Is hacking back a cyber-theft deterrent option?

A new report from the Hudson Institute on economic espionage in cyberspace reflects a shifting conversation in Washington from passive to proactive cyber defense – to the point of suggesting that an “Economic Warfare Command” be set up at the Treasury Department for using offensive coercion against adversaries.

Cyber economic warfare is the pursuit of political and security goals through “cyber-enabled economic aggression,” and “in this type of warfare, the United States is particularly vulnerable,” said Samantha Ravich, the report’s editor and a chief executive of social media analysis firm A2P LLC. She spoke Aug. 3 at an event unveiling the report at the Hudson Institute.

American lawmakers have long railed against online intellectual property theft and the cost it imposes on the U.S. economy. The precise annual cost of IP theft to the U.S. economy was “unknowable” but exceeded $300 billion, said a report published in May 2013 by the National Bureau of Asian Research.

Focusing on vulnerability mitigation rather than proactive response simply doesn’t work, Steven Chabinsky, a former top official in the FBI’s Cyber Division, said during the panel discussion. By concentrating almost entirely on vulnerability mitigation, the U.S. government has “sunk billions of dollars of our budget into the least probable method of success for a cyber strategy,” said Chabinsky, who is now general counsel at cybersecurity firm CrowdStrike.

The Obama administration sought to turn the tide of cyber-enabled IP theft by indicting Chinese nationals on charges of espionage on two occasions last year. In April, President Barack Obama followed up with an executive order authorizing sanctions on individuals or groups that cause “a significant misappropriation of funds or economic resources" through cyber activity.

There is nonetheless a sense among cybersecurity experts and critical infrastructure firms that the U.S. government must do more to help the private sector defend itself from a steady barrage of threats.

Western banks are the target of ongoing distributed denial of service attacks, said Juan Zarate, a former Treasury official who is now chairman of the Center on Sanctions and Illicit Finance at the Foundation for Defense of Democracies. Multinational banks are “at the center of the cyber storm” because of their hordes of money and IP, and because they play a role in sanctioning governments such as Iran’s, he added.

Though it remains illegal for private firms to “hack back” against entities that attack those firms, Zarate floated the idea of the government issuing warrants that would allow firms to hack back on a case-by-case basis.

Another, less innovative option than the hack-back is for private firms to tap into “obfuscation” methods that make IP in software more resistant to reverse engineering by thieves. Recent breakthroughs in cryptography could present adversaries with puzzles that would take years or centuries to “de-obfuscate, even with the most powerful supercomputers available,” DAPRA program manager Michael Hsieh wrote in the report.