Hack-back debate: new action plan brings viable option
As cyber threats continue to multiply, governments are looking at the option of controversial cyber defence operations such as hack backs, a new action plan published on Tuesday (21 November) and seen by Euractiv states.
As governments struggle to rein in increasing cyberspace threats, the action plan suggests active cyber defence operations as the best solution.
Unlike passive measures, such as anti-malware software or firewalls, hack backs are aggressive measures that include hacking, disabling, or disrupting the computing devices or networks of the attacker.
Supported by the Transatlantic Cyber Forum working group on Active Cyber Defense and contributions from 23 cyber researchers and IT analysts, the action plan was written by cybersecurity policy expert Sven Herpig at the Berlin-based think tank Stiftung Neue Verantwortung (SNV).
“EU Member States such as Germany have been debating this issue for years, while other countries such as Romania announced that they implement such measures if needed,” Herpig told Euractiv.
In international comparison, measures to practice counter-cyber operations are being pursued by Australia, Japan, China and the US, which all announced the introduction of active cyber defence in the past two years.
The EU is also considering hackbacks as a solution.
“Until today, many EU States announced the thresholds and room for valid responses,” contributor to the action plan Dr. Lukasz Olejnik, an independent researcher, told Euractiv.
In May, the EU Council Conclusions encouraged the member states to “develop their capabilities to conduct cyber defence operations, including when appropriate proactive defensive measures to protect, detect, defend and deter against cyberattack.”
“Of particular note is France, which states in its strategy that for events reaching the right levels, cyber response is an option. But so are other ones, including kinetic. And that is the point, responses need not be limited to cyber,” Olejnik emphasised.
NATO started to eye the options of defensive cyber defence operations in July.
The core issue
One of the biggest arguments against hackbacks is the potential risk of collateral damage and diplomatic escalation.
“Hack-back is a tricky beast. It may not be clear if or when it makes sense to retaliate in the cyber domain,” commented Olejnik.
Assessing the discourse on hack backs, which has been going on for years, Herpig told Euractiv that “in the public debate they rarely went beyond ‘we need this; otherwise, we lose to the Chinese and Russians’ on one side and ‘if we do this, we may cripple hospitals’ on the other side.”
Mandating Internet Service Providers to block or re-route malicious traffic, or taking over command-and-control infrastructure used in malicious cyber campaigns to uninstall or neutralise malware on victims’ systems or deploy patches, are all considered active cyber defence operations, the action plan clarified.
Unlike offensive cyber operations, the objective is not, for example, to collect intelligence.
“When resorting to any response, States should find a balance between proportional response and the sought aims of it. It is also paramount to assess the legality of responses when activities happen below the threshold of armed conflict,” Olejnik recommended.
Hack back principles
The action plan stated that adherence to international law and effective communication with allies and strategic partners both play a crucial role in a robust framework for responsible hack backs.
“We therefore set out to convene a group of researchers and practitioners to design concrete, operational norms that would enable states that plan to or are already implementing these measures to do so more responsibly,” Herpig told Euractiv.
“By no means should this reflect a stand on the issue but offer a way to do it better if states plan to do it anyway,” he added.
Another important aspect is developing, testing, and applying capabilities to ensure that active cyber defence is precise and works as intended against malicious cyber activity.
“In other words, does it make sense to respond? Would the targeted State even care? The impact must also be considered for a lawful response using reprisals or retorsions. Was the foreign activity made by a State? What was its severity?” Olejnik explained.
“The cyberattacks we often experience have no impacts or perhaps meet the threshold of interference in internal affairs. But none reach the serious levels of use of force,” he added.
The nine operational norms outlined in the action plan address the need for precision and aim to help governments develop their active cyber defence policies.
To guarantee proportionality of measures, governments need to have a technical understanding of the adversary’s cyber deployment environment and limit their measures as much as possible to avoid targeting third parties’ supply chains and critical infrastructures.
“Governments should set up political, legal, and oversight frameworks for active cyber defence operations and emphasise impact assessment and transparency,” the action plan stated.