American businesses are at a loss as to what they could do to end cyber-espionage and intellectual property theft. One Internet security firm estimates that an organization is hit by malware every few minutes, and there’s very little companies can do to protect themselves or seek recourse.
So how about putting into practice the old adage, an eye for an eye? It’s a divisive idea that is nonetheless gaining traction in some computer security circles. The Commission on the Theft of American Intellectual Property, a private task force that counted former U.S. Ambassador to China Jon Huntsman and former Director of National Intelligence Dennis Blair as its members, released a report recently that called for retaliatory counter-hacks against cyber attackers to become legal.
"These attacks would raise the cost to IP thieves of their actions, potentially deterring them from undertaking these activities in the first place," the report said. "Only when the danger of hacking into a company’s network and exfiltrating trade secrets exceeds the rewards will such theft be reduced from a threat to a nuisance."
So-called “hack back” is illegal under the Computer Fraud and Abuse Act, which was passed in 1984. But some legal scholars argue that the law contains enough gray area to make the practice legal. Legal or not, opponents think giving companies the power to retaliate is just a bad idea. The American Bar Association is expected to weigh in on the debate with the impending release of a report on "hack back."
Stewart A. Baker, a partner at the law firm Steptoe & Johnson; former first Assistant Secretary for Policy at the Department of Homeland Security, where he set cybersecurity policy
Stan Stahl, President of Citadel Information Group, which provides information security management to companies; President of the Los Angeles Chapter of the Information Systems Security Association