IGF 2020 WS #353 Hacking-Back: A Dialogue with Industry

Information

Session

Thematic Track:

Topic(s):

Cyberattacks
Cybersecurity Best Practices
Norms

Organizer 1: Private Sector, Western European and Others Group (WEOG)
Organizer 2: Civil Society, Intergovernmental Organization

Speaker 1: Kristen Verderame, Private Sector, Western European and Others Group (WEOG)
Speaker 2: Kaja Ciglic, Private Sector, Eastern European Group
Speaker 3: Ed Cabrera, Technical Community, Western European and Others Group (WEOG)
Speaker 4: Alissa Starzak, Private Sector, Western European and Others Group (WEOG)

Format:

Panel - Auditorium - 90 Min

Description:

This session will feature industry speakers from the Cybersecurity Tech Accord shedding light on what they believe should and should not be considered “Hacking-back” under the principle of the Paris Call for Trust and Security in Cyberspace prohibiting such activity. In addition, the session will seek to start a conversation and solicit input, in particular from the civil society and public sector officials in attendance, regarding what they believe should and should not constitute “hack-back” activities, in order to drive greater consensus on an important and nuanced topic. Agenda: • 5 minutes – Moderator introduces the topic for discussion in the context of the Paris Call principle prohibiting private sector “hack-back,” first introduced in 2018, and the subsequent work the Cybersecurity Tech Accord has done to clarify what activities this principle should and should not apply to, from an industry perspective. • 25 minutes – The Panelists in turn make opening remarks describing the value of the Paris Call principle and providing a nuanced understanding of what kinds of private sector activities should be considered “hacking-back”. Importantly, panelists will all represent perspectives from different parts of the technology industry – highlighting how the principle might apply in different contexts. • 25 minutes – The moderator will ask pointed questions about what this principle would commit companies to do in different circumstances, and probe how the industry understanding being presented aligns with other perspectives from academia in particular. • 25 minutes – Open discussion with those in attendance, who are invited to ask follow up questions and critique the perspective put forward by the panelists. • 10 minutes – Closing comments from panelists about what they have learned and considerations they are walking away with to continue taking this work forward in implementing the Paris Call principle.

Issues:

In 2018, the Paris Call for Trust and Security in Cyberspace was launched and established 9 foundational cybersecurity principles for governments, industry and civil society to help promote a safe and secure online world. With over 1,000 supporting entities today – including over 75 governments and hundreds of industry and civil society organizations – the Paris Call is the largest multistakeholder agreement in the world focused on cybersecurity principles. One of these principles, number 8, creates a new expectation that Paris Call supporters will “take steps to prevent non-State actors, including the private sector, from hacking-back, for their own purposes or those of other non-State actors.” This principle raises important questions about what activities constitute “hacking-back,” as well as which ones do not. As an enthusiastic supporter of the Paris Call, the Cybersecurity Tech Accord – a global coalition of technology companies committed to improving cybersecurity – has taken the initiative to clarify what, from an industry perspective, should constitute “hacking-back” under the principle and which activities should not. This is an important discussion as hacking-back can set dangerous precedents that invite escalations in cyberattacks and unintended consequences that can put technology users at risk. Meanwhile, it is just as important to be clear about what hacking-back is not, as painting with too broad a brush could prohibit valuable security practices, including so-called “active defense” measures employed widely by industry to keep users and customers everywhere safe. This session will give representatives from the Cybersecurity Tech Accord an opportunity to share both their consensus view as to how the technology industry broadly thinks about “hacking-back,” as well as the nuanced perspectives of their respective companies on the issue. It will also provide a valuable opportunity to seek input and feedback from other stakeholder groups in attendance as to whether this industry perspective seems consistent with the Paris Call principle ahead of the second anniversary of the agreement in November 2020.

Policy Question(s):

Cybersecurity policy, standards and norms: i) What are the risks and benefits posed by so-called “hack-back” activities? ii) What kinds of activities by private industry should be considered “hacking-back” and off-limits, and which should not, in order to promote safety and security online?

Expected Outcomes:

Participants should walk away with a nuanced understanding of what activities members of the technology industry regard as “hacking-back,” and which security practices should not be given that label. Meanwhile, this consultation with other stakeholders will provide invaluable input and feedback as the Cybersecurity Tech Accord works to finalize a consensus opinion and report on this topic to strengthen and clarify the expectations of the Paris Call for Trust and Security in Cyberspace to support its implementation and recognition.

Relevance to Internet Governance: The Paris Call for Trust and Security in Cyberspace stands as a landmark achievement in establishing a new multistakeholder baseline, and forum for discussion, on principles to better protect the integrity and security of the online world. However, dialogues like this are essential for realizing the potential of this important agreement, as different stakeholders debate and discuss the particulars of what respective principles mean and don’t mean in concrete terms to reinforce clear commitments.

Relevance to Theme: Trust in cyberspace is based on no small part on clear expectations for responsible behavior on the part of all stakeholders, including industry, which are recognized and reinforced. While high-level principles, such as those included in the Paris Call, are essential to identifying what these different responsibilities are, they are not the end but rather the beginning of the discussion to define what specific commitments are consistent with those principles.

Discussion Facilitation:

Organizers will work to socialize this session with a wide audience in advance, in particular with those from civil society and government backgrounds likely to be invested in this discussion and with opinions that may challenge those presented by the speakers. The session organizers will also work to share a draft of the consensus Cybersecurity Tech Accord view on “hack-back” in advance of the session, to stimulate thinking and prompt robust and substantive dialogue during the session. Finally, the session will be structured so that a substantial amount of time is reserved for feedback, questions and discussion with those in attendance, both on site and online.

Online Participation:

Usage of IGF Official Tool.

SDGs:

GOAL 9: Industry, Innovation and Infrastructure
GOAL 16: Peace, Justice and Strong Institutions
GOAL 17: Partnerships for the Goals