IGF 2018 OF #33 PRIVATE SECTOR "HACK BACK": WHERE IS THE LIMIT?

The private sector has been exposed to an exponentially increasing number and variety of attacks in the digital environment. Businesses should protect themselves, but they are dependent on their respective governments if they wish counter-offensive action be legally taken against attackers. With practices known as “hacking-back” being within governments' prerogative only, how far should businesses be allowed to go in taking proactive defensive measures (also referred to as "active cyber defence")? Should public policy evolve, in order to clarify the conditions, limits and safeguards for private sector to resort to such techniques? Key questions to be discussed by speakers and participants on site and online include: • What renders a digital security measure as “active” rather than “passive”? What are concrete measures that might fall into each category? Is this categorisation necessary? What is a technology neutral description of “active cyber defense”? Where are the boundaries between “hacking back” and “active cyber defense”? • What is the prerogative of governments in responding to an attack and where does the scope of action of a business start and ends? Could anyone use proactive defence measures or should only “qualified” players be allowed to enter this space? Should there be any oversight? • What are the limits of “active cyber defense”? How would what is acceptable and what is not be determined? • What are the risks of hacking back, including to the Internet and other users? Is there any way to mitigate those risks? Who would be responsible in case of damages to a third party? • Is there a need for internationally agreed rules and principles in this area? And more generally: has the time come for new rules and guiding principles to clarify businesses' scope of action, and to allow them to pursue a proactive defence approach of their systems and data in an ever increasingly digital and data-driven world? To discuss this issue, this Open Forum will bring together 5 speakers, with gender, regional, and stakeholder balance. Discussions will feed the preparation of the inaugural event of the OECD Global Forum on Digital Security for Prosperity (13-14 December 2018, Paris) which will focus on the roles and responsibilities of actors for digital security.