Session
Organizer 1: John Hering, Microsoft
Organizer 2: Trey Herr, Atlantic Council
Speaker 1: Seth Cutler, Private Sector, Western European and Others Group (WEOG)
Speaker 2: Kaja Ciglic, Private Sector, Eastern European Group
Speaker 3: Ed Cabrera, Technical Community, Western European and Others Group (WEOG)
Speaker 4: Alissa Starzak, Private Sector, Western European and Others Group (WEOG)
Speaker 5: Justin Vaisse, Civil Society, Western European and Others Group (WEOG)
Seth Cutler, CISO for NetApp, will be replacing Kristen Verderame (also of NetApp)
Trey Herr, Civil Society, Intergovernmental Organization
John Hering, Private Sector, Western European and Others Group (WEOG)
Panel - Auditorium - 90 Min
Cybersecurity policy, standards and norms:
i) What are the risks and benefits posed by so-called “hack-back” activities?
ii) What kinds of activities by private industry should be considered “hacking-back” and off-limits, and which should not, in order to promote safety and security online?
In 2018, the Paris Call for Trust and Security in Cyberspace was launched and established 9 foundational cybersecurity principles for governments, industry and civil society to help promote a safe and secure online world. With over 1,000 supporting entities today – including over 75 governments and hundreds of industry and civil society organizations – the Paris Call is the largest multistakeholder agreement in the world focused on cybersecurity principles. One of these principles, number 8, creates a new expectation that Paris Call supporters will “take steps to prevent non-State actors, including the private sector, from hacking-back, for their own purposes or those of other non-State actors.” This principle raises important questions about what activities constitute “hacking-back,” as well as which ones do not. As an enthusiastic supporter of the Paris Call, the Cybersecurity Tech Accord – a global coalition of technology companies committed to improving cybersecurity – has taken the initiative to clarify what, from an industry perspective, should constitute “hacking-back” under the principle and which activities should not.
This is a critical discussion as hacking-back can set dangerous precedents that invite escalations in cyberattacks and unintended consequences that can put technology users at risk. Meanwhile, it is just as important to be clear about what hacking-back is not, as painting with too broad a brush could prohibit valuable security practices, including so-called “active defense” measures employed widely by industry to keep users and customers everywhere safe. This session will give representatives from the Cybersecurity Tech Accord an opportunity to share both their consensus view as to how the technology industry broadly thinks about “hacking-back,” as well as the nuanced perspectives of their respective companies on the issue. It will also provide a valuable opportunity to seek input and feedback from other stakeholder groups in attendance as to whether this industry perspective seems consistent with the Paris Call principle ahead of the second anniversary of the agreement in November 2020.
GOAL 9: Industry, Innovation and Infrastructure
GOAL 16: Peace, Justice and Strong Institutions
GOAL 17: Partnerships for the Goals
Description:
This session will feature industry speakers from the Cybersecurity Tech Accord shedding light on what they believe should and should not be considered “Hacking-back” under the principle of the Paris Call for Trust and Security in Cyberspace prohibiting such activity. In addition, the session will seek to start a conversation and solicit input, in particular from the civil society and public sector officials in attendance, regarding what they believe should and should not constitute “hack-back” activities, in order to drive greater consensus on an important and nuanced topic.
Agenda:
Given the virtual setting, the 90-minute panel will be split roughly evenly into two sections, with the first 45 minutes dedicated to a moderated panel discussion, and the second 45 minutes being open to questions from those in attendance.
Participants should walk away with a nuanced understanding of what activities members of the technology industry regard as “hacking-back,” and which security practices should not be given that label. Meanwhile, this consultation with other stakeholders will provide invaluable input and feedback as the Cybersecurity Tech Accord works to finalize a consensus opinion and report on this topic to strengthen and clarify the expectations of the Paris Call for Trust and Security in Cyberspace to support its implementation and recognition.
Organizers will work to socialize this session with a wide audience in advance, in particular with those from civil society and government backgrounds likely to be invested in this discussion and with opinions that may challenge those presented by the speakers. The session organizers will also work to share a draft of the consensus Cybersecurity Tech Accord view on “hack-back” in advance of the session, to stimulate thinking and prompt robust and substantive dialogue during the session. Finally, the session will be structured so that a substantial amount of time is reserved for feedback, questions and discussion with those in attendance, both on site and online.
Relevance to Internet Governance: The Paris Call for Trust and Security in Cyberspace stands as a landmark achievement in establishing a new multistakeholder baseline, and forum for discussion, on principles to better protect the integrity and security of the online world. However, dialogues like this are essential for realizing the potential of this important agreement, as different stakeholders debate and discuss the particulars of what respective principles mean and don’t mean in concrete terms to reinforce clear commitments.
Relevance to Theme: Trust in cyberspace is based in no small part on clear expectations for responsible behavior on the part of all stakeholders, including industry, which are recognized and reinforced. While high-level principles, such as those included in the Paris Call, are essential to identifying what these different responsibilities are, they are not the end but rather the beginning of the discussion to define what specific commitments are consistent with those principles.
Report
All of the speakers, representing different technology companies and signatories of the Cybersecurity Tech Accord, and seemingly also the majority of attendees, agreed with Paris Call principle #8 – that private industry should not be permitted to “hack back” against attackers for their own purposes. In addition, speakers agreed on a general definition of what types of activities should be considered “hack backs” – namely, the unlawful access to computer systems outside one's own networks in order to retaliate against bad actors.
Consensus that such activities were ill-advised was based on concerns about their legality, as well as the potential for unintended consequences and escalation of attacks with malicious actors, including nation-state actors. The discussion also highlighted the dangers of a growing market of “hackers for hire” and of vendors selling offensive tools, of questionable legality, for use by states and other actors.
While there was much consensus about definitions and what types of actions should be permitted, representatives from respective companies had differing standards when it came to the types of active defense measures they would pursue – including things like botnet takedowns.
The discussion went a long way in highlighting how industry understands its roles and responsibilities to promote security in cyberspace while not conducting “hack back” activities. For policymakers, a major takeaway should be a shared understanding that hack backs are activities that involve the illegal access to protected systems in order to retaliate against or steal back from an attacker. Policies should not seek to permit such activities, as they would promote vigilantism and greater instability in cyberspace. At the same time, policies should be careful not to prohibit necessary active defense measures that companies increasingly employ to keep themselves and their customers safe. Discussions of how to craft such policies should always seek to include the perspectives of the technology industry.
There was no particular discussion of gender issues in the workshop
Cybersecurity Tech Accord's whitepaper on hack back, released in advance of the workshop:
https://cybertechaccord.org/uploads/prod/2020/11/hack-back-update-13112…;