Report: U.S. Should Fight Back When China Cyber-Attacks

The U.S. is inadequately prepared to defend itself against China's sophisticated cyberintrusions and should consider hacking back in response, a congressional advisory body said Tuesday.

The recommendations come as part of a new report from the U.S.-China Economic and Security Review Commission, created by Congress in 2000 to advise on the national security implications of the two world powers' relationship and propose action.

China has breached both U.S. government and private company computer networks, the commission notes, costing tens of billions of dollars in both lost business and expenses related to repairing hacked systems.

"The United States is ill-prepared to defend itself from cyber espionage when its adversary is determined, centrally coordinated, and technically sophisticated, as is the [Chinese Communist Party] and China's government," the report says.

Since the U.S. is currently unable to prevent such infiltrations and has, thus far, provided "inadequate" responses, the commission suggests allowing U.S.-based companies to "hack back" to recover or erase stolen data, making these attacks more costly to China.

"The Chinese government appears to believe that it has more to gain than to lose from its cyber espionage and attack campaign. So far, it has acquired valuable technology, trade secrets, and intelligence," the report continues. "The costs imposed have been minimal compared to the perceived benefit. The campaign is likely to continue and may well escalate."

The report notes that U.S. law does not allow corporations or private citizens to carry out retaliatory cyberattacks. Instead, the authors suggest that Congress should look into establishing a foreign intelligence cybercourt to hear evidence from breach victims and consider hacking China back on their behalf.

China is a prime suspect in the infiltration of the U.S. Office of Personnel Management's (OPM) systems, which was revealed in April. It is considered to be one of the largest breaches in U.S. history. More than 21 million prospective, current and former government employees' personal information was compromised. The hacked information was collected as part of background checks, dating back to at least 2000, and includes Social Security numbers, sexual history, drug use and fingerprints.

Though China denies involvement in the OPM hack, President Barack Obama and China's President Xi Jinping agreed in a September meeting that neither country would conduct or support cybertheft of intellectual property, such as trade secrets, for commercial advantage. The two leaders also pledged to work together, along with other countries, to advocate for international rules for conduct in cyberspace.