The U.S.-China Relationship - Should We “Hack Back?”

By Mary Kathryn Curry

Last week, the U.S.-China Economic and Security Review Commission released its annual report to Congress. One big take-away from the economic perspective of the report is the Commission’s recommendation that Congress take steps to defend U.S. companies against “unrelenting” Chinese cyber attacks: in other words, allow the U.S. to hack back on behalf of companies.

With a mandate to monitor, investigate, and report on national security implications of our relationship with China, the 600-page report covers a wide range of topics. The 2015 report reviews manufacturing, research and energy resources in China, provides insight and analysis on the developments in the U.S.-China trade relationship, implications of U.S. investment in China and the impact of China’s cyber capabilities.  As one might expect, the issue of cyber attacks on U.S. interests originating from China weighs heavily on the relationship.   

“As the largest and most web-dependent economy in the world,” the Commission’s report notes, the U.S. is the biggest target for cyber espionage. Meanwhile, the Chinese government is passing comprehensive laws and regulations on cybersecurity that will negatively impact digital goods and services in many industries, including banking , credit card transactions, online retailers, media, and telecommunications. For example, Beijing is currently considering a requirement that U.S. technology companies and their customers turn over source code, encryption software, and create “backdoor entry points into otherwise secure networks.” Other rules would have the effect of requiring servers that contain information about Chinese citizens and companies to be located exclusively in China, and that companies provide encryption keys to allow government entry into their databases. 

The report also highlights China’s propensity to “turn regulations into a weapon against competitors,” by attracting foreign investment, while favoring locally based industry, and refusing to protect intellectual property of U.S. companies. Noting the alleged theft by Chinese hackers of 22 million U.S. citizens’ personal records, and the state-sponsored cyberespionage against U.S. companies, the report suggests that the U.S. adopt measures that properly respond to this kind of Chinese misbehavior.  

Up against these types of risks, the Commission has determined the U.S. – and its companies – ill prepared to defend itself from cyber espionage. That is why the Commission is recommending that Congress consider whether to allow U.S. companies that have been hacked to “engage in counter intrusions for the purpose of recovering, erasing, or altering stolen data” from the offending computer networks. This is another way of saying that we should be allowed to “hack back.” (The report further notes that International law is equally lacking in its address of cyber warfare, with no consensus on how to attribute or properly respond to cyber attacks). Another suggestion in the report details tying Chinese investment in the U.S. to its willingness to open up its own markets, in an attempt to gain a level playing field. Finally, though U.S. companies have strongly opposed requirements to disclose to the public or to the Securities and Exchange Commission (SEC) any “intrusions” on their computer networks, the Commission is suggesting legislation that would to do just that. The report finds that the SEC should “make clear to publicly traded companies and their investors the circumstances under which the theft of intellectual property through a computer network intrusion may be a material fact that might affect a company’s revenues and should therefore be required to be disclosed to the SEC.”  

Government sponsored cyber theft has become an increasing cost to U.S. companies, with more sophisticated and harder to detect operations in place. The financial damage to companies results from the loss of valuable technology, trade secrets, manufacturing processes, and the expense of cyber defense and repairing the damage done to computer networks.  According to the Commission, China’s activity will not be curtailed anytime soon; to the contrary, the Chinese government appears “to believe that it has more to gain than to lose from its cyber espionage and attack campaign.” It is, therefore, evermore important for us to keep a watchful eye on China, and what Congress will do with these latest recommendations from the Commission.  

If you or your organization have questions or concerns about data security in international trade or the creation and/or implementation of a cybersecurity plan, contact the author or a Polsinelli Privacy and Data Security team member.