IGF 2017 WS #192 The Government Hacks Back - Chaos or Security? A Debate

Short Title: 

The Government Hacks Back - Chaos or Security? A Debate

Proposer's Name: Ms. Isabel Skierka
Proposer's Organization: Digital Society Institute
Co-Proposer's Name: Mr. Sven Herpig
Co-Proposer's Organization: Stiftung Neue Verantwortung
Co-Organizers:
Isabel SKIERKA, Civil Society, Digital Society Institute
Sven HERPIG, Civil Society, Stiftung Neue Verantwortung


Session Format: Debate - 90 Min

Proposer:
Country: Germany
Stakeholder Group: Civil Society

Co-Proposer:
Country: Germany
Stakeholder Group: Civil Society

Speaker: Tatiana Tropina
Speaker: Zahid Jamil
Speaker: Maarten van Horenbeeck
Speaker: Msonza Natasha

Content of the Session:
This workshop will debate the motion “This house believes that governments should have authority, under certain circumstances, to ‘hack back’ devices which serve as attack tools in order to neutralize the threat posed to systems within their jurisdiction.”

Two teams of two speakers will each present statements favoring either very strict or loose safeguards concerning the motion. They will address government hacking, cyber security and related issues, such as civil liberties and human rights, encryption, technology vulnerability handling, and the future of internet security.

Consider the following cases:

- A peer-to-peer botnet consisting of hundreds of thousands of internet of things (IoT) devices is mounting unprecedented distributed denial of service (DDoS) attacks against critical infrastructure. They have already brought down a DNS service provider and threaten to attack hospital networks. The botnet can be rendered ineffective by remotely accessing and ‘hacking’ the IoT devices to make them unresponsive to the botnet malware.
- An online child pornography network is operating with Tor-hidden services in the dark net. The perpetrators’ identity and location are not known. The only way to identify them, break the child pornography network and put the perpetrators on trial is to indiscriminately and automatically install software on computers of all platform users worldwide through an unknown and unpatched exploit in the Tor browser bundle.
- A command and control server with an unknown location, probably on foreign territory, is spreading malware attacking critical infrastructure in a country.

These situations are not hypothetical. Similar cases have occurred over the past months and years, and will continue to occur in the future. In response to these new challenges, a growing number of governments are considering or already taking steps to authorize ‘hack backs’ by their law enforcement agencies (and the military) – albeit mostly under specific circumstances and with a warrant only. These steps are met with fierce resistance from experts, civil society, and politicians, who warn that the collateral damage in terms of security (e.g. through stockpiling of exploits) as well as a potential abuse of civil liberties and privacy through unauthorized access to individuals’ devices will outweigh any possible benefits.

Hence, the core question of this workshop is: should law enforcement agencies have the authority to hack back computer systems that pose a severe threat to individual and public safety, no matter where they are located, in order to protect their citizens’ and others’ security?

What would be the consequences for users, critical internet infrastructure operators and service providers, if governments start adopting rules allowing them to hack back more easily? Would this mean more or less collective security? What would it mean for international relations if governments across the world start hacking back without regard to jurisdictions? What could be an alternative?

AGENDA

5 minutes: The Chair introduces the speakers, context, and format of the debate. Throughout the debate, the Chair will pose questions, to which each speaker has 4 minutes to respond. The questions are provisional for now.

Question 1: Will an expanded practice of government hack backs result in more or less collective security?

16 minutes: Each of the four speakers has 3-4 minutes to respond to the question.

Question 2: Should governments refrain from expanding hack back authorizations and adopt alternative measures? If so, which ones?

16 minutes: Each of the four speakers has 3-4 minutes to respond to the question.

10 minutes: Speakers will respond to each other and specific points made throughout the debate. The Chair will facilitate the discussion.

20 minutes: The Chair opens the debate to all workshop participants. Participants can address questions to speakers, who have a maximum of 2 minutes to respond. After 15 minutes, one speaker of each team will summarize the results in 1 or 2 minutes.

20 minutes: The Chair will open and moderate the debate among everyone. Each participant can make an intervention (original point or response) of a maximum of 2 minutes.

3 minutes: The Chair will briefly summarize and close the debate.

Relevance of the Session:
Cyber security is becoming an increasingly relevant Internet governance issue. Debates about 'hard' cyber security issues, including when governments launch computer-based attacks against each other or third parties, have usually taken place behind closed doors. However, decisions about cyber security affect everyone, especially users, and the architecture of the internet as a whole. With this workshop, we aim to open up the debate about cyber security and specifically about the role of governments in the digital realm. We believe this debate is necessary in a multistakeholder format, as decisions taken about hacking today will affect the future online experience of every user on the internet, and the openness and security of the internet as a whole.

Tag 1: Cybersecurity
Tag 2: Human Rights
Tag 3: Cybersecurity Norms

Interventions:
The speakers will pair into two teams of two or three speakers each and present statements favoring either very strict or loose safeguards concerning the motion. All speakers are highly experienced in the field of cyber security and cross-border challenges for law enforcement, in particular, from their respective perspectives. The debate format allows speakers to frame their arguments as precisely and pointedly as possible from their respective perspectives, while also keeping in mind more general aspects of the debate. Moreover, speakers will address both ‘pro’ and ‘contra’ aspects of the subject in question (expansion of government hacking authorities). Additional representatives from government or international organizations will be invited to join the debate.
The opening up of the debate after half of the workshop will ensure that speakers will actively discuss with workshop participants and be part of the broader debate.

Diversity:
The four speakers are renowned experts on cyber security, including human rights and technical security, and have written, spoken and consulted on this issue extensively. Coming from civil society, academia, the technical community and the private sector, and originating from Europe, Africa and Asia, they represent diversity in terms of stakeholder group and geography, as well as gender (with 2 female and 2 male speakers). Additional representatives particularly from government will be invited to join the debate.
Hence, the speakers will present diverse arguments and perspectives on the different and complex angles of the debate about government hack backs.

Onsite Moderator: Isabel Skierka
Online Moderator: David Krystof
Rapporteur: Lorena Jaume-Palasi

Online Participation:
The debate will be moderated by an on-site and by an online moderator. The event will also be promoted online in advance, including instructions on how to join the conversation remotely. The online moderator will ensure that online participants can directly communicate questions and statements to the Chair. The Chair will communicate via a laptop with internet connection. In the second part of the debate, every second or third question or intervention will come from a remote participant. The discussion will also be live-tweeted and remote participants can also join the discussion via Twitter.

Discussion facilitation:
The debate will be facilitated by the Chair of the debate. The Chair will first introduce the format, speakers and then actively moderate the debate. The Chair will also manage the allocated time among the two sides (see agenda). The first part of the workshop will be dedicated to a debate among speakers, inspired by the Oxford debating format. The second part of the debate will be ‘open floor’ among all participants of the workshop.
In the first part, speakers will answer two questions, one after another and within pre-defined time slots of 3 to 4 minutes. Afterwards, the Chair will facilitate a 10-minute discussion among speakers in which they can respond to points made by the other teams in speeches of a maximum of 2 minutes. In the second section of the workshop, the debate will be opened to the floor. In the first 20 minutes of this part, workshop participants (on site and online) can address questions to speakers, who have a maximum of 2 minutes to respond. During the last 20 minutes, the Chair will open and moderate the debate among everyone in the workshop. Each participant can make an intervention (original point or response) of a maximum of 2 minutes.
Polling: Before and after the debate, workshop participants will cast votes on the motion (for, against, undecided). The results will be communicated on-site and online at the end of the debate.
The overall goal of this plan is to enable a lively debate among all participants, on-site and online. The clear time management and moderation by the Chair will ensure that every participant should be able to contribute their argument and directly respond to others’ arguments.

Conducted a Workshop in IGF before?: No
Link to Report:

Additional Speakers: 

Natasha Msonza and Zahid Jamil will not be able to participate. In their stead, Leandro Ucciferri from DCA and Sven Herpig from SNV Berlin will speak.

 


Report: 

Session Title:               

The Government Hacks Back - Chaos or Security? A Debate
 

Date:  20.12.2017
Time:  16:40 – 18:10
 

Session Organizer:  Isabel Skierka, Digital Society Institute, ESMT Berlin     

Co-Organizer: Dr. Sven Herpig, Stiftung Neue Verantwortung    

Chair/Moderator: Isabel Skierka    

Rapporteur/Notetaker: Isabel Skierka

List of Speakers and their institutional affiliations:       

Dr. Tatiana Tropina, Max Planck Institute, Freiburg

Dr. Sven Herpig, Stiftung Neue Verantwortung, Berlin

Maarten van Horenbeeck, Fastly and FIRST

Leandro Ucciferri, ADC Digital

         
Key Issues raised:          

Definition: The term “hack back” is only poorly defined and is used to refer to practices ranging from preventive cyber security measures to offensive hacking of foreign systems.

Legal basis: The legal basis for law enforcement-led “hack backs” (or: offensive cyber measures launched in response to a cyber attack) is unclear in most countries as well as internationally.

Systemic effects: Offensive ‘counter-strikes’ in the digital realm can have systemic and uncertain effects, which decision-makers might not be able to foresee.

Effectiveness: It is unclear whether and under what circumstances governmental hacking of foreign systems would be effective and how that effectiveness can be measured in terms of international, national, and human security.

Trust: The preventive and/or reactive use of cyber offense tools by law enforcement authorities and intelligence agencies can undermine trust in the reliability and security of the internet.

If there were presentations during the session, please provide a 1-paragraph summary for each presentation:   No presentations during the session.

Please describe the Discussions that took place during the workshop session (3 paragraphs):                

The workshop proceeded in an Oxford-style debating format and discussed the motion “This house believes that governments should have authority, under certain circumstances, to ‘hack back’ devices which serve as attack tools in order to neutralize the threat posed to systems within their jurisdiction.” During the first half of the debate (approximately 40 minutes) two teams of two speakers each discussed the motion and related questions: Maarten van Horenbeeck and Leandro Ucciferri (Team 1) and Tatiana Tropina and Sven Herpig (Team 2). After the first half of the session, participants from the audience joined the debate by posing questions and making interventions themselves. For the sake of brevity, the following two paragraphs will summarize different positions of both speakers and audience participants in line with the team positions.

Team 1 argued that governments should under no circumstance have the authority to engage in ‘hack back’ acts, because

  • Malware can act unpredictably. Therefore, governmental hacking and ‘counter-strikes’ in the digital realm can have systemic and uncertain effects which can cause grave collateral damage for technical infrastructure, nation-states, and individuals.
  • Governmental hacking on foreign territory can harm the privacy and safety of individuals abroad.
  • The use of offensive tools for counterstrikes in cyberspace can undermine trust in the security of the internet and in international security.
  • Governments should focus on implementing measures that promote information security at a national and international level, and addressing root causes of cyber crime instead of investing personnel and financial resources into hacking capabilities.

Team 2 argued that if governments authorize hack backs, they should clearly and transparently define the parameters, legal basis, and ways of execution of “hack backs”, and implement very strict safeguards.

  • Team 2 agreed that hack backs can pose systemic risks and might have undesirable consequences for technical, human, and international security.
  • Therefore, IT security should always be prioritized over other national security interests.
  • Governments should only authorize measures on the preventive end of the scale, such as passive reconnaissance/intelligence gathering in foreign networks, DDoS attack mitigation, botnet takedowns and containment with assistance from national ISPs and in coordination with other nations.
  • More aggressive hack back practices, such as penetration of foreign systems to alter data, might make sense from a national security perspective, but will negatively affect international security and cause unforeseeable collateral damage.
  • Law enforcement agencies will need to comply with strict legal safeguards for hacking, whereas actions by intelligence agencies are much harder to control and oversee.
  • Any discussion of law enforcement or intelligence agencies’ use of offensive cyber measures needs to be realistic - governments around the world are already conducting or preparing to conduct ‘hack backs’/offensive ‘counterstrikes’/‘active defense’ measures in cyberspace. Hence, the question is not whether, but how and under which safeguards ‘hack backs’ should take place.

Please describe any Participant suggestions regarding the way forward/ potential next steps /key takeaways (3 paragraphs):    

Key takeaway 1: The topic of the debate, (governmental) “hack backs”, requires further and more detailed discussion. The debate raised a number of key issues, which each merit more nuanced debate from legal, technical, ethical, and political perspectives. This IGF 2017 debate contributed to kicking off discussions about the issue in a multistakeholder setting.

Key takeaway 2: The interactive Oxford-style debating format was well-suited for the discussion, according to feedback from panellists and participants from the audience. The debate made it possible for anyone to raise their own arguments after the first half of the session (starting around 17:20) and made the discussion livelier than a “conventional” panel format would have. Discussions at the IGF would benefit greatly from a growing use of this and other interactive discussion formats.

Way forward and potential next steps: As a way forward, participants suggested providing a summary of the debate in the form of a short paper that can inform future internet governance and cyber security discussions. Participants also suggested continuing the debate at the IGF 2018 and in other fora. Moreover, future debates should include participants from the law enforcement community or other relevant government agencies. The organizers had requested multiple former and current law enforcement officials as speakers and/or participants of the debate. Requested speakers took great interest in the issue, but were each unable to actively participate in the debate for institutional reasons.

Gender Reporting

Estimate the overall number of the participants present at the session:

60 persons

Estimate the overall number of women present at the session:

25 women

To what extent did the session discuss gender equality and/or women’s empowerment? 

The session did not discuss gender equality or women’s empowerment.

If the session addressed issues related to gender equality and/or women’s empowerment, please provide a brief summary of the discussion:  /

 

 

