Buried in a 100-page report issued last week by the Commission on the Theft of American Intellectual Property was a recommendation to copy a tactic cyber scammers use to extort money from innocent victims.
The IP Commission – a private panel of politicians, military and defence officials and technology leaders – is co-chaired by Jon Huntsman, former governor of Utah and former U.S. ambassador to China, and Dennis Blair, a retired U.S. Navy admiral and former Director of National Intelligence.
Among more than 20 recommendations, the commission suggested that companies be allowed to lock files and cripple computers.
Under a heading of “Support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means,” the commission said, “Software can be written that will allow only authorised users to open files containing valuable information.
“If an unauthorised person accesses the information, a range of actions might then occur,” the commission continued. “For example, the file could be rendered inaccessible and the unauthorised user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account.”
In a nutshell, that’s the same tactic used by scammers who try to panic users into paying a ransom fee to regain control of their computers.
Variously labeled “ransomware” and “scareware”, such malware cripples a PC or encrypts its files, then displays a ransom note demanding payment to restore control to the owner. The technique, flatly called “an extortion racket” by Symantec in late 2012, has been in use since at least 2006. Until last year, however, it was rare and ineffective, and seen mostly in Eastern Europe.
In fact, a common hacker stratagem is to deliver on-screen messages to victims that appear to be from law enforcement agencies, just as the commission proposed.
Last December, for example, Symantec described how messages displayed on Americans’ PCs by the “Ransomlock” malware masqueraded as warnings from the Federal Bureau of Investigation (FBI), while German users saw messages purportedly from the Bundesamt fr Polizei, Germany’s federal police.
The commission asserted that these ransomware-style techniques are legal. “Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilise a cyber incident to provide both time and evidence for law enforcement to become involved,” the report contended.
Critics quickly jumped on the ransomware comparisons, and bludgeoned the proposal.
“Now we have the IP Commission suggesting that firms be allowed to use basically this same technique – pop up on someone’s computer because you believe they’ve stolen something from you, terrify them with law enforcement threats, and lock them out of their (possibly crucial) data and applications as well,” said Lauren Weinstein, the co-founder of People For Internet Responsibility (PFIR), in a Friday post on his blog.
“What the hell are these guys thinking? Outside of the enormous collateral damage this sort of ‘permitted malware’ regime could do to innocents, how would the average user be able to tell the difference between this class of malware and the fraudulent variety that is currently a scourge across the Net?”
While the commission acknowledged that even more aggressive measures – including so-called “hack-back” tactics – would require changes in U.S. law, it said an offence-is-the-best-defence solution should be studied. The commission, however, declined to make specific recommendations on how companies should be allowed to counter-attack the computers of cyber thieves and hackers.
“New options need to be considered,” the commission said.
The IP Commission report can be found on the organisation’s website ( download PDF).