The private sector has been exposed to an exponentially increasing number and variety of attacks in the digital environment. Businesses should protect themselves, but they depend on their respective governments if they want counter-offensive action to be taken legally against attackers. With practices known as “hacking-back” being within governments' prerogative only, how far should businesses be allowed to go in taking proactive defensive measures (also referred to as "active cyber defence")? Should public policy evolve in order to clarify the conditions, limits and safeguards for the private sector to resort to such techniques?
Key questions to be discussed by speakers and participants on site and online include:
To discuss this issue, this Open Forum will bring together 5 speakers, with gender, regional, and stakeholder balance. Discussions will feed the preparation of the inaugural event of the OECD Global Forum on Digital Security for Prosperity (13-14 December 2018, Paris) which will focus on the roles and responsibilities of actors for digital security.
OECD
Lorrayne Porciuncula
- Session Type (Workshop, Open Forum, etc.): OPEN FORUM
- Title: PRIVATE SECTOR "HACK BACK": WHERE IS THE LIMIT?
- Date & Time: Monday 12 November 2018 – 9:00-10:00
- Organizer(s): OECD
- Chair/Moderator: Laurent Bernat
- Rapporteur/Notetaker: Lorrayne Porciuncula
- List of speakers and their institutional affiliations (Indicate male/female/ transgender male/ transgender female/gender variant/prefer not to answer):
- Theme (as listed here): Cybersecurity, Trust and Privacy
- Subtheme (as listed here): Cybersecurity Best Practices
- Please state no more than three (3) key messages of the discussion. [150 words or less]
- Please elaborate on the discussion held, specifically on areas of agreement and divergence. [150 words] Examples: There was broad support for the view that…; Many [or some] indicated that…; Some supported XX, while others noted YY…; No agreement…
The OECD Open Forum brought together a panel to discuss an issue that experts understood to be one of the less discussed sides of digital security: "hacking back" by the private sector. It was agreed that, in general, hacking back should not be encouraged or permissible, due to its potential economic, social and political collateral impacts. While the scale of these practices is still unclear, since in many countries they are considered illegal, some indicated that there is a growing body of arguments favouring these kinds of responses from the private sector. All agreed that, in order to advance this conversation, better frameworks and concepts are needed, as there is confusion about the definitions and typology of hack back practices.
- Please describe any policy recommendations or suggestions regarding the way forward/potential next steps. [100 words]
It was suggested that the first step towards finding solutions for this issue is clarifying the concepts and types of hack back practices. This could be done based on the intent behind these practices (e.g. exploratory, preventative, retaliatory) and/or the risk possibly stemming from them.
Moreover, it was agreed that more international and multistakeholder cooperation is needed to provide guidance for technical and regulatory approaches to address private sector hack back.
- What ideas surfaced in the discussion with respect to how the IGF ecosystem might make progress on this issue? [75 words]
Panellists agreed that the IGF can be a very useful forum for discussions due to its multi-stakeholder approach, allowing for an informed and diverse debate of emerging issues such as the concepts, limits and approaches relevant to hacking back by the private sector.
- Please estimate the total number of participants.
50 people
- Please estimate the total number of women and gender-variant individuals present.
25 women
- To what extent did the session discuss gender issues, and if to any extent, what was the discussion? [100 words]
NA.