1. Key Policy Questions and related issues:
What are the dangers of permitting private industry to hack back to protect themselves and their customers?
What types of activities should be considered hack backs versus active defense measures that should be protected?
2. Summary of Issues Discussed:
All of the speakers, representing different technology companies and signatories of the Cybersecurity Tech Accord, and seemingly also the majority of attendees, agreed with Paris Call principle #8 – that private industry should not be permitted to “hack back” against attackers for their own purposes. In addition, speakers agreed on a general definition of what types of activities should be considered “hack backs” – namely, the unlawful access to computer systems outside one's own networks in order to retaliate against bad actors.
Consensus that such activities were ill-advised was based on concerns about their legality, as well as the potential for unintended consequences and escalation of attacks with malicious actors, even nation-state actors. The discussion also highlighted the dangers of a growing market of “hackers for hire” and those selling offensive tools to be used by states and other actors, with questionable legality.
While there was much consensus about definitions and what types of actions should be permitted, representatives from the respective companies had differing standards when it came to the types of active defense measures they would pursue – including things like botnet takedowns.
7. Reflection to Gender Issues:
There was no particular discussion of gender issues in the workshop.