Despite the growing threat of state-sponsored cyberattacks launched from China and other countries, U.S companies should not be allowed to fight back on their own, security experts say.
Such corporate counterstrikes would undermine U.S.-led efforts to develop international cyberspace standards and norms while exposing U.S. companies to retaliatory strikes.
"This is a remarkably bad idea." said James Lewis, senior fellow and director of the technology and public policy program at the Center for Strategic and International Studies in Washington. "It would harm the national interest."
In commentary released by the CSIS this week, he said, "Our goal is to make cyberspace more stable and secure, not less. Endorsing retaliation works against that goal in many ways, all damaging."
Lewis was responding to a report from the Commission on the Theft of American Intellectual Property last week that floated the idea of allowing private companies retaliate against cyberthieves as a means of curbing IP theft.
The commission, co-chaired by Dennis Blair, former U.S. director of National Intelligence and Jon Huntsman, former U.S. ambassador to China, contends that current laws and trade agreements have failed to curb IP theft by state sponsored cyber groups, so U.S. companies should be allowed to respond on their own.
The report made clear that at some point in the future, companies should have the option of disabling or destroying hacker networks, or planting malware on them.
Lewis dismissed all such suggestions as bad ideas.
The U.S., he said, is trying to get countries to agree that longstanding international laws should be extended to include cyberspace. For instance, the U.S. has been working to build consensus around the notion that governments are responsible for the actions of their citizens.
Lewis noted that the U.S. government is a leading backer of the Budapest Convention on Cybercrime, which prohibits private retaliation in cyberspace. Under the convention, a victim of a retaliatory attack could bring suit against a U.S. company in federal court, or seek extradition of those responsible for such attacks.
Private retaliation would undercut U.S. efforts to get China, Russia and other countries to hold their citizens accountable for cyberattacks against U.S. companies, Lewis said.
Any U.S. refusal to cooperate with a Chinese request for help investigating a retaliatory attack, for instance, could prompt China to refuse to cooperate with the U.S. on cybersecurity issues, he said.
"In a contest over who can go further in violating the law, despite the bluster of some in the high-tech community, private citizens are no match for the Russian mafia, the Russian Federal Security Service, or the People's Liberation Army in China. This is not a contest American companies can win," Lewis said.
Retaliatory attacks launched by companies without strong technology skills or judgment could lead to considerable collateral damage, he said.
"A nation has sovereign privileges in the use of force. Companies do not," argued Lewis, who chaired a committee that developed a set of cybersecurity recommendations for President Barack Obama during his first term.
Companies should focus more on shoring up their defenses, rather than on retaliation, said John Pescatore, director of emerging security trends at the SANS Institute. "The idea has no business or security merit, which is why even though it comes up every five years or so, it never gets adopted."
At the end of the day, a company that cannot adequately defend itself is hardly likely to be in a position to launch an effective counterattack, he said.
"Think about it. If you can't protect yourself in the first place, putting your resources towards retaliation means less resources on protection -- and more attacks against you. Not a smart mix," Pescatore said.
Richard Stiennon, principal at security consultancy IT-Harvest, agreed that companies should avoid the temptation to take on cyberattackers directly. "The realm of cybercrime and cyber espionage is already a free for all. Adding well meaning but easily misguided corporate efforts would be a disaster," Stiennon said.
"It is frustrating that there are no cyber police you can call when you are attacked," he noted. The best that a company can do is to quickly determine the nature of an attack, the likely source, and the likely data target. Then, it must take steps to enhance its own security.
"Take an attack as a penetration test you did not have to pay for. Learn from it and grow your defenses," he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is firstname.lastname@example.org.