Session
Proposer's Organization: Digital Society Institute
Co-Proposer's Name: Mr. Sven Herpig
Co-Proposer's Organization: Stiftung Neue Verantwortung
Co-Organizers:
Isabel SKIERKA, Civil Society,Digital Society Institute Sven HERPIG, Civil Society, Stiftung Neue Verantwortung
Natasha Msonza and Zahid Jamil will not be able to participate. In their stead, Leandro Ufficerri from DCA and Sven Herpig from SNV Berlin will speak.
5 minutes: The Chair introduces the speakers, context, and format of the debate. The Chair will pose the questions throughout the debate which each speaker has 4 minutes to respond to. The questions are provisional for now.
Question 1: Will an expanded practice of government hack backs result in more or less collective security?
16 minutes: Each of the four speakers has 3-4 minutes to respond to the question.
Question 2: Should governments refrain from expanding hack back authorizations and adopt alternative measures, if so, which ones?
16 minutes: Each of the four speakers has 3-4 minutes to respond to the question.
10 minutes: Speakers will respond to each other and specific points made throughout the debate. The Chair will facilitate the discussion.
20 minutes: The Chair opens the debate to all workshop participants. Participants can address questions to speakers which speakers have a maximum of 2 minutes to respond to. After 15 minutes, one speaker of each team will summarize the results in 1 or 2 minutes.
20 minutes: The Chair will open and moderate the debate among everyone. Each participant can make an intervention (original point or response) of a maximum of 2 minutes.
3 minutes: The Chair will briefly summarize and close the debate.
Report
Session Title:
The Government Hacks Back - Chaos or Security? A Debate
Date: 20.12.2017
Time: 16:40 – 18:10
Session Organizer: Isabel Skierka, Digital Society Institute, ESMT Berlin
Co-Organizer: Dr. Sven Herpig, Stiftung Neue Verantwortung
Chair/Moderator: Isabel Skierka
Rapporteur/Notetaker: Isabel Skierka
List of Speakers and their institutional affiliations:
Dr. Tatiana Tropina, Max Planck Institute, Freiburg
Dr. Sven Herpig, Stiftung Neue Verantwortung, Berlin
Maarten van Horenbeeck, Fastly and FIRST
Leandro Ucciferri, ADC Digital
Key Issues raised:
Definition: The term “hack back” is only poorly defined and is used to refer to practices ranging from preventive cyber security measures to offensive hacking of foreign systems.
Legal basis: The legal basis for law enforcement-led “hack backs” (or: offensive cyber measures launched in response to a cyber attack) is unclear in most countries as well as internationally.
Systemic effects: Offensive ‘counter-strikes’ in the digital realm can have systemic and uncertain effects, which decision-makers might not be able to foresee.
Effectiveness: It is unclear whether and under what circumstances governmental hacking of foreign systems would be effective and how that effectiveness can be measured in terms of international, national, and human security.
Trust: The preventive and/or reactive use of cyber offense tools by law enforcement authorities and intelligence agencies can undermine trust in the reliability and security of the internet.
If there were presentations during the session, please provide a 1-paragraph summary for each presentation: No presentations during the session.
Please describe the Discussions that took place during the workshop session (3 paragraphs):
The workshop proceeded in an Oxford style debating format and discussed the motion „This house believes that governments should have authority, under certain circumstances, to ‘hack back’ devices which serve as attack tools in order to neutralize the threat posed to systems within their jurisdiction.” During the first half of the debate (approximately 40 minutes) two teams of two speakers each discussed the motion and related questions: Maarten van Horenbeeck and Leandro Ucciferri (Team 1) and Tatiana Tropina and Sven Herpig (Team 2). After the first half of the session, participants from the audience joined the debate by posing questions and making interventions themselves. For the sake of brevity, the following two paragraphs will summarize different positions of both speakers and audience participants in line with the team positions.
Team 1 argued that governments should under no circumstance have the authority to engage in ‘hack back’ acts, because
- Malware can act unpredictably. Therefore, governmental hacking and ‘counter-strikes’ in the digital realm can have systemic and uncertain effects which can cause grave collateral damage for technical infrastructure, nation-states, and individuals.
- Governmental hacking on foreign territory can harm the privacy and safety of individuals abroad.
- The use of offensive tools for counterstrikes in cyberspace can undermine trust in the security of the internet and in international security.
- Governments should focus on implementing measures that promote information security at a national and international level, and addressing root causes of cyber crime instead of investing personnel and financial resources into hacking capabilities.
Team 2 argued that if governments authorize hack backs, they should clearly and transparently define the parameters, legal basis, and ways of execution of “hack backs”, and implement very strict safeguards.
- Team 2 agreed that hack backs can pose systemic risks and might have undesirable consequences for technical, human, and international security.
- Therefore, IT security should always be prioritized over other national security interests.
- Governments should only authorize measures on the preventive end of the scale, such as passive reconnaissance/intelligence gathering in foreign networks, DDoS attack mitigation, botnet takedowns and containment with assistance from national ISPs and in coordination with other nations.
- More aggressive hack back practices, such as penetration of foreign systems to alter data, might make sense from a national security perspective, but will negatively affect international security and cause unforeseeable collateral damage.
- Law enforcement agencies will need to comply with strict legal safeguards for hacking, whereas actions by intelligence agencies are much harder to control and oversee.
- Any discussion of law enforcement or intelligence agencies’ use of offensive cyber measures needs to be realistic - governments around the world are already conducting or preparing to conduct ‘hack backs’/offensive ‘counterstrikes’/‘active defense’ measures in cyberspace. Hence, the question is not whether, but how and under which safeguards ‘hack backs’ should take place.
Please describe any Participant suggestions regarding the way forward/ potential next steps /key takeaways (3 paragraphs):
Key takeaway 1: The topic of the debate, (governmental) “hack backs”, requires further and more detailed discussion. The debate raised a number of key issues, which each merit more nuanced debate from legal, technical, ethical, and political perspectives. This IGF 2017 debate contributed to kicking off discussions about the issue in a multistakeholder setting.
Key takeaway 2: The interactive Oxford-style debating format was well-suited for the discussion, according to feedback from panellists and participants from the audience. The debate made it possible for anyone to raise their own arguments after the first half of the session (starting around 17:20) and made the discussion livelier than a “conventional” panel format would have. Discussions at the IGF would benefit greatly from a growing use of this and other interactive discussion formats.
Way forward and potential next steps: As a way forward, participants suggested to provide a summary of the debate in form of a short paper that can inform future internet governance and cyber security discussions. Participants also suggested continuing the debate at the IGF 2018 and in other fora. Moreover, future debates should include participants from the law enforcement community or other relevant government agencies. The organizers had requested multiple former and current law enforcement officials as speakers and/or participants of the debate. Requested speakers took great interest in the issue, but were each unable to actively participate in the debate for institutional reasons.
Gender Reporting
Estimate the overall number of the participants present at the session:
60 persons
Estimate the overall number of women present at the session:
25 women
To what extent did the session discuss gender equality and/or women’s empowerment?
The session did not discuss gender equality or women’s empowerment.
If the session addressed issues related to gender equality and/or women’s empowerment, please provide a brief summary of the discussion: /