U.S. urged to let companies 'hack-back' at IP cyber thieves

Best defense against American IP theft may be legalizing cyber offense, U.S. commission says

U.S. companies should be allowed to take aggressive countermeasures against hackers seeking to steal their intellectual property, contends the private Commission on the Theft of American Intellectual Property.

The 100-page report, released this week, stops just short of recommending that the U.S. allow businesses to actively retrieve stolen information from within an intruder's network, and to disable or destroy it without any limitations.

However, the report does make clear that some so-called hack-back options be available if simpler attempts to deter IP theft fail, which will likely gain the attention of rights advocacy groups.

The commission is co-chaired by Dennis Blair, former U.S. Director of National Intelligence and Jon Huntsman, former U.S. Ambassador to China.

The report, released May 22, largely blames China for the what it says is the theft of hundreds of billions of dollars worth of U.S. intellectual property each year. Such theft is leads to significant U.S. revenue loss while hurting U.S. innovation and jobs, the report noted.

"The American response to date of hectoring governments and prosecuting individuals has been utterly inadequate to deal with the problem," the Commission said in the report.

Data from court cases, the U.S. Trade Representative and from specialized firms and industry groups show that Chinese cybercriminals account for roughly 70% of all IP theft today.

The stolen IP is used to help Chinese companies and the Chinese government close the current technology gap with the U.S. That finding is similar to one cited in the recently-released Department of Defense Annual Report to Congress.

Countries like India and Russia are also seen posing a strong threat to American IP, the reports said.

Existing laws and IP protection provisions in international trade agreements have failed to address the issue so far. Similarly, emerging cybersecurity laws and policies implemented by the Obama Administration to tighten U.S. economic espionage laws will only have limited effect, the IP Commission argued.

In order to better deter IP theft, American companies should be allowed to implement measures that make it much more costly for someone to steal their property, the latest report said.

"Effective security concepts against targeted attacks must be based on the reality that a perfect defense against intrusion is impossible," the IP Commission said. It argued that it's more important to raise the stakes for cybercriminals than to create more laws aimed at stopping all attacks.

For instance, the commission argues that U.S. laws should let American owners of intellectual property recover or render inoperable any IP that's stolen over the Internet. Such laws would allow companies to consider a broader use of "meta-tagging," "beaconing" and "watermarking" tools to digitally mark any files containing proprietary data.

The tools would alert companies to the theft of a protected file, and could help identify where it was stored by the cybercriminals. Such tools would also let IP owners render a stolen file inaccessible or lock down an authorized user's computer.

Such measures do not violate existing Internet laws and could reduce some of the incentive for hackers to steal IP, the commission said.

The IP Commission's report also cited what it said are growing calls to create a more "permissive environment" that allows American companies to launch offensive cyber actions against IP thieves. The offensives could help companies retrieve stolen information, alter it within an intruder's computer or network, or destroy it.

"Additional measures go further, including photographing the hacker using his own system's camera, implanting malware in the hacker's network, or even physically disabling or destroying the hacker's own computer or network," the report said.

The IP Commission acknowledges that cyber retribution measures are not currently legal under U.S. law, and should not be considered today and acknowledged that "An action against a hacker designed to recover a stolen information file or to degrade or damage the computer system of a hacker might degrade or damage the computer or network systems of an innocent third party."

Nonetheless, unless IP theft declines soon, the government may need to consider making at least some counterattacks legal..

Rights advocacy groups have in the past expressed concern over any move that would give content and IP owners too much leeway to hack back or take other private action against alleged IP thieves.

The main concern is that content owners could easily abuse such laws to go after a wide range of websites and entities that are deemed to engage in illegal activities.

The Stop Online Piracy Act (SOPA) bill, which would have let U.S. companies go after rogue foreign sites, was derailed early last year by concerns that it would give U.S. copyright and IP owners inordinate power to shut down rogue foreign -- and U.S. -- sites.

Supporters of the bill contended it was needed to counter the theft of billions of dollars worth of IP. Critics expressed fear that the law would be used by U.S. content owners to one day go after the likes of YouTube and Flickr.

Critics have also expressed skepticism over the claim that the U.S. is losing hundreds of billions of dollars in revenues and tens of thousands of jobs as a result of IP theft. They contend that the numbers are being inflated to drum up support for measures that would arm the content industry with unprecedented powers to police the Internet.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is jvijayan@computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingCommission on the Theft of American Intellectual Propertysecurityintelprivacy

More about Topic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place