Hacking back: A dialogue with industry

16 Nov 2020 13:20h - 14:50h

Event report

Mr Justin Vaisse (Director General, Paris Peace Forum) opened the dialogue by reminding participants of the roots of the discussion, i.e., the debates on the applicability of international law to cyberspace on the UN platform and other private sector initiatives. In 2018, during the first Paris Peace Forum, France, together with Microsoft, launched the Paris Call for Trust and Security in Cyberspace, which contains nine principles to which the public, private, and civil sectors subscribed. One of them was the ban on private sector hack-backs. This year, the third Paris Peace Forum took place and brought the discussion to the next level, namely, how to deepen the work on each principle, and how to bring the Paris Call closer to the formal UN multilateral negotiations.

Moderator Mr Trey Herr (Director, Cyber Statecraft Initiative, Atlantic Council) suggested the speakers unpack the notion of private hack-backs conceptually and legally. Ms Alissa Starzak (Global Head of Public Policy, Cloudflare) felt the question is about the limits of private action to address cyber-threats. Mr Seth Cutler (Chief Information Security Officer, NetApp) pointed to several grey zones in the question: active defence, how to distinguish offensive actions taken in retaliation, and what the actor's initial intent was. Herr went deeper to discuss the retaliatory nature of hack-backs, as well as their preventive nature. Starzak noted that it makes a difference what kind of actions one can take when hacking back, and whether they are devastating in nature or look more like signalling.

Ms Kaja Ciglic (Senior Director, Digital Diplomacy, Microsoft) pointed to the difficulties that platforms like Microsoft encounter when they can also be the victims of hack-back endeavours. Starzak added that we need a set of norms on what is acceptable and what is not, so that private actors do not think that, because they are white hats, they can go out and do something against potential malicious actors (black hats). The question is where the limits are in cyberspace. Ciglic recalled that in many countries there are cybercrime laws that prohibit particular activities that can be seen as hack-backs, but this principle in the Paris Call appeared precisely because there were conversations about allowing hack-backs in particular situations. Mr Ed Cabrera (Chief Cybersecurity Officer, Trend Micro) suggested conducting a cost-benefit analysis before a company makes decisions on hack-backs, and avoiding exposure to litigation domestically and internationally.

Herr asked whether the profile of a private company affects its attitude towards the hack-back option. Cabrera said that, as a cybersecurity firm, Trend Micro is at the edge of cyber-threat analysis, comes across evidence of criminal activity, and thus works with international law enforcement quite extensively. Cutler said it does not directly intersect with the business line of his company, and that, ultimately, this is a question of law and public-private partnership. He added that certain types of industries might need additional assistance (such as critical infrastructure, healthcare, and other sectors working for the well-being of individuals and societies), but again, this is a question of sharing information with law enforcement and letting them work.

Another question was about developing countries with fewer cyber capabilities that may intend to use third parties to hack back for them. Cabrera warned that this might lead to a discussion of private militias for such states. The focus must be on what kinds of support and help are needed by such states, and what the outcomes of such support are. Cutler agreed and added that it is similar to warfare and international assistance, though complicated by the attribution problem.

Lastly, participants discussed hack-for-hire issues and the necessity of establishing legal oversight frameworks for such scenarios. Ciglic noted that not every government has subscribed to the Paris Call, and acknowledged that hack-backs and hack-for-hire are problematic issues. So far, hack-for-hire may be legal in some states.

The workshop concluded that discussions on the hack-back debate will continue over the next five years, given the asymmetric nature of the cyber ecosystem.