The U.S. should consider new laws to let American companies better defend themselves against cyberattacks from China-based hackers, said a commission led by two former advisers to President Barack Obama.
The Treasury Department should be empowered to deny access to the U.S. banking system to companies from China and other countries that benefit from stolen data, and sanctions could be imposed on those found to benefit from theft, the commission said in a report released today.
“New laws might be considered for corporations and individuals to protect themselves in an environment where law enforcement is very limited,” the Commission on the Theft of American Intellectual Property said. The commission is headed by Jon Huntsman, Obama’s former ambassador to China who ran as a Republican for president, and Dennis Blair, Obama’s first director of national intelligence.
The commission didn’t conclude that U.S. companies should be able to conduct retaliatory cyberattacks, a practice known as hacking back that has been the subject of a policy debate among U.S. policy makers and computer security experts.
The Pentagon this month for the first time directly accused the Chinese military of intruding into U.S. computers to steal sensitive data. The Alexandria, Virginia-based computer security company Mandiant Corp. released a report in February concluding that the People’s Liberation Army in China may be behind the hacking of at least 141 companies worldwide since 2006.
Obama will meet Chinese President Xi Jinping June 7 and 8 at the 200-acre Walter and Leonore Annenberg estate in Rancho Mirage, California, in their first face-to-face talks since China’s power transition ended in March. Obama’s national security adviser, Tom Donilon, is scheduled to be in Beijing next week.
In a March speech, Donilon said China’s campaign of cyber espionage threatens to derail Obama’s goal of improving ties. He warned that it was time to hold the country accountable for “a growing challenge” to economic relations.
Hong Lei, a Chinese Foreign Ministry spokesman, told reporters May 21 that the U.S. has no hard evidence China is behind cyberattacks. He said cybersecurity is an issue faced by both countries.
The group in China identified in Mandiant’s February report continues its intrusions after being identified publicly, Richard Bejtlich, the company’s chief security officer, said in an interview.
Shawn Henry, president of CrowdStrike Services based in Palo Alto, California, told a conference in Washington in April that U.S. laws should be clarified regarding what companies can do to protect their networks from attacks and raise the cost for hackers.
“In the perfect world there’d be the equivalent of a cyber 911, where once you had a breach you’d dial 911 and you’d have a response,” said Henry, a former executive assistant director at the Federal Bureau of Investigation. “How do we operate in a civilized society in a way that allows people to take legitimate measures to protect themselves that doesn’t violate the law?”
Representative Mike Rogers, a Michigan Republican and chairman of the House Intelligence Committee, cautioned against allowing companies to hack back during a speech at a separate conference in Washington in April.
Most companies don’t have the defenses to handle an escalating confrontation with sophisticated hackers, he said.
Editors: Bernard Kohn, Elizabeth Wasserman