The U.S.-China Economic and Security Review Commission has finished its nearly 600-page annual report to Congress for 2015. The Commission's report is, as usual, a thoughtful and detailed assessment of the US-China economic relationship. So it's no surprise that the Commission addresses the problem of commercial cyberespionage.
More surprising -- and satisfying -- is the Commission's interest in allowing US companies to "hack back" against Chinese intrusions. This is an approach I've long believed should be on the table, though with limitations.
The Commission comes to the same posture, notably avoiding the stiff-necked cant displayed by the Department of Justice when the idea comes up. The Commission recommends that
Congress assess the coverage of U.S. law to determine whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks. In addition, Congress should study the feasibility of a foreign intelligence cyber court to hear evidence from U.S. victims of cyber attacks and decide whether the U.S. government might undertake counterintrusions on a victim’s behalf.
The first idea is now fairly widespread in policy circles. The second not so much. There are plenty of people who think the US intelligence community should help US companies when they're under attack, but the Commission heard testimony that the intelligence community may be reluctant to do so:
Asked at the June Commission hearing to comment on one suggestion that U.S. intelligence agencies could aid U.S.-based companies whose IP or competitive bids had been stolen by a Chinese company, Mr. Poindexter responded: "We have a lot of restrictions on what the Intelligence Community is allowed to supply a business, and the Intelligence Community doesn't want to supply that because they know what the problems are going to be. . . . Who do you support? Do you support BAE, a big British company? They are in the United States. They get hacked. What do we do then? Do we do the same kind of work?"
I'm more skeptical that there's a lack of IC authority to help companies under attack. If a US company is losing trade secrets to a foreign government's cyberspies, identifying both the foreign government and the recipients of the stolen IP is a task that fits comfortably under the rubric of counterintelligence, for which the intelligence community has plenty of authority. And I certainly don't think we need a special court to say so. But it is nice to see creativity creeping into discussions of the cyberespionage problem.
Most importantly, the Commission's recommendation is another sign of growing government openness to active defense measures. The Commission members aren't full-time government officials, but the Commission is established by statute, and its members are appointed by the Republican and Democratic leadership of Congress. So there's real significance in having such an establishment group put this option on the table.
No policy proposal succeeds in Washington until it has become humdrum. With the Commission's report, the idea of letting companies step outside their networks to defend themselves can't be dismissed as beyond the pale. It is now entering the sweet spot of policy entrepreneurship -- vetted but still edgy.