US lawmakers advised to consider hacking China back

Image caption: US-China relations have hardened somewhat as a result of hacking accusations

The United States should think about allowing US companies to "hack back" if data is stolen by Chinese hackers.

Data lost in such attacks could be recovered or wiped, suggests a new report from the US-China Economic and Security Review Commission.

It says lost sales and fixing hacking damage have cost US firms tens of billions of dollars, with trade secrets being given to Chinese companies.

The commission is typically very critical of the Chinese government.

The report, which is due to be released on Wednesday, describes the American response to hacking attacks on domestic firms as "inadequate" and says the US is "ill-prepared" to defend itself from cyber-espionage.

'Escalation possible'

"The Chinese government appears to believe that it has more to gain than to lose from its cyber-espionage and attack campaign," says the report.

"So far, it has acquired valuable technology, trade secrets, and intelligence.

"The costs imposed have been minimal compared to the perceived benefit.

"The campaign is likely to continue and may well escalate."

China has frequently denied involvement in hacking attacks such as the data breach that affected the US government's Office of Personnel Management (OPM).

Records on more than 22 million federal employees were affected, and the White House is reported to be preparing a retaliation against China.

Drawing the line

Sean Sullivan, security adviser at information security firm F-Secure, said: "This report about investigating the ability to hack back I think is less about Congress wanting the ability to hack back and more about clarifying, 'These are the rules, this is the line - you cross this line, this is the retaliation you will get.'"

Mr Sullivan told the BBC, however, that there might be problems with such an approach.

For one thing, data may not just be breached in the future, but covertly manipulated. Such alterations might not be noticed for many weeks or months after the incident.

And when manipulations or breaches are detected, it might be very hard to attribute the attack to a specific Chinese competitor or state actor, Mr Sullivan added.

"We can point towards Chinese IP addresses but we don't have a good idea as to which party within China was motivated and did the hacking," he said.

Still, "normalising" the practice of back-and-forth cyber-attacks might clarify the situation and "give people a firmer handle on international norms and what they should expect", according to Mr Sullivan.