As the volume of cyberattacks aimed at stealing commercial secrets from U.S. companies has grown over the last several years, government officials have grasped for solutions. One proposal that has garnered renewed attention is that idea that companies be allowed to engage in “counterintrusions,” in which they seek to hack intruders with the aim of destroying or altering their stolen data.
“Hacking back” is illegal under the Computer Fraud and Abuse Act of 1986. In addition to circumscribing limits on private enterprise, federal law does the same to many law enforcement agencies. As a result, sophisticated foreign adversaries will often leverage access into American systems, like those belonging to universities, in order to increase the difficulty of counteracting their activity.
“What we are discovering, I think, is that countries are beginning to realize the tools we have now are not adequate for the job that needs to be done,” William Reisch, chairman of the U.S.-China Economic and Security Review Commission, told the Washington Examiner. “We need some new tools that will allow us to do some different things.”
In November, Reisch’s commission issued its annual report to Congress. It suggested, in part, that companies be allowed to hack back, and recommended that Congress “assess the coverage of U.S. law to determine whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks.”
The commission made the suggestion in response to what it described as the “increasing harm” done by China’s “coordinated, government-backed theft of information from a wide variety of U.S.-based commercial enterprises.”
Government estimates corroborate the commission’s assessment. In July, the FBI estimated the number of commercial espionage cases had increased by 53 percent over the preceding year. Of companies the FBI surveyed, 95 percent attributed the attacks to hackers in China.
However, the Obama administration has positioned itself against allowing companies to engage in offensive cyberactivity. Many experts are similarly opposed because of the complexity inherent to conducting international cybersecurity.
“First and foremost, how do you know who hacked your company?” asks Tony Cole, a vice president and chief technology officer at cybersecurity firm FireEye, told the Washington Examiner. “Does the company have definitive proof of who the adversary is sitting at the keyboard? If you do have that definitive proof, did the attacker use a number of hopping points across other compromised systems under their control?”