Officials from the United States and China met earlier this month to discuss issues relating to “international norms of state behavior and other crucial issues for international security in cyberspace.” The meeting was the first since the two countries agreed on an anti-hacking pledge, and should continue on a biannual basis.
Hacking allegedly conducted by China costs United States companies large sums of money, exposes the personal data of millions of citizens, and threatens our civil liberties.
The answer to state-sponsored hacking may be meeting of high-level officials between the offending and victim countries, or it may be unleashing the U.S. economy on these state actors. A report issued by the U.S. – China Economic and Security Review Commission, summarized current cybersecurity threats from China faced by the United States and United States companies.
One of the Commission’s recommendations, in particular, is worth highlighting. Current federal law prohibits U.S. companies from retaliating against foreign entities that engage in cyber espionage. It recommended that
“Congress assess the coverage of U.S. law to determine whether U.S.-based companies that have been hacked should be allowed to engage in counter intrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks.”
In other words, the Commission recommended allowing the free market—companies—to defend themselves from foreign-based cyberattacks. Defense mechanisms may include using hackers to retrieve, or delete, stolen information, remotely installing software designed to investigate hacks, and even destroying the hacker’s computer or network.
A number of cyberattack problems originate, allegedly, from China. Hacking organizations linked to the Chinese government have targeted, over the past few years, United States’ businesses and government entities. These attacks have impacted the Office of Personnel Management, health insurance companies, engineering schools, and even journalists who have been critical of the Chinese government.
Damages from cyberattacks pose real threats to United States citizens and corporations. In addition to accessing personal information such as birthdates and social security numbers, cyberattacks cause increased corporate spending and lost jobs.
The Commission’s Report postulates that cyberattacks “could result in a permanent reduction of as many as 200,000 U.S. jobs.” Similarly, it estimates the “average annual cost” to companies is around $12.7 million.
In many respects, the breadth of the problem begs the solution. Foreign actors, whether from China or Russia, have little incentive to stop hacking. Meetings between governments represent nothing in the way of actual consequences. The United States government can indict the foreign actors, but indictments mean little if foreign governments refuse to arrest them.
Allowing companies to defend their properties may be different. As quoted by the report, companies may cause foreign actors and foreign governments to think twice before hacking into U.S. companies.
“Deterrence is partially a function of perception. It works by convincing a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States, and by decreasing the likelihood that a potential adversary’s attack will succeed.”
The Commission’s recommendation to enable corporations to defend themselves seems like a sensible, affordable solution. It does not create a government entity. It does not levy additional taxes for defense, but relies on companies to invest in protecting their assets.
While allowing companies to defend themselves may be a sensible, affordable solution, there are questions needing answers. Is this the best solution? Would this solution result in collateral damage to innocent third parties? Can the law be changed in a way to prevent companies from “hacking back” against U.S.-based individuals? Can any potential collateral damage be prevented? Should Congress make companies liable for collateral damage?
The implications and potential consequences need to be discussed. And they need to be discussed in the greater context of doing nothing to confront the threat of foreign cyberattacks.
Removing barriers preventing companies from defending themselves from foreign cyberattacks is a logical, and seemingly low cost, solution—a solution that is likely to result in real changes rather than merely in high-level meetings. While there may be some challenges to address before changing the law, the U.S.-China Economic and Security Review Commission’s changes represent a true, free market cybersecurity solution to the problem of state-sponsored cyberattacks.
Jonathon Hauenschild, J.D., is a legislative analyst for the American Legislative Exchange Council Task Force on Communications and Technology.