US urged to permit self-defense retaliation on hackers

US urged to permit self-defense retaliation on hackers

Summary: Would retaliatory attacks make hackers think twice?


Throwing money at creating cyberpolice forces and technology to keep up with digital threats may not be the only tactics the U.S. will employ in the future.

As a meeting between President Obama and the new president of China, Xi Jinping, draws near, former senior officials in the Obama Administration will recommend a series of steps to deter hackers from the country from stealing U.S. industrial secrets.

As reported by The New York Times, Dennis C. Blair and Jon M. Huntsman Jr., leaders of the private Commission on the Theft of American Intellectual Property, suggest that if less forceful measures to deter hackers fail, then companies should be granted the right to protect their systems on their own terms.

The right to retaliate against cyberattackers is detailed in the commission's report, due for release today.

China and the United States have constantly clashed over the prevalence of cyberattacks. A recent report issued by the U.S. Department of Defense laid the blame for widespread cyber espionage campaigns against U.S. targets squarely at the Chinese government and military's feet, just as security firm Mandiant claimed that China is responsible for an "overwhelming number" of cyberattacks in February.

China denies these claims, and has said that accusations are "groundless."

Recently, former and current government officials said that a Chinese attack on Google servers in 2010 resulted in the exposure of data relating to U.S. surveillance targets.

Huntsman commented:

"China is two-thirds of the intellectual property theft problem, and we are at a point where it is robbing us of innovation to bolster their own industry, at a cost of millions of jobs. We need some realistic policy options that create a real cost for this activity because the Chinese leadership is sensitive to those costs."

The new report proposes that in order to stop the theft of intellectual property, foreign firms that wish to be listed on the stock exchange would have to pass a review by the Securities and Exchange Commission to make sure they are not using stolen technology. In addition, Congress should "greatly expand the number of green cards available to foreign students who earn science, technology, engineering and mathematics degrees in American universities and who have a job offer" in the United States. This may encourage students to stay in the country, rather than take their skills and knowledge elsewhere and later work for U.S. competitors.

When dealing with cyberattacks, the former senior officials propose allowing American companies to "be able to retrieve their electronic files or prevent the exploitation of their stolen information" by either including self-destruction capabilities within files, or counterattack directly.

If hacking counterattacks are made legal, the report argues, then "there are many techniques that companies could employ that would cause severe damage to the capability" as long as law enforcement agencies are aware of what's going on. However, if attacking becomes the best defense, then some government officials fear that the cyberwar between nations will quickly escalate and could end up out of control.

As a last resort, the report says that tariffs or restrictions could be placed on the import of Chinese products, a measure that Senators have already considered. This month, a new bill was proposed that would block the import of products which contain U.S. technology stolen through cybercrime.

Topics: Security, Government US, Malware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Well

    What would be an example of retaliation?
    • Well...

      If nothing else, I am working on a new API that would be helpful. It includes the function voltageToKeyboard()
      • This was in a "copier chain letter" in the 1970s.

        A list of suggested machine language instructions distributed as a joke included about thirty op-codes with their explanations. One of them was:

        EXOI = EXecute Operator Immediate

        The others had to do with shredding tape or punch cards, losing files, etc.
  • I thought the US was all about 'rule of law'.

    When did 'vigilantism' become acceptable?
    • Not Vigilantism...

      More like a "stand your ground" type of self-defense.
      • Which would not include retaliation

        Defending ones own system is one thing. Attacking someone else's because you *think* he attacked you is quite another.
        John L. Ries
        • re: Which would not include retaliation

          If you can make the counterattack directly on the system that invaded yours (as opposed to intermediaries, dupes, people who happen to be on the same ISP, etc.), then the *think* part really doesn't come into play. I suspect that that's still a big "if".
          rocket ride
          • But you have to be d**n sure.

            You could get in big legal trouble (civil, anyway) if you retaliate and harm an innocent relay-bot system. Besides which, that innocent system might be owned by someone who thinks YOU were the original attacker. It could become the cyber equivalent of the Hatfield-McCoy feud or a "circular firing squad" with each intended retaliation becomes the excuse for another.
    • The U.S. is run by hypocrites.

      The U.S. government commits all of the same acts as China. Because they're just as guilty, it's disgusting to hear them complain about anything China is doing.

      It also makes me sick that our government keeps making it legal for corporations to do things which a citizen would go to jail for doing. Want an example? What about the recording industry raids on people's homes where they confiscate all of their equipment? The law should apply the same to everyone. All of the artists who were ripped off by the recording industry should be allowed to raid their offices and confiscate all of their equipment in the same manner.

      The ONLY thing this vigilante policy will accomplish is to jam up Internet traffic to the point of unusable. There is already an immense amount of bandwidth used up by attacks. Where is the logic in increasing the number of attacks?
      • And you know this how?

        @BillDem: Can you give some examples? Do you know for a fact that we are cyber attacking China? So, how do you think we should handle the cyber-attacks if "retaliation as a deterrent" isn't the answer?

        BTW...if we all are honest with ourselves, we are all hypocrites. If you think you aren't, then you are probably the biggest of all.
        • Woops Splunge

          Head in sand.
    • Perhaps the administration should enforce the law...

      When the governments of the world failed to protect their citizens and their property.
  • self_defense

    We need a process to attack spammers as well. Something simple that will flood their mailbox with spam.
    • re: self_defense

      I keep hoping for someone to figure out how to retaliate with something more definitive and nasty than a mere DDOS attack.
      rocket ride
    • Spammers don't have mailboxes

      Spammers usually don't have any mailboxes, unless you are talking about scams that want you to reply. They mostly use a non-existent email address or the mailbox of your hacked friend who has you in his contacts. You can't retaliate against the non-existent senders and spamming a hacked person will either turn into more retaliation or a lawsuit. Spammers are more easily defeated by just ignoring them.
      Christopher Mettin
    • That was already tried by Blue Frog

      but spammers retaliated via attacks on innocent third parties that they tried to blame on Blue Frog, etc:
  • what the?

    You have to have permission to retalitate on thieves? Our workers who've lost their jobs due to these crooks' shenanigans are living on food stamps while the chicoms are eating their lunch, and we're asking them to smile pretty and pretend it's all fair play?
    • The thing about retaliation is...'s not guaranteed that you're retaliating against the right person (unless, of course, you catch him in the act). If I catch a burglar breaking into my house, I'm within my rights to detain him until the police arrive, but not to attack him on the street or to break into his house; and I certainly wouldn't be justified in retaliating against someone I only thought broke into my house.
      John L. Ries
      • It's not the same thing

        i understand your comment and agree in part but Cyber Attacks are a little bit different than some handjob breaking into your house. BTW...if someone broke into my house and threatened my family...there would be alot more than detaining going on. Best call the meat wagon to haul off the parts.
        • How do you know for sure who attacked you?

          You cannot catch someone cyber attacking you in the act and you absolutely won't be sure who it was because you will mostly only have an IP address which could be from a hacked computer.
          Also if someone breaks into your house, you can arrest them, tell them what they are arrested for and then you have to call police. If "there would be a lot more than detaining going on," you would booked together with that guy. We are not barbarians, we don't need a pre-civilization "an eye for an eye". Splunge, you sound sort of backward-thinking to me. Maybe we should instead stop buying anything Made in China (matter if its some Chinese company or Apple) and instead pay an extra buck for a phone that was made with American labor. If your company manufactures in China, then it is probably more likely to be copied there, than someone downloading the blueprints off your server in the US (provided the server is password-protected and in a firewalled or offline area). Most counterfeit products are made in the same facility as the originals if they are made in China. I don't know if US companies still haven't given the idea that their cheap Chinese contractor could be leaking something.
          Christopher Mettin