Private sector ‘hack back’: Where is the limit?

Event report

[Read more session reports and live updates from the 13th Internet Governance Forum]

Legal limits to the ability of businesses to counter cyber-attacks online remain blurred. Though most actors agree that retaliatory hack-backs should be illegal, clarifications appear necessary to define the conditions and safeguards for companies to resort to other active forms of cyber defence. Co-operation between private actors and public authorities on these issues is crucial for establishing new rules, and to clarify the scope of action for businesses.

This open forum, moderated by Mr Laurent Bernet, Policy officer, OECD Secretariat, featured discussions on the complex nature and legality of hack-backs – active measures taken by companies to defend themselves against cyber-attacks. The session was organised by the OECD in preparation for the Global Forum on Digital Security for Prosperity inaugural event, which will take place 13-14 December 2018 in Paris. This meeting will address the roles and responsibilities of private sector actors for digital security, and in particular the challenges raised by hack-back measures.

Mr Alp Toker, Founder, NetBlocks, first explained what hack-back practices mean from a technology perspective. Such measures can be differentiated into three categories: exploratory measures, in order to passively access services for attribution purposes; preventive, in order to prevent an actor from doing harm; and retaliatory, which consists in revenge hacking, and is the most contentious form of attack. Toker added that the Internet being a global network built on trust, and since all protocols rely on the good will of their users, the very principle of hack-back challenges the co-operation needed for the good functioning of digital networks.

Mr Leandro Ucciferri, Researcher, Association for Civil Rights, Argentina, presented his main concerns on these practices from a human rights perspective. For Ucciferri, the very definition of hack-back is against the core principles of cybersecurity, and could have significant human rights impacts on the privacy and freedom of expression of users. Companies should not be allowed to act as private prosecutors by means of hack-backs. On the one hand, they lack the necessary technical capabilities for conducting accurate attributions, and could therefore attack the wrong entities, resulting in further escalation. On the other hand, and more importantly, companies have a responsibility to respect human rights, and prevent or directly mitigate their human rights impacts.

Ms Kaja Ciglic, Director, Government Cybersecurity Policy and Strategy, Microsoft, started by emphasising that though most actors believe hack-backs are inherently a bad idea, the main difficulty is to agree on the same definition of these practices. In the Cybersecurity Tech Accord launched in April 2018, Microsoft, along with other leading companies, committed to not conducting offensive activities in cyberspace. When Microsoft needs to intervene, for instance in the case of a botnet takedown, it does it only in co-operation with relevant public law enforcement agencies. Ciglic also argued that there is wide support from the industry behind the Paris Call, which is a good step in the direction of fighting threats such as cyber-attacks.

Ms Karine Bannelier, Associate Professor, University Grenoble Alpes, France, explained why allowing hack-backs could result in greater legal and economic risks for private and public actors. If left only to the discretion of private companies, hack-backs can create risks for the authority of states, risks in terms of attribution, collateral damage for users and companies alike, and eventually lead to an uncontrolled escalation of violence in cyberspace.

Mr Yves Verhoeven, Head of Department, French National Cybersecurity Agency, acknowledged that despite the mobilisation of states to fight cybercrime, the efficiency of public policies has been relatively limited. It is thus tempting for companies to promote hack-back practices as a way ahead. But Verhoeven strongly argued that, ‘It will only add chaos to chaos’. Hack-back is illegal under French law, and as defined by the Budapest Convention on Cybercrime. The French government believes it should remain so, as emphasised in the Paris Call, in which a specific measure explicitly rejects such practices. Though public actors should refrain from the use of cyber-attacks, the failure of the UN GGE in this illustrates that it remains a sensitive issue.

Reported by Clement Perarnaud