That's one proposal contained in a report released last week by the Commission on the Theft of American Intellectual Property, which outlined a number of measures for combating intellectual property theft. The commission is co-chaired by Dennis Blair, the former director of national intelligence, and Jon Huntsman, a former U.S. ambassador to China.
The commission's report gained immediate notoriety for recommending that businesses be allowed to hack back for the purpose of recovering stolen intellectual property. In particular, the commission recommended that policymakers "support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means." The report defines intellectual property as not just information targeted for economic espionage, but also software and music.
How could copyrighted software and music, as well as information targeted via espionage operations, be rendered inoperable? According to the report, software can be written that will allow only authorized users to open files containing valuable information. It explains, "If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user's computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account."
But according to Lauren Weinstein, founder of the Privacy Forum, that proposal bears a striking similarity to the lock-screen ransomware campaigns currently targeting PC users. Ransomware of this type locks a PC and flashes a "threat of prosecution" warning, customized to appear to come from the FBI (or, for targets in other countries, from the local law enforcement agency), claiming that access to child pornography or other illegal content has been detected. The notice then demands that a fine be paid to unlock the PC.
According to the FBI, it's been inundated with complaints from consumers who've paid as much as $200 -- and sometimes more -- in response to what they believed to be a bureau-ordered fine.
"So now we have the IP Commission suggesting that firms be allowed to use basically this same technique -- pop up on someone's computer because you believe they've stolen something from you, terrify them with law enforcement threats, and lock them out of their (possibly crucial) data and applications as well," said Weinstein in a blog post.
The proposed lockdowns would be disproportionate to the alleged crimes being committed, he said, and might just as easily be exploited by fraudsters. "Outside of the enormous collateral damage this sort of 'permitted malware' regime could do to innocents -- how would the average user be able to tell the difference between this class of malware and the fraudulent variety that is currently a scourge across the Net?" he asked.
Canadian journalist and author Cory Doctorow reads the commission's proposal as a recommendation that the entertainment industry, which backed the controversial anti-piracy bill SOPA, be granted the ability to "legalize the use of malware in order to punish people believed to be copying illegally."
Malware is a hot-button topic where entertainment companies are concerned, owing to Sony's failed 2005 music CD copy-protection system, which installed a rootkit from CDs by 52 different artists when they were played on a Windows PC. Sony's intention was to make it difficult for users to copy the CDs, but according to security experts, the rootkit transmitted users' IP addresses to Sony and was almost impossible to remove without damaging the system. In short order, online attackers wrote malware that used the rootkit's file-hiding mechanism to conceal itself from anti-virus software.
"There is no good malware at all," said Christian Mairoll, CEO of Austrian anti-malware firm Emsisoft, via email. "Piracy is indeed a problem that has to be solved. But legalized and widely spread malware would lead to even more problems with unforeseeable consequences."
Deploying malware in the service of protecting intellectual property would also face resistance from the information security industry. Mairoll, for example, promised that his firm would never whitelist any form of malware, whether built by the entertainment industry or anyone else. His comments echoed pledges by other security firms to detect the FinFisher spyware sold by U.K.-based Gamma Group, which some autocratic regimes use to spy on political dissidents, regardless of who deploys it.