- Session Type (Workshop, Open Forum, etc.): OPEN FORUM
- Title: PRIVATE SECTOR "HACK BACK": WHERE IS THE LIMIT?
- Date & Time: Monday 12 November 2018 – 9:00-10:00
- Organizer(s): OECD
- Chair/Moderator: Laurent Bernat
- Rapporteur/Notetaker: Lorrayne Porciuncula
- List of speakers and their institutional affiliations (Indicate male/female/ transgender male/ transgender female/gender variant/prefer not to answer):
- Karine Bannelier - University Grenoble Alpes, France - Female
- Kaja Ciglic – Microsoft Corp. – Female
- Alp Toker - Netblocks.org - Male
- Leandro Ucciferri – Asociación por los Derechos Civiles, Argentina – Male
- Yves Verhoeven - French National Cybersecurity Agency (Agence Nationale de la Sécurité des Systèmes d’Information – ANSSI) – Male
- Theme (as listed here): Cybersecurity, Trust and Privacy
- Subtheme (as listed here): Cybersecurity Best Practices
- Please state no more than three (3) key messages of the discussion. [150 words or less]
- What are the differences between “active” and “passive” defense and where are the boundaries between “hacking back” and “active cyber defense”?
- What is the prerogative of governments in responding to an attack and where does the scope of action of a business start and ends? Could anyone use proactive defence measures or should only “qualified” players be allowed to enter this space? Should there be any oversight?
- What are the risks of hacking back, including to the Internet and other users? Is there any way to mitigate those risks? Who would be responsible in case of damages to a third party? Is there a need for internationally agreed rules and principles in this area?
- Please elaborate on the discussion held, specifically on areas of agreement and divergence. [150 words] Examples: There was broad support for the view that…; Many [or some] indicated that…; Some supported XX, while others noted YY…; No agreement…
The OECD Open Forum brought together a panel that discussed an issue understood by experts to be one of the less discussed sides of digital security: "hacking back" by the private sector. It was agreed that, in general, hacking back should not be encouraged or permissible, due to its potential economic, social and political collateral impacts. While the extent of these practices is still unclear, since in many countries they are considered illegal, some indicated that there is a growing body of arguments favouring this kind of response from the private sector. All agreed that in order to advance this conversation, better frameworks and concepts are needed, as there is confusion about the definitions and typology of hack back practices.
- Please describe any policy recommendations or suggestions regarding the way forward/potential next steps. [100 words]
It was suggested that the first step towards finding solutions for this issue is clarifying the concepts and types of hack back practices. This could be done based on the intent (e.g. exploratory, preventative, retaliatory) of, and/or the risk possibly stemming from, these practices.
Moreover, it was agreed that more international and multistakeholder cooperation is needed to provide guidance for technical and regulatory approaches to address private sector hack back.
- What ideas surfaced in the discussion with respect to how the IGF ecosystem might make progress on this issue? [75 words]
Panellists agreed that the IGF can be a very useful forum for discussions due to its multi-stakeholder approach, allowing for an informed and diverse debate of emerging issues such as the one of concepts, limits and approaches for hacking back from the private sector.
- Please estimate the total number of participants.
50 people
- Please estimate the total number of women and gender-variant individuals present.
25 women
- To what extent did the session discuss gender issues, and if to any extent, what was the discussion? [100 words]
NA.