‘Anything you can do, I can do better’, or so says the song. And this may soon become the US policy on hacking. A report published this week says “The U.S. Department of Defense in 2011 published a doctrine equating the most damaging cyber attacks – those directed against public infrastructure – with an act of war, and theoretically allowing equivalent retaliation.”
In other words: hack us, we’ll hack you back.
The report, written by the US-China Economic and Security Review Commission, says Chinese cyber attacks have cost US firms tens of billions of dollars, plus trade secrets lost to rival Chinese companies, and outlines an ‘eye for an eye’ revenge plan.
The Review Commission was set up as an advisory committee to focus on the national security infrastructure of the two superpowers of the world. It advises that the US could ‘hack-back’ the Chinese hackers in order to retrieve lost information, but if individuals or companies did this themselves they would be breaking anti-hacking laws. To carry out the hack-back legally, Congress could establish a ‘foreign intelligence cybercourt’ which might hack-back China on their behalf after hearing from the companies affected.
Richard Bejtlich, chief security strategist at FireEye, was in favour of a hack-back: “We need to get our hackers to go after their hackers to put pressure on them and disrupt their operations.”
However, the report says the US is underprepared to carry out the hack-back and is vulnerable to the loss of more information to Chinese hackers.
“The United States is ill-prepared to defend itself from cyber espionage when its adversary is determined, centrally coordinated, and technically sophisticated, as is the [Chinese Communist Party] and China’s government,” says the report.
Sean Sullivan, security adviser at information security firm F-Secure, said the report was trying to send a message to potential hackers: “This report about investigating the ability to hack back I think is less about Congress wanting the ability to hack back and more about clarifying, ‘These are the rules, this is the line – you cross this line, this is the retaliation you will get.'”
The report comes just days after the G-20 nations agreed, at the G-20 summit in Turkey, not to hack each other for commercial aims.