
IGF 2018 - Day 1 - Salle IX - OF33 PRIVATE SECTOR "HACK BACK": WHERE IS THE LIMIT?

The following are the outputs of the real-time captioning taken during the Thirteenth Annual Meeting of the Internet Governance Forum (IGF) in Paris, France, from 12 to 14 November 2018. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> MODERATOR:  Good morning, everybody.  We will start this on time.  This is 9 o'clock in the morning.  And I'm very pleased to ‑‑ this morning on Private Sector hack back:  Where are the limits?  I work for the OECD secretariat in Paris and I will say a few words about this open forum and the context for it and then we'll go with panelists.

This was proposed by the OECD for the IGF meeting as a kind of first step towards imaging that will take place in 2019.  It will be part of a large forum on security forum on digital security for prosperity.  It will bring a community of experts addressing digital security for prosperity.  That is digital security from the perspective ‑‑ and this first meeting in December of the global forum will address the roles and responsibilities of digital security.  In particular, those roles and responsibilities of the Private Sector.

And in this event in December, we will have a session on active defense, hack back, by the Private Sector, what are the challenges they raise, what are the issues they raise at international level, how should we address it.

And we thought it would be a great opportunity at the IGF this year which takes place in Paris to have a discussion on these issues.

So, let me just say on the scope of this discussion that we'll have this morning.  When we talk about hack back in the context of this session, I don't know elsewhere, but in the context of this session, we're talking about the Private Sector, so businesses basically who face digital security attacks and who may in response or in the course of these attacks take measures to address these issues that are of an active nature.  We'll discuss what that may mean or may not mean.  It may take actions that have an active nature or that can be considered as hacking back.

These types of measures raise a number of concerns, challenges, but they can also be seen as something positive that should actually be encouraged.  We should have a discussion on this.

So to have this conversation, I am very pleased to have five distinguished panelists that I will very briefly introduce and then I will give them a five minute time slot to give their perspective on this issue.  We'll have questions from the audience after each of them and then we'll go into a discussion with you and the panelists until 10 o'clock, which is the end of our panel.

So I will immediately turn to Alp Toker who is director and founder of the NetBlocks global Internet observatory.  He's a contributor to Internet protocols at the Internet Engineering Task Force.  And our second fellow will speak from I guess the citizen safety technical side perspective of this issue.  What is your perspective on this issue?

>> ALP TOKER:  Thank you.  Two weeks ago, I was in Taiwan and I was talking with the congressman.  He gave me a shocking statistic about the situation of cybersecurity in his country.  He told me that there are on average 30,000 cyber attacks daily coming from the mainland alone.

And in this context, you look at statistics and you see this isn't so much nation state sponsored attacking.  It is a mix of many stakeholders making many factors of attacks.  Looking through the figures you see some 17% can be attributed to nation states with the rest being attributed to either the Private Sector or lone wolves or different stakeholders.

It is in that context that today's session is extremely valuable because it is a less discussed side and it's the majority of the problems that we see.

So that's really what I am trying to add here is to look at what is the nature of hacking back?  What does it mean?  Then you have the terms that Laurent discussed.  Some of the terminology is quite outdated.  We find that the whole field of cybersecurity and, you know, or information security depending on perhaps the dictionary or lexicon that you use varies.  It is a refresher in seeing what this means in the current lexicon.

So what I see as a technologist is that the Internet is a global network that's actually built on trust.

So today we're discussing the Internet of trust.  In fact, digital networks, computer networks are built on the fact that you trust your peer.  You are asking for that to be relayed to the next (inaudible).  So you are not sending something so much as you're asking for that information to be shared.

In that respect, I think we see a lot of problems with this idea of hacking back.  You have questions about what does it mean?  Who is meant to carry this traffic on the most fundamental level?  We're talking about the transfer of information.  Nobody has to carry that data including the next hop, the next peer.

If you look at protocols like BGP, TCP, they're all built on the good will of network users.  In the case of hacking back, does that good will still exist if you are trying to exploit somebody that's exploited you?  Or most simply, is it okay to rob somebody's house if they robbed your house?  As a victim of crime, you might think that's a reasonable thing to do, but it is probably not the legal thing or ethical thing to do.

So there are three types of hacking back that we characterized.  There are sometimes four, but this is the one we used at NetBlocks.  We have the exploratory or validation, which is an active measure, very mild or modest.  We're talking about trying to go through data and perhaps passively accessing services.  This means entering a URL.  Planting a hidden URL to get attribution of an attack.  This kind of exploratory hack back seems to be the kind that's the least problematic from a legal perspective.  I'm sure we'll have a look at that in a bit.  And then you have the preventative type.  You have networks that have been hijacked and somebody needs to log in or divert IP addresses so they can regain control over those machines.

This is a fairly invasive approach.  It does have collateral damage, a word you will hear a lot.  It is the impact on people who aren't at fault, who aren't part of the attack itself.  They are bystanders essentially.

So, thirdly, you have the retaliation attack.  Some of the most recent moves have sought perhaps to make this more acceptable as well.  This is the most contentious type of attack that is going to be discussed today.  Those are the three and they're hugely relevant to what we are going to talk about.

>> LAURENT BERNAT:  This is a first step into this exploratory area.  It is a first categorization of this type of active measures or hack back activities.  Let me turn to Leandro Ucciferri.  He is working in the Association for Civil Rights, ADC in Spanish, an independent not‑for‑profit NGO in Buenos Aires.  He will give his perspective on this issue.

>> LEANDRO UCCIFERRI:  Thank you, I wanted to start by saying that it's good to start framing this conversation in terms of what we actually mean when we talk about hacking back and proactive cyber defense measures.

It was great to have Alp's insight.  Otherwise we will talk about very different things.  For the purposes of my notes and the different comments I will make, I will address specifically the problem of corporations hacking back in that specific sense, as Alp mentioned.

Basically to start from our concerns from Civil Society from a human rights perspective that we tried to issue on these issues, I would first like to address that the simple action of hacking back is against what we understand by cybersecurity itself.  As they put it in one of their working groups when defining concepts, they defined cybersecurity as the preservation through policy, technology and education of the availability, confidentiality and integrity of information and underlying infrastructure.  It wouldn't be far off to agree that the very simple concept of hacking back would be against even the core principles that uphold cybersecurity itself.

It's also worth noting that when we're talking about corporations and human rights, the UN already has guiding principles on this saying that corporations are also responsible for respecting human rights and they should avoid causing or contributing to adverse human rights impacts through their own activities and they must seek to prevent or mitigate human rights impacts that ‑‑ that are directly linked to their operations, products or services and different business practices.

So with that said, when we're talking about hacking back, what would be the specific human rights impact?

On one hand and we're talking about specifically Alp mentioned the collateral damage and most of the impact on the social perspective comes from that collateral damage.  And there are different concepts linked and we're going to talk about the attribution problem as well.  All of the different concepts and terminologies are intertwined in a way that allows us to put out an argument on how human rights are impacted.

So when we're talking about collateral damage and attribution, when companies go on hacking back corporations and they interfere with other institutions, other corporations, other individuals' systems, they may be putting other people's rights at risk.  Maybe privacy is an easier one to spot in a way because we would be dealing with ‑‑ I don't know.  For example, collecting private data, deleting that data, but also there are risks to the freedom of expression as well.  For example if the infrastructure and different systems of the target that is hacked back are disrupted.  And this happens.  There are a few cases that we can discuss with the panel that have happened where a corporation may be hacking back another corporation and they would disrupt their systems and different businesses depending on those systems are not able to function properly.

So coming back to the attribution problem which is basically at the core of when we discuss cyber attacks and cybersecurity itself, when we're analyzing online activities, the nature of those activities doesn't necessarily become obvious when we discover them.

So when we're talking about attribution and hacking back, one of the things that needs to come to mind in the discussions is what happens to due process?  We already have legal systems set in place where there's ‑‑ there needs to be a specific procedure to follow in order for the rule of law to be complied with.

So in this regard when we allow corporations to hack back, in a sense, it's worth discussing if we are allowing corporations to act as private judges and prosecutors, for example.

One of the things that is related to attribution is basically understanding what's the purpose of the attack?  So again, its nature may not be obvious at first glance.  It's a clear ‑‑ there's a clear need to understand if the hack was to conduct surveillance, to steal information, to interfere with a political institution, for example, and even more difficult is identifying who the actor behind it is.  I would suggest ‑‑ I would really recommend reading work on this.  He basically classifies the attribution in three different layers.

A traceability aspect in identifying an IP address.  The social aspect which is connecting that technical infrastructure used to a specific person using that technology and then the political aspect, which is the most important one.  Attributing a cyber attack and attributing a hacker operation is mostly a political act and that is important in this discussion because when we talk about corporations hacking back against other corporations, we need to take into account where those ‑‑ where that other ‑‑ where the target of that hacking back corporation is based and that companies acting on their own will may be putting diplomatic relationships from their own base country to the targets country at risk.

In terms of the whole debate, I would say that again having corporations hacking back would be our modern version of a wild west in a way and it is worth that kind of analogy in terms of again legal procedures that need to be followed and respecting different legal frameworks.  Not only human rights, but also data protection, for example, and just to close with a simple statement in terms of ‑‑ when we're talking about these hacking operations, when companies show this kind of strength in terms of having the measures to go after the targets, they are in a way inviting challenge.  And then challenge incites further conflict.

So this is also a problem that needs to be addressed in terms of the escalation of conflict that may not be ‑‑ that might be, um, even worse for diplomatic tensions and human rights.

>> LAURENT BERNAT:  I would like to turn to the audience and have questions for these two interventions and then we'll continue with the panelists.

Are there any questions to any of them or to the panelists?  It is always the first one, which is the most difficult.  There you go.

>> AUDIENCE:  Basically with hack back legal actions for private companies, basically hack back is one of some actions.  It seems to me it is illegal.  Hacking is not allowed in your legal systems, especially for foreign targeted attacks for hacking.  There will be two different sides.  Basically private hack back is not allowed based on the cyber crime ‑‑ it would be more complex like involving international law or some diplomatic relations.

Before going to that issue, do you think hack back is legally permissible or allowable, is my question?  Thank you.

>> LAURENT BERNAT:  Anyone?

>> AUDIENCE:  I think we addressed these issues in my contribution in 10 minutes.  But yes.  Exactly, this is the issue whether hack back is legal and there is national and international law.  As we will see, there are many aspects of hack back that could be a violation of international law and of legislation and there are examples such as the Convention on Cybercrime that also put states under many obligations, first steps to not allow that to be used against the rights of other states.  But let me see this further.  Thank you for your question.

>> LAURENT BERNAT:  Thank you.  Perhaps we'll go with the next speaker.  Karine, I will let you introduce yourself and what is your perspective from Microsoft.

>> I am Kaia from the Digital Diplomacy team at Microsoft.  I always find it interesting because there's a lot of discussions online around hack back and whenever I am in a panel we're in wide agreement and we all think it's a bad idea, but, um, I think some of the challenges there are, to both of your points, I think definitional.  I think it means a lot of different things to different people and, um, even ‑‑ we talked a little bit about sort of what the different aspects could be, but even the difference between how you talked about private actors between you two.  We don't even know what that means.  You can be corporations to corporations.  It is largely private individuals and sort of cyber crime.  So it's a vast ‑‑ it is a confused topic, I would say.  And when it comes to the industry perspective, I think in the industry there is no one perspective.  Right?

When we ‑‑ last year, this year, the cybersecurity accord has a line and it talks about a commitment about not hacking back.  That was a highly, highly, highly debated topic point in that type of accord partly because everybody has different definitions of it.  The accord now is up for consultation, a work stream on definitions.  But because for us, it was from a Microsoft perspective, you shouldn't go out and attack.  It is just bad for the environment.  It further increases sort of instability in cyberspace.  Also not a lot of people can do it accurately.  And the worry that we have is if you open it up, people would be like oh, I think it's this person, to your point about attribution, but do they really know?  Do they really have the capability?

The second point is what does it actually help?  There's one thing, the preventative type of hack back and whether they fall under definitions or not.  That actually works towards stabilizing and improving cybersecurity; just retaliation doesn't help.  Does it do anything?

And then the other conversation that came up was the ‑‑ I think a lot of security research firms are really concerned about throwing a name at their hack back and trying to ban it partly because ‑‑ I feel it is banned, but as per the conversations, they worry that it will close down their ability to do pen testing.  That is an offensive action, if you look at it.  It is normally allowed and it's in conversation with your client, but you do actually sort of try and intrude into a system.  It sort of ‑‑ it is actions of security researchers.

So I would say it's a confused space, but it is because we kind of talk at cross purposes a lot of times.  In reality under most national law and under I think partly international law, it is ‑‑ and you will talk about it ‑‑ it is not something that is legal.  I think from a Microsoft perspective, we don't encourage it, we don't want to see it expanded.  The thing someone will ask me a question on, we do do botnet takedowns, but we don't ever do it ourselves.  We do it ourselves, but we do it in cooperation with law enforcement agencies.  It is coordinated and there's court orders involved and it's not just us being like oh, we'll take this down.

So I think I would just sort of as we have this discussion, keep those points in mind.

>> LAURENT BERNAT:  Thank you, Kaia.  Which raises the question of which concepts should we use to get the proper conversation on this that would get us somewhere.

Perhaps is there any question after this third speaker?  Yes, please.

>> AUDIENCE:  Hi.  I wanted to ask.  To what extent is this a real problem we're trying to solve, because you talked about private individuals and I was very relieved to hear you say it was a very confused space.  Although we started off with what sounded like quite clear categories.  I think most people find it quite a confusing space and quite confusing to define, but it would be helpful to find what is the real problem, if there is one, with corporations taking over this activity?  Thanks.

>> LAURENT BERNAT:  Thank you.  Anyone wants to take that?  I will keep it for later.

>> SPEAKER:  There are two kinds of problem.  One is the collateral damage that I think we have briefly mentioned already which is the bystanders, but also the types of loss.  So you have information loss.  If somebody is hacking and releasing information, it is not just the target's money that is lost.  It's not just the target's resources, but also their customers and users and people who they track.  This is a very wide potential for collateral damage.

Another that should be focused on in Internet governance is the technical impact, that the networks aren't designed to carry this type of traffic.  This is relevant for denial of service attacks where you are bringing down every single pathway in between yourself and your target including your neighbors.

We always see this as ‑‑ I think in current discussion, there's a lot of focus on end point hacking and end point attacks, but we have to remember that it is also very large and perhaps one of the largest forms of attacks.  I would say these are the two main points of harm that are real problems that we see.

>> AUDIENCE:  With your point, how much does it happen?

>> SPEAKER:  I would say, given that it is illegal, I feel established corporations like names that you recognize don't do it.  I think there's an appetite and that's why you have a discussion.  I don't think it ‑‑ it is sort of at an established level and I don't think it happens very much.

>> LAURENT BERNAT:  I would, if I may, add one point.  I think perhaps there is a problem related to uncertainty whether you are in the legal or in the illegal, if I further the categorization we had.  Exploratory, preventative.  There is an intention in the three ‑‑ an intention to prevent, but in your action to prevent, perhaps you are using a technique that will be the same as the one used for every category.  There is some uncertainty on the part of the company facing the attack and trying at the end of the day to protect itself.  And that can be part of the complexity of the issue.

Perhaps we'll go with our next speaker.  Can you hold your question?  The professor of international law at the cybersecurity institute at the University of Grenoble in France.  You will provide us with a legal perspective and the law perspective.  Thank you.

>> KARINE BANNELIER:  First of all, I would like to say that it is impressive to see how many arguments have been raised to praise the virtues of hack back.  Hack back would compensate for shortcomings in government action.  It would have a deterrent effect and last but not least, it would be good for business and it is true that the cybersecurity market looks extremely promising for the private sector.

Relying on these arguments, some think tanks have advanced the idea that active cyber defense by the Private Sector should be placed into the hands of corporations ‑‑ and it is with this in mind that a bill, the ACDC, Active Cyber Defense Certainty Act, has been introduced in the U.S. Congress in 2017 in order to legalize for the first time certain acts of hacking back.

However, this initiative was for example contradicted by the French call on trust and security in cyberspace launched this morning to prevent non‑state actors from hacking back.

In a book on cyber attacks we published last year for the French conference here on cybersecurity and the role of public and private actors, we have shown that the strong opposition to hack back is due to the risks of what we called the wild hack back, that is to say hack back that is left to the entire discretion of private actors.

Also this hack back must be distinguished from what we have called a wide cyber defense based on the cooperation between public and private actors and the control of the states.  So I would then briefly address first the risks and problems of wild hack back and second, to what extent the wide cyber defense can be more acceptable.

As we know hack back involves various risks for the security of cyberspace, risks for the authority of the states, the risk of a laissez‑faire cyber defense left in the hands of the most powerful companies, the risk of misattribution, the risk of significant collateral damages, and all the risks together could lead to an uncontrolled escalation of violence in cyberspace.  Let's just imagine what could happen if now the 200 million enterprises in the world launched cross‑border attacks in hack back?  This wild hack back also raises many legal problems.  It's hacking.

[Laughter]

>> LAURENT BERNAT:  Someone doesn't like what you're saying.

[Laughter]

>> KARINE BANNELIER:  They don't like it.  I would like ‑‑ I will continue.  I will try to continue.  First of all, I think that from an international perspective, we have to say that international law does not allow the Private Sector to conduct hack back, but it is also true that international law does not prohibit hack back as such.  However, hack back could violate many different legal rules.  For example in international law, the responsibility of a state can be engaged for the breach of its obligation of due diligence if it has not taken the necessary measures in order to prevent a harmful cross‑border hack back launched by a private company from its ICT.  A private company that conducts hack back with international consequences can also violate the law of several states.

First the state where hack back causes damages, but also second the state from which it acts.  Indeed, as is the case with the Budapest Convention on Cybercrime, states have enacted legislation in order to criminalize attacks on computer systems.  Corporations hacking back can then face criminal prosecution in several countries.

It is necessary to consider to what extent a wide cyber defense could be more acceptable.  Can it rely on the private sector?  The answer is yes.  As we have explained in our book, the cooperation mechanism between the state and the private sector is well known in many legal systems.  We then suggest a scenario where a state can authorize a limited number of certified companies to act under its control.  Such a legal framework could address the concern of the victim and at the same time, it would avoid a large number of the risks associated with hack back.

But now if we want to achieve that partnership, we need to be extremely cautious and act step by step so as not to open or reopen a Pandora's Box.  Thank you very much.

>> LAURENT BERNAT:  Thank you, Karine.  This is extremely interesting and another perspective on the issue is if so many Private Sector stakeholders have the possibility to hack back.  If it becomes legal, how does it scale?  We have a problem for the Internet as a whole.  I know I underline the notion of public‑private cooperation here in a very, very specific context.  Is there any question and then we'll turn to our last panelist.  Yes, please.

>> AUDIENCE:  You're talking a lot about companies hacking each other.  If a hacker were hijacking your server or whatever, would you see that as hacking back your own server or restoring your own infrastructure?

>> SPEAKER:  If we were to go out and sort of take action, we would do it together with law enforcement.  We wouldn't do it by ourselves.  I don't know if that answers the question, but I think we would not consider that.  We would have to have the authority to do something like that.

>> LAURENT BERNAT:  Did you mean if somebody hacks my server which is hacked already by someone else, should I consider that as integration or some positive action towards me?

>> AUDIENCE:  If it's illegal to hack, is it also illegal to hack your own server back if it is being hijacked or anything, because it is your own infrastructure?  You're trying to protect your own system and you're trying to restore it to get it back.

>> LAURENT BERNAT:  Is hacking your own system hack back?

>> I don't think you would have to hack it.  I would say no.

>> SPEAKER:  One perspective is IoT devices.  You have the client, and was the device done on their own by the customer?  Perhaps almost ‑‑ well, the device is maintained by the company.  They mitigate the harm by the machines if the devices have been compromised.  I think this can have an additional aspect if a company has gone bust, for example.  Who would switch off the switches which are now causing massive attacks across the world?  That is a really unsolved question and it does also ask the question:  Should there be a master key when a company goes bust, for example, so somebody can go in and fix the mess afterwards?  These can be unsolved problems.

>> LAURENT BERNAT:  And who really owns those to intervene?  There may be chains of actors involved in contractual complexity on the various stakeholders to maintain the system.

Perhaps to switch over to the last panelist.  We have Yves Verhoeven.  He will provide us with the perspective of a government agency on this issue.

>> YVES VERHOEVEN:  Thank you very much.  So I will start by elaborating a bit on the hardest form of hack back meaning cyber attacks in response to cyber attacks.  I will take a slightly broader perspective.

If you look at what has happened in the past years, it is true to say that despite the mobilization of states to fight cyber crime, it is true to say the efficiency of public policies to discourage cyber attackers has been limited.

So we can understand that it has been tempting for a certain number of persons to promote hack back, as cyber attacks to answer cyber attacks, as a warhead; however, from the very beginning, I will say from our perspective, we believe it would only add chaos to chaos.  For a certain number of reasons that have been touched upon earlier, I will come back to it.  We believe if you try to answer as the Private Sector to cyber attacks for yourself or for the benefit of other non‑state actors, then there is a high risk of aggravating the situation because of the various possible ways to have misperception.

The first one is the victim who wants to answer may in fact target an innocent third party.  When you look at originators, it is a challenge that even states struggle to address and they have access to intelligence.

The second point is that hack back operations can have disproportionate and unwanted consequences and side effects.  If you think about conducting a cyber attack, then it is very difficult to imagine a cyber attack having some very precise, contained consequences.  It is also definitely a challenge.

And also since the various actors will certainly be hosted in different countries, there is also a risk of misperception concerning who the actors are, what the intents are, and it can trigger an escalation between the states hosting the various actors.

So we believe that all this would, with a very high level of probability, lead to a system of increased instability at the global level.  We believe cyber attacks would definitely be the result of accepting hack back, the hard form of hack back, as acceptable and we believe the legitimate use of violence, because we are talking about violence, the legitimate use of violence should remain with the states.  So today, hack back is clearly illegal in French law.  It is illegal in many national laws conforming to the Budapest Convention and many stakeholders believe it should remain so.  And this is why this morning in the Paris Call that was released for trust and security in cyberspace, rejecting hack back from non‑state actors is one of the specific measures which is promoted.

So this is for the hard form of hack back and, of course, there are many other ways to react which could be imagined as not strictly passive.  And then the issue is, okay.  So if we exclude cyber attacks as a form of answer to cyber attacks, could I do anything which may be a bit on the border?  In fact, we believe that the debates which have risen from the topic of what is called the gray zone, in particular by the Carnegie Endowment, are a good debate.  Even so, these debates can sometimes stumble on imprecise concepts and terms like passive and active cyber defense measures and we believe we should be precise on that and analyze clearly what is definitely legal, what is definitely illegal and what is perhaps in between.  So some measures may in some conditions be recognized as legal, but it should not be obvious and depends on the way it would be conducted and perhaps on who conducts them.  So this is our view on the ‑‑ let's say the gray zone.  We believe that we should conduct a risk analysis for each kind of measure, for each kind of answer to cyber attacks, in order to analyze whether the risk and conduct of such a measure is acceptable and it should all be based on a risk analysis.  The same risk analysis that I conducted on the hard form of hack back should also be conducted on less hard forms of hack back.  We believe that we should all work together around the table on a framework to put on this kind of analysis and it can certainly reach the conclusion that there should be some guidance for a certain number of forms of answer.  And there should perhaps be some regulation over some actors who can be allowed to conduct some specific measures.  But still not conduct cyber attacks.  That's all from me.

>> LAURENT BERNAT:  Thank you.  Let's have questions from the floor, please.

>> AUDIENCE:  Hi.  Thank you.  My question ‑‑ I have two of them.  The first is public actors are allowed to hack back.  The question would be:  Is it efficient the way it is conducted today?  Do they have the means to do their job?  And the second one is:  I understand the legal framework is not really clear.  So would it be desirable to develop an international framework?  Is it going to happen in the next couple of years?

>> SPEAKER:  I feel I should answer.  So welcome ‑‑ when it comes to public actors, it is obvious that public actors have over the years worked upon the issue of conducting cyber attacks for different reasons, which can be ‑‑ which at times, on many occasions, from a public policy point of view.

So there is some kind of experience, some specific means I mentioned, having access to agencies, for instance, and other specificities of public actors.  They should definitely refrain from the use, from the excessive use, of cyber attacks.  This has been debated in the past.  Even so, consensus is not at risk and the failure of it is locked.  This is not an easy issue.

Concerning the legality of the various actions, what I meant was not that there is uncertainty in the legality.  In each national law, it is often clear what is legal and illegal.  What I meant is perhaps there is some space because we would like some legal precedence to elaborate and to provide some background to a certain number of actors.  So if there is the intent to use some measures which are not clearly and completely legal in all circumstances, then perhaps you send them to do them and they should put that into the proper framework and conform to some specific guidance to make sure they are still on the right side.

>> SPEAKER:  I would say the legal aspects are quite clear.  I would say not only in terms of the human rights perspective and the international framework of human rights, but also the specific national laws on data protection and so on that states may implement in their own context.

In those aspects, it is quite clear that hacking back is illegal in terms of those frameworks.

>> SPEAKER:  I really liked your framework.  It talks about preventative and retaliatory in particular.  I think a lot of the conversation now is focused on retaliation.  I think the gray area is that preventative space.  This is sort of slightly more out there with examples, but in the discussions, it's been raised that even patching could actually be offensive because they own the system.  So do you ‑‑ do we have a right to patch their system?  Or the other, which I feel is on the extreme side of the argument, the other suggestion that people are sort of playing with is the creation of honey pots.  If you create a vulnerable system to lure in attackers specifically to catch them, you know, you don't aggressively attack a system, but it is an active defense.  Another example that I think people also talk about on the extreme are sandboxes, where you close off the attacker in a specific space.  So I think that's where more of the gray areas are.  The actual one is going after a different system.  I think we're all in agreement.  It's not legal.

>> SPEAKER:  Yes.  If you want now to reinforce the banning of hack back, I think that you can act step by step, and the first one, you can try to universalize the Budapest Convention, which is really important.  It is a clear answer to the prohibition of hack back.  There is a cybercrime convention, and I think the Paris Call is also a step, an important step, to show the international community is against hack back.  I think there's also a series of many other steps that you can reach.

For example, we have to work together on the question of the prevention of issues, ICT.  You know the black market today, which is increasing, concerning which products companies use to launch cyber attacks.  It is something we need to address.  We have now the agreements, but I think that we need to go forward with this question.  So there are many aspects and I think it's illegal, but also at the economic level, it will show the companies that the best defense is not hack back.

>> SPEAKER:  So on the Paris Call, you know, like you said, the international legal communities endorse it as a single step.  You will see there is a vast number of actors that will endorse it and have endorsed it.  So I think there's wide agreement that it is a step in the right direction.

>> LAURENT BERNAT:  Thank you.  If I can add a couple of words to what I heard, it seems that everybody agrees that hack back is a bad idea and should be illegal, but at the same time, this is also conceptually confusing.  We need to clarify it.  We have types of measures that can help, but at the same time, I'm wondering.  Are these the right categories?  I could do something with the intention of being exploratory and create damages.  It should not be the criterion, perhaps, the criterion to identify whether we're on the bad side or the good side.  Should it be my intention or the potential consequences or the consequences?  And perhaps here we're touching on the gray zone.  That would be what we would need to clarify, and just one last point.  It would need to be clarified internationally; if one country clarifies it for itself, it is probably not enough.  The ecosystem is global.  We end up with another Internet Governance issue, to put it very, very broadly.  A collective issue at the international level.  Any reaction to this?

>> SPEAKER:  I feel I speak a lot, but Budapest can clarify about intent, I think.  A lot of legal frameworks have intent in there as a qualifying structure.

>> SPEAKER:  You should look at the idea, for example, of patching a network that could be vulnerable and going in to attack the infrastructure.  If you have no contractual connection to the owner of the infrastructure, you are not allowed.  In French law, it is illegal and this is not retaliatory.  This is your preventative action and today, it is illegal.  It can be made legal in the near future because it would have many consequences.  So having the differentiation between exploratory and retaliatory is a good basis to discuss the strongest form of hack back.  At some point, you will go further in the debate and then we have to go into some sort of risk analysis, measure by measure, based on a certain number of risks.  The risk of disturbance of networks and force inside effects.  The escalation and the risk of triggering a political escalation between states.  And perhaps also risk than is once.  I think we still have some room to elaborate a lot about the classification in order to have some fully rational debates.

>> LAURENT BERNAT:  Thank you.  We're reaching the end.  I would like to go over this with you with a very yes or no answer, and the question is:  Is there any room for international work in this area?  That's the yes‑no question.  And last, what is your last point?

>> SPEAKER:  I would answer that with a definite, resounding yes.  And I would just note that if we don't make the right decisions, there is a very real risk that at some point, a digital attack will be responded to with a kinetic response.  And that is perhaps the end game of what we're looking at here.  What we need is to combine the regulatory efforts and the human rights angle as well to really get to the answer.  This is really a critical time to keep moving forward on this.

>> LAURENT BERNAT:  Leandro?

>> LEANDRO UCCIFERRI:  We made very good progress.  I would say that it is good we're debating here in a multi‑stakeholder forum.  If not, we would then be leaving this to governments and corporations discussing it by themselves, and we would lose that aspect from the technical community and Civil Society, which is also important.

>> LAURENT BERNAT:  Thank you.  I could not agree more.

>> SPEAKER:  I would say yes, but I sometimes worry that there is a lot of discussion which presents it as something that needs to happen.  Right?  So I think we should talk about it.  We should generate definitions and come to the right agreement on what the appropriate actions are, but also make sure that we don't talk about it so much that it becomes a thing where it is on a track and it is just going to happen.

>> SPEAKER:  Yes.  I would also say yes, but I have seen two aspects.  We need to be very cautious in order not to open a Pandora's box.  We need to go step by step in a very concrete way, both at the national and international level on this question and on the legal and technical issues.

>> SPEAKER:  Yeah.  Again, it goes for a multi‑stakeholder approach and goes for general mobilization.  So my answer is yes.

>> LAURENT BERNAT:  And I understand it is on the French ‑‑ thanks to the audience and also for your participation.  It is 9 o'clock almost exactly ‑‑ 10 o'clock.  Sorry.  10 o'clock sharp.  Thank you.
