The government hacks back – chaos or security? A debate

20 Dec 2017 16:45h - 18:15h

Event report

[Read more session reports and live updates from the 12th Internet Governance Forum]

This session, moderated by Ms Isabel Skierka, Researcher, Digital Society Institute, Berlin, featured discussions regarding the new challenges brought by the growing number of governments considering or already taking steps to authorise ‘hack backs’ by their law enforcement agencies and military forces. As highlighted by Skierka, the core question of this workshop was whether or not law enforcement agencies should have the authority to hack back against computer systems that pose a severe threat to individual and public safety, no matter where they are located, in order to protect their citizens’ and others’ security.

The first segment of the session took the form of a debate, departing from traditional panel discussions. Two teams of two speakers had to each present statements favouring either very strict or loose safeguards in the authorisation process for conducting hack backs.

The first question that was addressed by the two teams of speakers was the following: Will an expanded practice of government hack backs result in more, or less, collective security?

Mr Sven Herpig, Project Director, Transatlantic Cyber Forum, Germany, and Ms Tatiana Tropina, Senior Researcher, Max Planck Institute for Foreign and International Criminal Law, argued that there needs to be a better understanding of the plurality of practices behind the expression ‘hack backs’. Some are very problematic, such as the penetration of foreign systems to delete content or disrupt systems, while others are not (e.g. prevention mechanisms such as firewalls). Tropina then insisted that our understanding of what collective security is, especially at the international level, is unclear. Furthermore, the negative impact of hack backs depends on the domains under study. For instance, when used for intelligence purposes, offensive capabilities can have a positive influence on collective security in certain cases.

The team composed of Mr Maarten Van Horenbeeck, Vice President of Security Engineering, Fastly, and Mr Leandro Ucciferri, Lawyer, ADC Digital, responded by arguing that when governments hack, public trust is undermined. Hacking also interferes with several human rights, and contradicts the principle of due process. By supporting government hacking, a huge market for vulnerabilities is also created, with obvious negative consequences for the security of all. Van Horenbeeck insisted that government hacking can lead to destabilisation of the internet as a whole, and affect the way states work together.

The second question addressed by the speakers was the following: Should governments refrain from expanding hack back authorisations and adopt alternative measures, and if so, which ones?

Herpig argued that a realistic approach to the problem has to be taken. Nevertheless, there need to be safeguards for controlling the circumstances for hacking, as is already the case in certain situations in Germany. Tropina also insisted that as long as other countries have offensive capabilities, states need to respond and gather the same tools.

For Ucciferri, it is very difficult to impose any safeguards on law enforcement practices in most countries in the world, and it is difficult to imagine how to restrain authorities from using such techniques, especially since attribution is almost impossible. Van Horenbeeck argued that espionage malware can be used in very different scenarios and cannot guarantee proportionality.

In a second segment of the session, the debate was then thrown open to all workshop participants, and led to a lively discussion between different stakeholders. It was pointed out by Ucciferri that there needs to be more advocacy for transparency on hacking capabilities.

It was also restated that attribution is very difficult with respect to hacking, and that attributions by states are generally politically motivated. Finally, the safeguards with regard to government hacking developed by Privacy International were mentioned as useful tools to ensure that governments’ activities respect international human rights law.

By Clément Perarnaud