Instead of rehashing the Commission on the Theft of American
Intellectual Property's account of the billions in IP stolen by Chinese
hackers every year -- something you've read about ad nauseam -- we'll cut
straight to the chase and give you its recommendations.
(The private commission -- loosely affiliated with the National Bureau of Asian Research -- was led by Dennis Blair, who served
as President Barack Obama's first director of national intelligence, and former
Utah Governor Jon Huntsman, who served as U.S. ambassador to China from 2009
Basically, it recommends that U.S. businesses invest in
cyber defenses that let them monitor their networks in real time, and buy technology
that could freeze the computer of anyone who opens stolen documents on it.
The commission stops short of recommending that private businesses hack back
against cyber thieves but warns such actions may be necessary in the future.
Here are those suggestions in greater detail.
First up, it recommends that corporations hire what amount to
full-time IT security guards who patrol their networks -- assisted by automated
systems that flag software behaving strangely, a telltale sign of malware --
looking for intruders. This is pretty much the only way to deal with advanced
hackers, who will eventually find their way past any firewall or cyber Maginot Line.
Despite their limited utility against skilled and persistent
targeted hackers, computer security systems still need to maintain not only the
most up-to-date vulnerability-mitigation measures, such as firewalls,
password-protection systems, and other passive measures. They should also
install active systems that monitor activity on the network, detect anomalous
behavior, and trigger intrusion alarms that initiate both network and physical
actions immediately. This is a full-time effort.
Organizations need network operators "standing watch" who
are prepared to take actions based on the indications provided by their
systems, and who keep a "man in the loop" to ensure that machine responses
cannot be manipulated. Organizations need to have systems -- software, hardware,
and staff -- to take real-time action to shut down free movement around the house,
lock inside doors, and immobilize attackers once the alarms indicate that an
intrusion has started.
The report also recommends that companies purchase software
capable of quickly analyzing email attachments and links to malicious websites
to weed out well-crafted spear-phishing emails before a human is tricked into
Next, the report encourages businesses to tag their data so
that it can be tracked if stolen -- kind of like Find
My iPhone for intellectual property -- or even to load data with self-destruct
mechanisms or software that locks the computer of an unauthorized user.
"Companies should consider marking their electronic files
through techniques such as 'meta-tagging,' 'beaconing,' and 'watermarking,'"
reads the report. "Such tools allow for awareness of whether protected
information has left an authorized network and can potentially identify the
location of files in the event that they are stolen."
It goes on to say that a "file could be rendered
inaccessible and the unauthorized user's computer could be locked down, with
instructions on how to contact law enforcement to get the password needed to
unlock the account. Such measures do not violate existing laws on the use of
the Internet, yet they serve to blunt attacks and stabilize a cyber incident to
provide both time and evidence for law enforcement to become involved."
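The report names the techniques but does not say how a tag is built or how it is used. The following is an added illustration, not code from the Commission or from any product it mentions, of the "meta-tagging"/"watermarking" half of that quote: each issued copy of a sensitive file carries a per-recipient tag that is an HMAC over the document id and the recipient, keyed with a secret the organization holds, so an outsider can neither forge a tag that points at someone else nor enumerate who received copies. An egress scanner that sees the tag in outbound data can then report which document is leaving and whose copy it is, which is the "awareness of whether protected information has left an authorized network" the report describes. The header name `X-Doc-Tag`, the document ids, recipients, secret and the forwarded-mail sample are all constructed for the example; the "beaconing" and lock-the-computer parts of the proposal are deliberately not shown.

```python
"""Per-copy document tagging with keyed tags, plus an egress check.

Added illustration (not the Commission's or any vendor's code).  Only the
tag is written into the file; the mapping tag -> (document, recipient) is
kept in a registry, so the file itself does not reveal who received it.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Assumed header name and layout for the embedded tag.  A real deployment
# would put it in format-specific metadata (PDF /Info, OOXML core
# properties) rather than a visible first line; the mechanism is the same.
TAG_HEADER = "X-Doc-Tag"
TAG_RE = re.compile(rf"{TAG_HEADER}: ([0-9a-f]{{32}})")

Registry = Dict[str, Tuple[str, str]]  # tag -> (doc_id, recipient)


def make_tag(secret: bytes, doc_id: str, recipient: str) -> str:
    """HMAC-SHA256 over (doc_id, recipient), truncated to 128 bits.

    Keyed, so nobody without the secret can mint a tag naming a victim
    or derive a recipient from a tag.  The NUL separator keeps the two
    fields from running together ("ab"+"c" vs "a"+"bc").
    """
    msg = f"{doc_id}\x00{recipient}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def verify_tag(secret: bytes, tag: str, doc_id: str, recipient: str) -> bool:
    """Registry-free check: does this tag belong to (doc_id, recipient)?
    Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(make_tag(secret, doc_id, recipient), tag)


def issue_copy(secret: bytes, registry: Registry, doc_id: str,
               body: str, recipient: str) -> str:
    """Produce one recipient's copy of a document and record its tag."""
    tag = make_tag(secret, doc_id, recipient)
    registry[tag] = (doc_id, recipient)
    return f"{TAG_HEADER}: {tag}\n{body}"


def scan_outbound(payload: str, registry: Registry) -> List[dict]:
    """Egress check: find document tags in data leaving the network.

    A tag found in the registry identifies the document and whose copy it
    is.  A well-formed tag that is NOT in the registry is reported too:
    it is either forged or was issued by someone else, and both are worth
    a look.  The scanner needs only the registry, never the secret.
    """
    hits = []
    for tag in TAG_RE.findall(payload):
        if tag in registry:
            doc_id, recipient = registry[tag]
            hits.append({"tag": tag, "known": True,
                         "doc_id": doc_id, "recipient": recipient})
        else:
            hits.append({"tag": tag, "known": False})
    return hits


def demo() -> List[dict]:
    """Issue two copies of a constructed document, then 'forward' one of
    them out of the network and see what the egress scanner reports."""
    secret = b"constructed-demo-secret-do-not-reuse"   # constructed
    registry: Registry = {}
    body = "Q3 roadmap: ship the new billing engine in September."  # constructed
    issue_copy(secret, registry, "Q3-roadmap", body, "alice")
    bob_copy = issue_copy(secret, registry, "Q3-roadmap", body, "bob")

    # Constructed outbound mail carrying Bob's copy as its body.
    outbound = ("From: bob@example.com\nTo: someone@example.net\n"
                "Subject: fyi\n\n" + bob_copy)
    return scan_outbound(outbound, registry)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The choice of an HMAC rather than a random identifier matters for the attribution use the report has in mind: with a random id the registry is the only proof, whereas with a keyed tag the organization can later show, to a court or to the party that found the file, that a specific tag could only have been produced for a specific recipient. The tag is visible and strippable, as any metadata mark is; the scanner's "unknown tag" path is there precisely because tampered or foreign tags are the interesting cases.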
Significantly, the report does not recommend that companies
hack back against their cyber adversaries, despite calls from some in the
private sector who want to be allowed to do just that (yours truly has been in
the room for plenty of conversations with private IT security types who have
called for this). While it may be nice to punch back at a hacker and take down
his or her networks or even computers, there's a big potential for collateral
damage, especially if the hackers are using hijacked computers belonging to
"The de facto sanctioning of corporate cyber retribution is
not supported by established legal precedents and norms," states the report.
"Part of the basis for this bias against 'offensive cyber' in the law includes
the potential for collateral damage on the Internet. An action against a hacker
designed to recover a stolen information file or to degrade or damage the
computer system of a hacker might degrade or damage the computer or network
systems of an innocent third party. The challenges are compounded if the hacker
is in one country and the victim in another. For these reasons and others, the
Commission does not recommend specific revised laws under present
That last sentence echoes numerous U.S. government
officials, including House Intelligence Committee Chair Rep. Mike Rogers, who warn
against companies hitting back at their enemies in cyberspace.
Still, the document states that while it doesn't recommend
hacking back, U.S. law may need to be changed in the future to allow such
actions if Chinese theft of American IP continues unabated.
The Commission considered three additional ideas for
protecting the intellectual property of American companies that it does not
recommend at this time. In the future, if the loss of IP continues at current
levels, these measures ought to be considered.
Recommend that Congress and the administration authorize
aggressive cyber actions against cyber IP thieves.
Currently, Internet attacks against hackers for purposes of
self-defense are as illegal under U.S. law as the attacks by hackers themselves.
As discussed in the cyber recommendations above, if counterattacks against hackers
were legal, there are many techniques that companies could employ that would
cause severe damage to the capability of those conducting IP theft. These
attacks would raise the cost to IP thieves of their actions, potentially
deterring them from undertaking these activities in the first place.
The Commission is not ready to endorse this recommendation
because of the larger questions of collateral damage caused by computer
attacks, the dangers of misuse of legal hacking authorities, and the potential
for nondestructive countermeasures such as beaconing, tagging, and
self-destructing that are currently in development to stymie hackers without
the potential for destructive collateral damage.
It goes on to urge lawmakers to clarify exactly what
aggressive steps businesses can take to defend their intellectual property
while guarding against full-on cyber vigilantism. It also calls on Congress to
pass legislation, such as the Cyber Intelligence Sharing and Protection Act (CISPA),
allowing businesses to rapidly share intelligence on cyber threats with each
other and the government without fear of lawsuits. And it calls on the
government to ensure that the
Pentagon, the Department of Homeland Security, and law enforcement
agencies have the legal authority to use very aggressive cyber
deterrence systems to protect national security and critical infrastructure
networks from attack.
Here's the whole report:
IP Commission Report 052213