“If counterattacks against hackers were legal, there are many techniques that companies could employ that would cause severe damage to the capability of those conducting IP [intellectual property] theft,” they wrote.
Marc Maiffret, chief technology officer at security firm BeyondTrust in San Diego, warns against private firms going on the offensive.
“There are a lot of people lobbying to ‘hack back’ but I think that is a disastrous idea,” said Maiffrett, who was a hacker of government sites before discovering the first Microsoft computer worm, “CodeRed.”
“Most of corporate America is failing to secure themselves, let alone become competent hackers to hack back against someone like a China,” he said.
Tim Junio, who studies cyberattacks at Stanford University’s Center for International Security and Cooperation, does not expect much to change because of the Xi-Obama talks.
“China benefits too much by stealing intellectual property from the US, so it’s really hard to imagine anyone convincing them to slow down,” he said.
Indeed, the payoff for successfully stealing critical information can be enormous. For example, if a company spends many millions of US dollars developing expensive intellectual property, such as a pharmaceutical firm investing in a new drug, it is very cost-effective for a Chinese firm or government entity to dedicate a small team of hackers to gain access to that company’s networks.
A patient approach of sending e-mails for months, hoping an employee eventually clicks on a link or opens an attachment that they should not, usually works. It is a probabilities game and the offense has the advantage, especially when targeting a company with thousands of employees. Sooner or later, someone will make a mistake.
Hackers then sell the stolen intellectual property to competing companies, which can try to replicate the product and sell counterfeits at a cut rate. For a developing country like China, this is a great way to stimulate domestic economic growth.
Junio suspects that China’s political leaders may not even be aware of the extent of hacking by their own cyberteams because corrupt government officials may also be using them for personal gain.
James Barnett, former chief of public safety and homeland security for the US Federal Communications Commission, said the US government’s role in fighting Chinese hackers should be to offer high-tech firms tax deductions, credits or liability limits.
“The private sector’s role is to continue to innovate, something it can do much better than the government, and something that Silicon Valley does better than just about anywhere in the world,” Barnett said.