Panel: Use Hack-Back to Mitigate IP Theft
Chinese Blamed for More than Half of Intellectual Property Theft
A variation of hack-back - in which a victim of a cyber-attack assaults the assailant's computer or network - could be used to mitigate the theft of intellectual property. That's one of the takeaways of a just-released report from the Commission on the Theft of American Intellectual Property, a private group.
A major recommendation of the report, issued May 22, is that the federal government and business impose economic penalties against those accused of profiting from pilfered intellectual property. But the commission - co-chaired by former U.S. ambassador to China Jon Huntsman and former National Intelligence Director Dennis Blair - also suggests that the government be supportive of American companies that can identify and recover pilfered intellectual property through cyber means. Put simply, the victims would break into their assailants' computers to recover their intellectual property or disable it.
"Without damaging the intruder's own network, companies that experience cybertheft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information," the report says.
Collateral Damage Concerns
"Part of the basis for this bias against 'offensive cyber' in the law includes the potential for collateral damage on the Internet," the report says. "An action against a hacker designed to recover a stolen information file or to degrade or damage the computer system of a hacker might degrade or damage the computer or network systems of an innocent third party."
The commission doesn't recommend specific revisions to the law, at least not now. But, the report says, "informed deliberations over whether corporations and individuals should be legally able to conduct threat-based deterrence operations against network intrusion, without doing undue harm to an attacker or to innocent third parties, ought to be undertaken."
Most of the commission's recommendations do not deal with cybersecurity, but among those that do, it recommends:
- Implementing prudent vulnerability-mitigation measures to provide a summary of the security activities that ought to be undertaken by companies. "Activities such as network surveillance, sequestering of critical information and the use of redundant firewalls are proven and effective vulnerability-mitigation measures," the report says.
- Reconciling necessary changes in the law with a changing technical environment. Technology and law must be developed to implement a range of more aggressive measures that identify and penalize illegal intruders into proprietary networks, but do not cause damage to third parties. "Only when the danger of hacking into a company's network and exfiltrating trade secrets exceeds the rewards will such theft be reduced from a threat to a nuisance," the report says.
Chinese Policy Encourages IP Theft
The report says the vast majority of intellectual property theft emanates from China, which its authors contend accounts for 50 percent to 80 percent of the problem. They see China's national industrial policy goals as encouraging intellectual property theft, adding that an extraordinary number of Chinese in business and government entities engage in this practice.
There are also weaknesses and biases in the Chinese legal and patent systems that lessen the protection of foreign intellectual property. In addition, the report says, other policies weaken intellectual property rights, from requiring technology standards that favor domestic suppliers to leveraging access to the Chinese market for foreign companies' technologies.