Despite the growing threat of state-sponsored cyberattacks launched from China and other countries, U.S companies should not be allowed to fight back on their own, security experts say.
Such corporate counterstrikes would undermine U.S.-led efforts to develop international cyberspace standards and norms while exposing U.S. companies to retaliatory strikes.
"This is a remarkably bad idea." said James Lewis, senior fellow and director of the technology and public policy program at the Center for Strategic and International Studies in Washington. "It would harm the national interest."
In commentary released by the CSIS this week, he said, "Our goal is to make cyberspace more stable and secure, not less. Endorsing retaliation works against that goal in many ways, all damaging."
Lewis was responding to a report from the Commission on the Theft of American Intellectual Property last week that floated the idea of allowing private companies retaliate against cyberthieves as a means of curbing IP theft.
The commission, co-chaired by Dennis Blair, former U.S. director of National Intelligence and Jon Huntsman, former U.S. ambassador to China, contends that current laws and trade agreements have failed to curb IP theft by state sponsored cyber groups, so U.S. companies should be allowed to respond on their own.
The report made clear that at some point in the future, companies should have the option of disabling or destroying hacker networks, or planting malware on them.
Lewis dismissed all such suggestions as bad ideas.
The U.S., he said, is trying to get countries to agree that longstanding international laws should be extended to include cyberspace. For instance, the U.S. has been working to build consensus around the notion that governments are responsible for the actions of their citizens.
Lewis noted that the U.S. government is a leading backer of the Budapest Convention on Cybercrime, which prohibits private retaliation in cyberspace. Under the convention, a victim of a retaliatory attack could bring suit against a U.S. company in federal court, or seek extradition of those responsible for such attacks.
Private retaliation would undercut U.S. efforts to get China, Russia and other countries to hold their citizens accountable for cyberattacks against U.S. companies, Lewis said.
Any U.S. refusal to cooperate with a Chinese request for help investigating a retaliatory attack, for instance, could prompt China to refuse to cooperate with the U.S. on cybersecurity issues, he said.
"In a contest over who can go further in violating the law, despite the bluster of some in the high-tech community, private citizens are no match for the Russian mafia, the Russian Federal Security Service, or the People's Liberation Army in China. This is not a contest American companies can win," Lewis said.
