As cyber threats continue to multiply, governments are considering the possibility of controversial cyber defense operations such as hackbacks, states a new action plan published on Tuesday 21 November and seen by Euractiv.
As governments struggle to contain growing threats in cyberspace, the action plan suggests that active cyber defense operations are the best solution.
Unlike passive measures, such as anti-malware software or firewalls, hackbacks are aggressive measures that include hacking, disabling or disrupting the attacker’s computing devices or networks.
Supported by the Transatlantic Cyber Forum Working Group on Active Cyber Defense and contributions from 23 cyber researchers and IT analysts, the action plan was drafted by cybersecurity policy expert Sven Herpig from think tank Stiftung Neue Verantwortung (SNV) based in Berlin.
“EU member states, such as Germany, have been debating this issue for years, while other countries, such as Romania, have announced that they will implement such measures if necessary,” Herpig told Euractiv.
In international comparison, cybersecurity measures are being taken by Australia, Japan, China and the United States, all of which have announced the introduction of active cyber defense in the past two years.
The EU is also considering hackbacks as a solution.
“Until today, many EU states have announced valid thresholds and response margins,” Dr. Lukasz Olejnik, an independent researcher and contributor to the action plan, told Euractiv.
In May, EU Council conclusions encouraged member states to “develop their capabilities to conduct cyber defense operations, including, where appropriate, proactive defensive measures to protect, detect, defend and deter cyber attacks”.
“Of particular note is France, which states in its strategy that when events reach the required level, cyber response is an option. But others too, notably kinetic. And that’s the important point: the answers should not be limited to cybersecurity,” Olejnik emphasized.
NATO began considering options for defensive cyber defense operations in July.
The central question
One of the main arguments against hackbacks is the potential risk of collateral damage and diplomatic escalation.
“The hack-back is a tricky beast. It may not be clear if and when it makes sense to strike back in the cyber domain,” Olejnik commented.
Assessing the discourse on hackbacks that has lasted for years, “in the public debate, they have rarely gone beyond ‘we need this; otherwise we will lose to the Chinese and Russians’ on the one hand and ‘if we do this we risk paralyzing the hospitals’ on the other,” Herpig told Euractiv.
Requiring Internet service providers to block or redirect malicious traffic to support command and control infrastructure used in malicious cyber campaigns to uninstall or neutralize malware on victims’ systems or deploy patches are all considered active cyber defense operations, the action plan clarified.
Unlike in offensive cyber operations, the objective is not, for example, to collect intelligence.
“When resorting to a response, States must balance a proportional response with the objectives sought. It is also paramount to assess the legality of responses when activities occur below the threshold of armed conflict,” Olejnik recommended.
The action plan states that respect for international law and effective communication with allies and strategic partners are two factors that play a crucial role in a robust framework for responsible hackback.
“We therefore decided to bring together a group of researchers and practitioners to design concrete and operational standards that would allow states that are planning or already implementing these measures to do so more responsibly,” Herpig told Euractiv.
“This should in no way reflect a position on the issue, but rather offer a way to do things better if states consider doing it anyway,” he added.
Another important aspect is developing, testing and applying capabilities to ensure that active cyber defense is accurate and works as intended against malicious cyber activities.
“In other words, does it make sense to answer? Would the targeted state care? The impact must also be considered in the case of a lawful response using retaliation or retaliation. Was the foreign activity carried out by a State? How serious was it?” Olejnik explained.
“The cyberattacks we experience often have no impact or perhaps reach the threshold of interference in internal affairs. But none reach the serious level of use of force,” he added.
The nine operational standards described in the action plan respond to the need for precision and aim to help governments develop their active cyber defense policies.
To ensure proportionality of measures, governments must have a technical understanding of the adversary’s IT deployment environment and limit their measures as much as possible to avoid targeting third-party supply chains and critical infrastructure.
“Governments should establish policy, legal and oversight frameworks for active cyber defense operations and emphasize impact assessment and transparency,” the action plan says.
(Edited by Luca Bertuzzi/Alice Taylor)