IGF 2018 OF #33 PRIVATE SECTOR "HACK BACK": WHERE IS THE LIMIT?

Information

Session

Theme:

Subtheme:

Description:

The private sector has been exposed to an exponentially increasing number and variety of attacks in the digital environment. Businesses should protect themselves, but they are dependent on their respective governments if they wish counter-offensive action be legally taken against attackers. With practices known as “hacking-back” being within governments' prerogative only, how far should businesses be allowed to go in taking proactive defensive measures (also referred to as "active cyber defence")? Should public policy evolve, in order to clarify the conditions, limits and safeguards for private sector to resort to such techniques?

Key questions to be discussed by speakers and participants on site and online include:

What renders a digital security measure as “active” rather than “passive”? What are concrete measures that might fall into each category? Is this categorisation necessary? What is a technology neutral description of “active cyber defense”? Where are the boundaries between “hacking back” and “active cyber defense”?
What is the prerogative of governments in responding to an attack and where does the scope of action of a business start and ends? Could anyone use proactive defence measures or should only “qualified” players be allowed to enter this space? Should there be any oversight?
What are the limits of “active cyber defense”? How would what is acceptable and what is not be determined? • What are the risks of hacking back, including to the Internet and other users? Is there any way to mitigate those risks? Who would be responsible in case of damages to a third party?
Is there a need for internationally agreed rules and principles in this area? And more generally: has the time come for new rules and guiding principles to clarify businesses' scope of action, and to allow them to pursue a proactive defence approach of their systems and data in an ever increasingly digital and data-driven world?

To discuss this issue, this Open Forum will bring together 5 speakers, with gender, regional, and stakeholder balance. Discussions will feed the preparation of the inaugural event of the OECD Global Forum on Digital Security for Prosperity (13-14 December 2018, Paris) which will focus on the roles and responsibilities of actors for digital security.

Organizers:

OECD

Speakers:

Laurent Bernat – OECD (moderator)
Karine Bannelier - Associate Professor of Int. Law, Dep. Director Cyber-Security Institute, University Grenoble Alpes, France
Kaja Ciglic - Microsoft
Alp Toker - Technical Community, Netblocks.org
Leandro Ucciferri -Asociación por los Derechos Civiles, Argentina
Yves Verhoeven - French National Cybersecurity Agency (Agence Nationale de la Sécurité des Systèmes d’Information – ANSSI)

Online Moderator:

Lorrayne Porciuncula

Background Paper

Report:

- Session Type (Workshop, Open Forum, etc.): OPEN FORUM

- Title: PRIVATE SECTOR "HACK BACK": WHERE IS THE LIMIT?

- Date & Time: Monday 12 November 2018 – 9:00-10:00

- Organizer(s): OECD

- Chair/Moderator: Laurent Bernat

- Rapporteur/Notetaker: Lorrayne Porciuncula

- List of speakers and their institutional affiliations (Indicate male/female/ transgender male/ transgender female/gender variant/prefer not to answer):

Karine Bannelier - University Grenoble Alpes, France - Female
Kaja Ciglic – Microsoft Corp. – Female
Alp Toker - Netblocks.org - Male
Leandro Ucciferri -Asociación por los Derechos Civiles, Argentina – Male
Yves Verhoeven - French National Cybersecurity Agency (Agence Nationale de la Sécurité des Systèmes d’Information – ANSSI) – Male

- Theme (as listed here): Cybersecurity, Trust and Privacy

- Subtheme (as listed here): Cybersecurity Best Practices

- Please state no more than three (3) key messages of the discussion. [150 words or less]

What are the differences between “active” and “passive” defense and where are the boundaries between “hacking back” and “active cyber defense”?
What is the prerogative of governments in responding to an attack and where does the scope of action of a business start and ends? Could anyone use proactive defence measures or should only “qualified” players be allowed to enter this space? Should there be any oversight?
What are the risks of hacking back, including to the Internet and other users? Is there any way to mitigate those risks? Who would be responsible in case of damages to a third party? Is there a need for internationally agreed rules and principles in this area?

- Please elaborate on the discussion held, specifically on areas of agreement and divergence. [150 words] Examples: There was broad support for the view that…; Many [or some] indicated that…; Some supported XX, while others noted YY…; No agreement…

The OECD Open Forum brought together a panel that discussed an issue that was understood by experts to be one of the less discussed side of digital security: the "hacking back" from the private sector. It was agreed that in general, hacking back should not be encouraged or permissible, due to its potential economic, social and political collateral impacts. While the size of these practices are still unclear, since in many countries it is considered illegal, some indicated that there is a growing body of arguments favouring these kind of responses from the private sector. All agreed that in order to advance in this conversation, better frameworks and concepts are needed, as there is confusion about definitions and typology of hack back practices.

- Please describe any policy recommendations or suggestions regarding the way forward/potential next steps. [100 words]

It was suggested that the first step towards finding solutions for this issue is clarifying concepts and types of hack back practices. This could be done based on the intent (e.g. exploratory, preventative, retaliatory) of, and/or the risk possibly steming from these practices.

Moreover, it was agreed that more international and multistakeholder cooperation is needed to provide guidance for technical and regulatory approaches to address private sector hack back.

- What ideas surfaced in the discussion with respect to how the IGF ecosystem might make progress on this issue? [75 words]

Panellists agreed that the IGF can be a very useful forum for discussions due to its multi-stakeholder approach, allowing for an informed and diverse debate of emerging issues such as the one of concepts, limits and approaches for hacking back from the private sector.

- Please estimate the total number of participants.

50 people

- Please estimate the total number of women and gender-variant individuals present.

25 women

- To what extent did the session discuss gender issues, and if to any extent, what was the discussion? [100 words]

NA.

Session Time:

Monday, 12 November, 2018 - 09:00 to 10:00

Room:

Salle IX