But soon afterwards, journalists and bloggers started observing that the report includes highly aggressive and potentially controversial measures, such as recommending the use of ransomware to attack suspected copyright abusers, as well as retaliatory hacking attacks to retrieve stolen data.
Sorry? This sounds crazy. Can this report seriously be recommending that businesses and governments use malware and hacking to fight back against corporate snooping and copyright dodgers?
The bulk of the report is pretty sensible. It's only at page 80 that we hit the interesting part, in a chapter entitled "Cyber Solutions".
Alongside reasonable ideas like improving vulnerability protection and intrusion detection systems, or using digital ‘watermarks’ to tie documents to their rightful owners, there are several sections discussing ‘threat-based deterrence’, which include this:
Support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means.
Yes, you read that right. It continues:
...software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account.
That's pretty clear then - they've heard of the ransomware approach, and they think it's a great idea. Further down there are some more off-the-wall moments, discussing ideas like hacking into an intruder’s network to retrieve or destroy stolen data, taking photos of suspects using their webcams, "or even physically disabling or destroying the hacker’s own computer or network."
Now the authors don't directly back these wackier ideas, at least not as directly as they support the use of ransomware. Instead they use some complex shilly-shallying and weasel words - they try to make it look like they're just mentioning them as concepts, without actually recommending them. But later on, they clearly suggest that changes in the law to allow such things are a good idea:
Recommend that Congress and the administration authorize aggressive cyber actions against cyber IP thieves.
Shortly afterwards they backtrack again, saying they're "not ready to endorse this recommendation" - so why mention it at all? Simply by including it, they give the concept of cyber-vigilantism legitimacy.
Imagine a high-profile report on real-world theft that urged people to break into the homes of suspected thieves, steal their stuff back and maybe smash up a few other bits and bobs on the way out. How have such crazy ideas made their way into a major study?
The commission, proper title The Commission on the Theft of American Intellectual Property, calls itself an "independent and bipartisan initiative of leading Americans". It is a group of heavyweight figures including a former CEO at Intel, a university president and a former Ambassador to China.
The report is a serious and scholarly study for the most part, with plenty of interesting data and some sensible ideas and suggestions. It claims to have consulted several "remarkable specialists" along the way, but from the instant outcry, it's clear that there are plenty of people who could have steered it away from its blunderings over cyber security measures. Were any actual security or anti-malware experts asked for input?
The outrage sparked by some of the suggestions in this report has completely overshadowed the rest of its hard work.
In short, the moments of lunacy popping up in the last few pages are tainting the entire study.
Maybe the general ridicule being plastered on this report might just open the eyes of the political classes to the need for proper, considered engagement with cyber security issues; these knee-jerk 'just hack 'em back' attitudes are simply embarrassing.