A bipartisan and independent commission studying corporate espionage’s impact on the American economy recommended passing the controversial Cyber Information Sharing and Protection Act (CISPA) in its report released Wednesday.
“. . .Corporations need better information, and thus an open, two-way communications flow between companies and U.S. government agencies is more necessary than ever before,” says The Commission on the Theft of American Intellectual Property’s report.
“Companies cannot be asked to share more information unless they have a reasonable expectation that they will receive useful information in return, and they need protections from lawsuits if they do provide information. The Cyber Information Security Protection Act is an example of a statutory effort to address this problem, and the Commission recommends its passage.”
While the commission’s report acknowledges IP theft is not limited to the digital domain, it argues “increasing trade-secret theft” is “in many ways enabled by emerging cyber capabilities.” CISPA would open a two-way cybersecurity data-sharing channel between private corporations and the government, which proponents say would help both parties deal with the secret-stealing hacks that are the focus of the report.
Privacy advocates, however, say CISPA would allow the government access to citizens’ data and are fiercely opposed to the bill.
CISPA passed the House of Representatives last month; its future in the Senate is uncertain. The White House has threatened to veto the bill on privacy grounds.
Where are intellectual property thefts coming from? China, says the report, is responsible for 50-80% of IP theft from American businesses, depending on the industry in question. It estimated Chinese theft costs the American economy $300 annually.
“National industrial policy goals in China encourage IP theft, and an extraordinary number of Chinese in business and government entities are engaged in this practice,” reads the report. “There are also weaknesses and biases in the legal and patent systems that lessen the protection of foreign IP. In addition, other policies weaken [Intellectual Property Rights], from mandating technology standards that favor domestic suppliers to leveraging access to the Chinese market for foreign companies’ technologies.”
The report also acknowledges that hackers and corporations often operate on unequal legal footing: hackers abide by few rules and are often in a different country than their victims, while the companies they target typically rely purely on defense and mitigation techniques.
The report considers several “hacking the hackers” techniques companies may be able to deploy, including entering a hacker’s system to delete stolen data or using that system to take a photo of the hacker or hackers. However, it doesn’t go so far as to recommend that corporations actually start hacking back. It instead suggests policymakers begin a conversation on the topic.
“Informed deliberations over whether corporations and individuals should be legally able to conduct threat-based deterrence operations against network intrusion, without doing undue harm to an attacker or to innocent third parties, ought to be undertaken,” says the report.