A scathing report by a federal commission calls for a serious re-thinking of American cybersecurity policies.
Congress needs to examine the viability of allowing companies to digitally retaliate against nation-state actors that steal or copy their data, a report by the U.S.-China Economic and Security Review Commission concluded Nov. 17. Overall, the report added, the U.S. remains a "passive" cyber participant with an "inadequate" cyber strategy.
Chairman of the commission William Reinsch released a statement Nov. 18 saying "it is important for Congress to assess whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks."
Corporations are not currently allowed to retaliate, in any manner, against a malicious cyber actor without violating American computer hacking laws. Acting on the recommendation from the commission, which was established by Congress to report on the national security and economic relationship between the U.S. and China, would therefore require repealing or re-writing that law.
A response-hack could involve more than a company employing "counterintrusion" techniques like retrieving or destroying stolen information from the hacker. It could also include "retaliatory" methods such as "photographing the hacker using his own system's camera, implanting malware in the hacker's network, or even physically disabling or destroying the hacker's own computer or network."
Currently, the legal authority to retaliate lies solely with the federal government. The Department of Defense articulated a doctrine in 2011 under which a cyber attack against public infrastructure can be treated as an act of war warranting a proportionate response.
The law reflects how the defense and intelligence agencies categorize cyber intrusions. At the lowest level, individual companies are responsible for "routine" cyber attacks. At the intermediate level, the Department of Homeland Security "is responsible for detecting more complex attacks" and for assisting the private sector in defending against them. At the apex of the hierarchy are the most dangerous cyber threats, which are the responsibility of the NSA and U.S. Cyber Command.
The report notes that overall, the U.S. "is ill prepared to defend itself from cyber espionage when its adversary is determined, centrally coordinated, and technically sophisticated" and that the "law has not kept up with the challenges posed by cyber attacks from government-sponsored hackers, nor does international law adequately address the issue."
American policy "has relied on a passive defense, and the U.S. government has failed to create an overall strategy to counter the increasingly sophisticated cyber attacks on some of our most valuable technology companies," the report states.
That "passive defense" has created a digital environment for the Chinese in which the consequences of committing a cyber attack are heavily outweighed by the benefits of the information stolen.
Nation-state cyber theft exacts a broad financial cost on the U.S., to the tune of tens of billions of dollars, including the loss of trade secrets, the costs of cyber defense, the loss of business and jobs, and the costs associated with repairing damaged computer networks.
The hacks of the healthcare giant Anthem, the Office of Personnel Management, and the U.S. Postal Service have all been attributed to Chinese actors.