A new report recommends a sliding scale of actions to stop Chinese adversaries from stealing American intellectual property – and legalizing “counterattacks” was among the more extreme measures proposed.
The Commission on the Theft of American Intellectual Property on Wednesday released the “IP Commission Report” (PDF) which offered several steps to curb data theft. These include enforcing a trade tariff on all products sourced from China. Its most controversial endorsement was that private companies should consider counterstrikes against foreign hackers, if all else fails.
But the Washington, D.C.-based bipartisan group, which was founded last year as an initiative to assess and curb international data theft, said that because of the possibility of collateral damage and misuse, it was not ready to fully “endorse” the counterattack recommendation, but that if “the loss of IP continues at current levels,” the government should consider authorizing “aggressive cyber actions against IP thieves.”
Dennis Blair, former U.S. director of the national intelligence, and Jon Huntsman Jr., former Utah governor and ambassador to China under the Obama administration, co-chaired the commission.
The report was released just weeks before Obama is scheduled to sit with China's President Xi Jinping to discuss foreign relations concerns and initiatives between the two countries. The New York Times first reported the story.
Less-extreme measures included companies using files capable of self-destructing if stolen, a technique that falls under what many security practitioners call "active defense."
Meanwhile, some of the advice is more policy-based than technical.
For instance, the U.S. Securities and Exchange Commission (SEC) might consider determining if international companies listed on the stock exchange are a threat to the U.S. Or, the government could increase the number of green cards available to college students obtaining science, technology, engineering and mathematics (STEM) degrees, in an effort to discourage them from passing along business secrets or other information to their native countries.
On Wednesday, Jason Healey, director of the Cyber Statescraft Initiative at the Atlantic Council, which researches cooperation, competition and conflict in cyber space, told SCMagazine.com that despite the more radical considerations, the report offers beneficial suggestions that shouldn't be overlooked.
“Most of the things in this [report] are just good, smart defense,” Healey said. “We've got to get ourselves used to the idea, and talking about those middle-of-the-range things that could be very useful – and I'm hopeful that the report [highlights] these things that we might do.”
Healey also said that the government should step in to curb foreign espionage threats by declassifying significant information it has on spy campaigns targeting U.S. companies and agencies.
Security firms like Mandiant, which published a detailed analysis in February on a Chinese government-backed group dubbed APT1 that stole massive amounts of data from U.S. companies, have begun to disclose these types of findings about advanced attackers, but the government should be providing this intelligence itself.
“To me, the most moderate response is declassifying information,” Healey said. “We've left it up to Mandiant and other companies like this to do it, but I think the government should come out with information on APT1 and other groups – and, if needed, be ready to show that the Chinese government knows this is happening."
The Chinese government regularly denies that Beijing is involved in any espionage operations and that the United States engages in its own hacking activities.