Sometimes, the best defense is a good offense. That appears to be the motivating adage behind a recent report from the U.S.-China Economic and Security Review Commission, which urges lawmakers to consider letting US-based companies hack Chinese hackers who have infiltrated their systems and stolen their data.
The report points out that cyber attacks originating from China have collectively cost US companies tens of billions of dollars in lost revenue and expenses related to investigating breaches and bolstering security after the fact. Stolen data such as trade secrets has been passed along to government-owned Chinese companies, the report claims.
This past September, President Barack Obama and Chinese President Xi Jinping agreed to a preliminary digital arms race treaty in which neither country’s government would conduct or knowingly support theft of trade secrets with the intent to provide a competitive advantage to their nation’s commercial sectors.
Nevertheless, the congressional advisory board’s report contends that China believes it has more to gain than lose from cyber attacks and that the costs incurred have been minimal compared to the perceived benefit. What’s more, the committee believes the campaign is likely to continue and could escalate.
Existing laws prohibit retaliatory attacks by private corporations and citizens, even if the intent is simply to recover or erase stolen data. FireEye Chief Security Strategist Richard Bejtlich told the Associated Press that there wouldn’t be much of an appetite for such a service in the private sector. Instead, he believes the US government should be responsible for any counter-intrusions.