil PolicyCreate The Crisis With China?)

A response-hack could involve more than a company employing“counterintrusion†techniques likeretrieving or destroying stolen information from the hacker. Itcould also include “retaliatoryâ€methods such as “photographing the hacker usinghis own system’s camera, implanting malware inthe hacker’s network, or even physicallydisabling or destroying the hacker’s owncomputer or network.’’(RELATED: China, US Tell Pilots To Stop FlippingEach Other Off)

Currently, the ability to retaliate lies solely with the federalgovernment. The Department of Defense articulated a doctrine in2011 equating a cyber attack against public infrastructure with anact of war, requiring proportionate cyber retaliation.

The law reflects how the defense and intelligence agenciescategorize cyber intrusions. At the lowest level, individualcompanies are responsible for“routine†cyber attacks. At theintermediate level, the Department of Homeland Security“is responsible for detecting morecomplex attacks†and providing assistance to theprivate sector to defend such attacks. At the apex of thehierarchy, are the most dangerous cyber threats, which are theresponsibility of the NSA Cyber Command. (RELATED: US Healthcare Under Tidal Wave OfChinese Hacking)

The report notes that overall, the U.S. “isill prepared to defend itself from cyber espionage when itsadversary is determined, centrally coordinated, and technicallysophisticated†and that the “law hasnot kept up with the challenges posed by cyber attacks fromgovernment-sponsored hackers, nor does international law adequatelyaddress the issue.†(RELATED: Fool Me Twice … ChinaAttacks Seven Companies After US Cyber Truce)

American policy “has relied on a passivedefense, and the U.S. government has failed to create an overallstrategy to counter the increasingly sophisticated cyber attacks onsome of our most valuable technology companies,†thereport states.

That “passive defense†hascreated a digital environment for the Chinese where theconsequences of committing a cyber attack are heavily outweighed bythe benefits of the information stolen. (RELATED: U.S. General: Pentagon Bombarded WithHacker Emails)

Nation-state cyber theft exacts a holistic financialcost—to the tune of tens of billions ofdollars—on the U.S. including: loss of tradesecrets, the costs of cyber defense, the loss of business and jobs,and the costs associated with repairing the damage to computernetworks.

The hacks of the healthcare giant Anthem, the Office ofPersonnel Management, and the U.S. Postal Service are allattributable to Chinese actors.

Follow Steve Ambrose on Twitter