NCFCATeam Policy SourcebookTheSource©2016-2017

Affirmative Case: Allowing U.S. Companies to “Hack Back”

For the past several years, cyberattacks attributable to Chinese hackers have increased and have targeted important trade secrets and national security information held by top companies in the United States. Because we need to empower American companies to protect themselves against digital crime in a quickly-changing world, my partner and I stand firmly Resolved: The United States Federal Government should substantially reform its policies toward the People’s Republic of China.

Before we look at the policy we should adopt, let’s begin by defining a few key terms:

Section 1: Definitions

Substantial: “Considerable in importance, value, degree, amount, or extent.” - (The American Heritage Dictionary of the English Language, Fifth Edition, © 2016 by the Houghton Mifflin Harcourt Publishing Company. )

Reform: “To improve by alteration, correction of error, or removal of defects; put into a better form or condition.” - (The American Heritage Dictionary of the English Language, Fifth Edition, © 2016 by the Houghton Mifflin Harcourt Publishing Company. )

Policy: “A plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters.” – (The American Heritage Dictionary of the English Language, Fifth Edition, © 2016 by the Houghton Mifflin Harcourt Publishing Company. )

People’s Republic of China: The People’s Republic of China is the formal name of the government of what is commonly referred to as China, with its capital at Beijing. Throughout this round, we may refer to it simply as “China.”

Hack-back: “What does hacking back actually mean?The lighter, legal version advocated in the report suggests that companies could load up sensitive data with a sort of self-destruct device:If, say, plans for a new kind of jet engine are stolen, then special code embedded within the plans might cause the file to become unreadable or even lock up the thief's computer. Think of it kind of like the dye packs that some banks will toss in with cash if they're being robbed: The pack explodes, covering the cash in ink and making it far less useful for the robber.” – (The Washington Post, “Should the U.S. allow companies to ‘hack back’ against foreign cyber spies?” by Max Fisher, May 23, 2013. )

The United States has tried to work out an agreement with China, but those efforts have not fixed the problem. Let’s take a closer look in:

Section 2: Background

1)Diplomatic efforts have failed to deter Chinese cyber attacks

The New York Times,“Cybersecurity Firm Says Chinese Hackers Keep Attacking U.S. Companies,” by reporter Paul Mozur,October 19, 2015.

“With President Xi Jinping of China beside him at a news conference in the White House Rose Gardenlast month,President Obama said the two had come to an agreement that China and the United States would refrain from attacks aimed at pilfering company intellectual property or trade secrets for commercial advantage. Less than a day after that announcement and after Mr. Xi had met in Seattle with the executives of leading American technology companies, a hacking group accused of having links to the Chinese government attacked one such company, looking for trade secrets.”

2)Retaliatory cyberattacks are not allowed under current law

PCWorld Magazine, “Hacking back: Digital revenge is sweet but risky,” by Executive Editor Melissa Riofrio,May 9, 2013.

“Even if we skip the obvious moral issues around vigilante justice, hacking back quickly runs afoul of the Computer Fraud and Abuse Act. This law has undergone numerous revisions since it was first enacted in 1986, but Title 18, Sec. 1030 is clear on the point that using a computer to intrude upon or steal something from another computer is illegal. ‘There is no law that actually allows you to engage in an attack,’ says Ray Aghaian, a partner with McKenna Long & Aldridge, anda former attorney with the Department of Justice’s Cyber & Intellectual Property Crimes Section. ‘If you attack an attacker, you’re in the same boat,’ he says. The only kind of hacking back that's considered tolerable is what you might enact defensively within your own computer or network. What’s clearly illegal are offensive hacks, where you leave your territory and actively pursue an assailant online.”

Section 3: Harms

1)Chinese hacking hurts American economic interests

International Business Times(business newspaper based in the United Kingdom), “China’s ‘Great Brain Robbery’ hacking of U.S. companies a national security emergency,” by reporter James Billington,January 18, 2016.

“The US Justice Department is calling China's alleged hacking of its corporations the ‘Great Brain Robbery’ as wide-scale espionage targeting military and trade secrets has resulted in the loss of billions of dollars from its economy and millions of jobs. John Carlin, assistant attorney general for US National Security, gave an interview on 60 Minutes focusing on how the Chinese government has allegedly been employing an army of hackers and spies whose day job it is to steal ideas, secrets and intellectual property of American companies. The result of this state-sponsored theft is described as a ‘national security emergency’ with the US economy suffering and industrial growth at risk as China is believed to have hit ‘thousands’ of companies to take designs, ideas and technology to make its own.”

2)Chinese hacking hurts American national security interests

The Washington Free Beacon, “NSA Details Chinese Cyber Theft of F-35, Military Secrets,” by Bill Gertz, January 22, 2015.Bill Gertz is a senior editor of the Washington Free Beacon, and was formerly a national security reporter and columnist for 27 years at the Washington Times.

“China obtained more than 50 terabytes of data from U.S. defense and government networks, notably the Joint Strike Fighter’s stealth radar and engine secrets, through cyber espionage, according to newly disclosed National Security Agency documents. A NSA briefing slide labeled ‘Top Secret’ and headlined ‘Chinese Exfiltrate Sensitive Military Data,’ states that the Chinese have stolen a massive amount of data from U.S. government and private contractors.”

Section 4: Plan

Mandates:

1)Entities that are based in the United States and are victims of cyberattacks may conduct retaliatory cyberattacks if the following three conditions are met:

  1. The entity certifies to the Attorney General and to the Secretary of State that, based on generally-accepted standards in the field of cybersecurity, it believes the attack originated from within China, or at the request of the Chinese government;
  1. The entity certifies to the Attorney General and to the Secretary of State that any “hack back” operation is reasonably proportional to the original cyberattack and is targeted to prevent hacking of innocent entities; and
  1. The entity reports to the Attorney General and to the Secretary of State the details and status of any ongoing “hack back” operations every thirty days until the attacks are concluded.

2)The Attorney General and the Secretary of State may jointly disapprove of or halt any “hack back” operation if they believe it is a disproportionate response to the original attack, is not sufficiently targeted, or endangers the interests of the United States.

3)The Attorney General and the Secretary of State will issue a joint report to Congress every year detailing every “hack back” operation taking place under this law during the previous year.

Agency: Congress will pass and the President will sign into law a bill containing this plan’s mandates.

Enforcement: The appropriate Congressional committees will review the annual reports of “hack back” operations to ensure that such operations are appropriately conducted and are not contrary to the interests of the United States.

Funding: This plan will not result in direct costs, as private entities will be the ones empowered to conduct “hack back” operations. Any incidental costs to the government related to reporting and oversight by the Attorney General and the Secretary of State will be funded through the normal budgetary process.

Section 5: Results

The Washington Post,“Should the U.S. allow companies to ‘hack back’ against foreign cyber spies?” by Max Fisher, May 23, 2013.

“Advocates of ‘hacking back’ say companies should be allowed to actively deter or punish hackers by inserting malicious code into their machines or even publicly outing them. Here's one example, which the New Yorker's John Seabrook cited in a recent article on cybertheft:

In one instance, which Dmitri Alperovitch, of [cyber-security firm] CrowdStrike, cited approvingly to me, the government of Georgia lured a Russian hacker, who had been breaking into government ministries and banks for more than a year, to a machine that planted spyware on the hacker's computer and used his Webcam to take his picture; the photographs were published in a government report. ‘The private sector needs to be empowered to take that kind of action,’ Alperovitch said.”

Empowering companies in the United States to take appropriately protect themselves from Chinese cyberattacks not only protects economic and national security interests, but it deters foreign cyberattacks in general by increasing the potential risk to hackers. As more and more information is digitized and accessible through internet-based hacking, this plan is crucial to helping the United States protect its interests and stay ahead of the digital curve.

Thank you, I am now open to answering any questions from the Negative Team.

The Source: Official Team Policy Source Book Published by NCFCA