Offensive cyber defense is defined here only for the business and civilian sector. States and international organizations have their own legal frameworks for operating offensively in cyberspace.
Dealing with cyber-attacks is becoming more complicated by the day. Numerous defensive tools have been developed in an attempt to secure organizations' networks, communications, and endpoint devices. Criminal organizations and professional hackers have nothing to lose: if they succeed, they make a lot of money, sometimes millions of dollars in a single ransomware attack, and if they fail, they simply move on to the next victim. To date, our law enforcement and justice systems have failed to bring the vast majority of these criminals to justice.
A passive, defensive approach to cybersecurity has limited success. It is impossible to defend the entire perimeter and every asset, so organizations try to prioritize and defend their critical assets. Even then, most defenses will fail when attacked by a highly skilled and determined criminal group.
As a result, a growing number of voices are promoting the need to adopt a more proactive defense, one that counter-strikes the cyber-attackers, also known as hack-back. The idea behind hack-back is to attack the hackers in order to cripple or disrupt their operations, to damage the hackers' systems in an attempt to deter future attacks, to delete or retrieve stolen data, and to collect information about the hackers for law enforcement authorities.
Offensive Cyber Defense
Offensive cyber defense may stop or preempt cyber-attacks before they impair the victim's systems or penetrate its cyber-defenses. Hack-back may also introduce uncertainty into the attackers' conduct, which will probably affect their behavior and may even reduce the risk of attacks.
To evaluate these offensive operations, we define two hack-back categories.
The first category represents minimal intervention in the attacker's systems. It involves some intrusion into the attacker's system, for example installing cyber beacons that may trace the attacker's location and even collect forensic evidence, or using a software agent that encrypts stolen data, making it unreadable to the attackers.
The second category represents access to the attacker's system in order to mitigate the attack by impacting the functionality and data of the attacker's system, even with intentional damage to the attacker's data or network.
The two hack-back categories are not straightforward to execute; they require significant capabilities that not every company has. On the other hand, large corporations possess sophisticated cyber capabilities, sometimes similar to, if not greater than, those of states. There should be no doubt that using hack-back capabilities against attackers may improve cybersecurity. However, hacking back faces some serious legal implications.
The Legal Aspect
The legality of private sector hack-back needs to be reviewed under both international and domestic law. The primary risk of hack-back is mistaken identity of the attackers, caused by incorrect attribution by the victim's hack-back team. Next, we must consider collateral damage to third-party entities, because cyber-attackers often hijack third-party computers to carry out attacks; these computers could become collateral damage of a hack-back. Furthermore, companies are occasionally attacked by state actors. Hack-back against a state actor may cause an escalation of cyber conflict and have dangerous implications for international relations.
When hack-back remains within the first category and refrains from penetrating the attacker's network, this type of hack-back may be considered legitimate and within the bounds of legality under both national and international law.
Hack-back of the second category should not be considered legitimate and is problematic from the standpoint of national and international law. However, there is a lack of clarity in some states.
Non-state actors may respond to cyberattacks with protective cyber defense of critical infrastructure such as energy, health, finance and the like. However, this should be done under domestic law. Private companies that have been attacked are able to conduct incident response measures that include gathering intelligence about the attackers, identifying the attackers' methods, and collecting forensic data that may be used by law enforcement agencies.
The Global Commission for the Stability of Cyberspace states (November 2019 report) that some “states do not control or may actively ignore these practices, despite the risk they impose upon the stability and security of cyberspace… however, in many states such practices [are]… unlawful, [or]… criminalized… few states are… considering legitimizing non-state actors’ offensive cyber operations.”
Under international law, only states and international organizations may exercise offensive activities. Non-state actors must rely on the state of their registration or operation. The Council of Europe's Budapest Convention requires states to criminalize access to a computer system without authorization, which makes hack-back of the second category a criminal offense. Furthermore, the Oxford Statement on International Law Protections in Cyberspace states that “States must take measures to protect the human rights of individuals within their jurisdiction from violation by information operations or activities carried out by other States and non-state actors.”
Some argue that the second hack-back category may be further broken into sub-categories, enabling some of them to be legalized. This would lead to a very slippery slope, as we would gradually allow unwanted hack-back operations under pressure from private corporations. From an ethical standpoint, there is a risk that private sector companies exercising second category hack-back, or parts of it, will start running their own justice system.
To conclude, recent cyber-attacks raise concerns that cyber risks are a reality. Attacks on critical infrastructure (sometimes privately owned) may dramatically affect the ability to maintain functional continuity of critical services. On the other hand, we should not let private sector pressure push us into an unwanted reality. We need to put some order into hack-back and develop a comprehensive international and national legal framework criminalizing second category hack-back.
Global Commission for the Stability of Cyberspace, A Call to Action on Advancing Cyber-stability: Final Report, November 2019.
Council of Europe, ETS No. 185, Convention on Cybercrime, Article 2, Illegal Access, July 1, 2004. http://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680081561
Oxford Statement on International Law Protections in Cyberspace: The Regulation of Information Operations and Activities, Clause No. 5, June 2021.