IGF 2017 - Day 3 - Room XXV - WS192 The Government Hacks Back - Chaos or Security? A Debate

 

The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> MODERATOR: Okay, welcome everyone. Thank you very much for joining our debate. The government hacks back, chaos or security.

And let me first say this is a debating format, so it is a bit different from the panel discussion, and that's intentional, because we like to involve all of you in a debate. We like you to actually also actively debate after the first half of the session.

And so in the first half we have the four excellent speakers here on the panel in two different teams debating with each other, before we'll open up the audience and you can join whichever team you like or open a new team just by yourself. More on that later.

The topic we will discuss today is government hack-backs and implications for security.

And the core question of the workshop is: should law enforcement agencies have the authority to hack back computer systems that pose a severe threat to individual and public safety, no matter where the systems are located, in order to protect citizens' and others' security?

As you can imagine, this is a contested issue and currently being discussed in many countries and some countries have already adopted clauses like active defense or others in the cybersecurity strategy. So this is a topic that will be debated even more in the future.

And we will also discuss what exactly "hack back" means later in the session. Our speakers will also talk about this a little more.

So such scenarios, as I said, are already being thought about or even implemented, and the steps have also been met with resistance or fierce debate from many factors in society, industry and users.

We'll debate all these different issues here. The motion we will discuss in this debate: this house believes governments should have the authority, under certain circumstances, to hack back devices which serve as attack tools and pose threats in the system.

The motion is debated by two teams of speakers.  The team on my left, and team on my right.

Sven Herpig is the project leader for international cybersecurity at a think tank in Berlin, Germany. He has worked in various government departments. Tatiana Tropina is a lawyer and expert on cybercrime and cyber law in general, and a senior researcher at the Institute for Foreign and International Criminal Law in Germany.

On my right we have Leandro, a lawyer and researcher with a focus on human rights, privacy and freedom of expression at ADC, an independent non-profit based in Argentina. On the very right we have Maarten van Horenbeeck, director of security engineering and also a board member and former chairman of the Forum of Incident Response and Security Teams, FIRST.

Now, a brief word on the agenda. I will pose two rounds of questions to the debaters and each has three or four minutes to answer the question.

After the two rounds, speakers have about 10 minutes to respond to each other.

Then after the first half we open up the debate and you will be able to pose questions to the speakers, which they have to answer, and then for the last 10 minutes of the debate you will become debaters yourselves and make interventions with a time limit of around two minutes.

That's it from me. I am very much looking forward to this debate. I am Isabel Skierka and I work for the institute in Berlin; I forgot to introduce myself, sorry.

We start off with the first question to Sven. Will an expanded practice of government hack backs result in more or less collective security? 

>> SVEN HERPIG:  Good afternoon. To answer the question and make general informed decisions about policies, we first have to look at what hack backs actually mean. It is a big struggle, as many actors currently debating hack backs face: what is supposed to be a hack back?

Doing the academic thing, talking about definitions, always the most exciting topic, but I would like to give you a quick run-through of what different stakeholders and governments assume under hack back. Based on that I think we can discuss it more clearly.

When I say "discuss" under hack back, I mean the civilian domain only, first.

Giving you some idea I put them in three categories from not too problematic to awful.

And category one, not too problematic. Prevention mechanisms like firewalls, antivirus, cyber hygiene, passive intelligence gathering, all considered by some governments as the first level of hack backs.

And service providers reflecting, rerouting or blocking attacks, or in connection with sinkholing.

Together with that nationally or internationally coordinated takedowns by law enforcements and ISPs.

And last in the category, setting up traps like honeypots or inserting (?) into documents that show the location when stolen. When they leave the network, the location of where they are now is reported back to the original creator. That's the category I describe as category one, not too problematic. The second category I call, quote/unquote, "gray area": assistance of national Internet service providers in conducting a more walled-garden approach. Identify certain citizens, for example, and don't allow them to go to the web page; they say your computer is infected, if you clean your computer we can let you back onto the Internet.

The second part is passive reconnaissance of the networks, to improve: first you look at what you want to hack back, and the practices we have from intelligence agencies.

And inserting into documents something creating a monitor: once the documents are stolen and they are opened, it triggers on the device where it was copied to. That's what is called the gray area.

And the category which is highly problematic, not feasible and maybe you even consider awful consists of four parts. Penetration of systems to conduct reconnaissance; penetration to delete stolen content, or steal it back, quote/unquote; penetration of foreign systems to shut down the systems, disrupt them temporarily; and lastly penetration of foreign systems to, quote/unquote, destroy them or disrupt them more permanently.

I think there is no catch-all approach or answer, but those in category one, the not too problematic hack back measures, are not so bad, are okay.

Category two I have problems with, but I think some are debatable. And if you take them into consideration you can actually improve national security without necessarily decreasing collective security simultaneously.

>> MODERATOR: Thank you. Now I give the floor to Maarten

>> MAARTEN VAN HORENBEECK:  Thank you for having me here. It is not so much the definition of what the hack back is, but why it is done. I start from there. When I look at collective security I look at it as a technical security community member. When we look at the Internet, how can some activities lead to destabilization or other issues that are of concern to us?

I argue the first problem with hack backs is you don't know who you are hacking. You may be hacking a machine but you don't know if it is running a critical service; you don't really know what country the machine is based in. It may be that it is actually connecting to the Internet through a VPN, attacking from a point in a different country. And you don't necessarily know who the user of the machine is. You may get the information from other means, but in some cases what is running on the machine you can't really determine until you have actually compromised the machine.

This is where it becomes a little difficult. When you compromise a machine, and this is admittedly the third category of the types of attacks just mentioned, when you compromise a machine you are changing the execution flow intended by the person who actually installed, configured and operates the machine. It is of concern, because even a stable exploit has a limited set of scenarios where it fails and destabilizes the machine that the user is using. If it is supporting a hospital, then you may actually end up causing harm to life.

This is concerning, because does this mean we are motivating attackers to compromise systems that are that sensitive, to then use them in their criminal acts? That's destabilizing if we go into the machines.

The second problem with hacking back: someone has to be doing the hacking, and that may be law enforcement.

The problem is that in some cases law enforcement is also a point of contact for security incidents. That typically is the case when they don't have a good response team or community that can work off incidents, but those cases today definitely exist. And it means that, as for instance a software vendor, you would be less likely to provide information on compromised machines or machines involved in an incident to that particular organization.

Because let's say in a particular country the law enforcement authority or authority that is authorized to do the hack backs is responsible for reaching out to individuals when they had an incident, most likely criminal, potentially not.

If that organization receives data on vulnerable systems in the country, then the software vendor has in a way provided a tool to the agency to compromise those machines. That is concerning and can make it difficult to respond to incidents with some of the countries.

Next, hacking back has the potential of destabilizing the way that states work with each other on the Internet, and I will use a silly example, but there are certain software applications that are only used in particular countries or by particular large groups. Word processors: there is one called (?) popular in Japan and another called (?) uniquely used in Korea.

Let's say a law enforcement agency wants to compromise a system and identifies that this word processor is how to do it. And it has attack code that takes over the word processor, and it leaks. Does it mean that one state ends up attacking another state? Or is it still a simple law enforcement operation?

That is just one example of how actually investing in exploits and investing in offensive goals to do some of these hack backs can really have destabilizing consequences. 

Another one we have seen quite recently, in the sense that it used code used by intelligence agencies, which leaked and was used to attack others.

And I will leave it with that. From that perspective, I have trouble endorsing hacking back as something that increases collective security.

>> MODERATOR: Thanks a lot, Maarten. Tatiana.

>> TATIANA TROPINA:  I have to admit I have a problem with the question itself. Talking about collective security, there are so many different notions of cybersecurity, I am a bit lost in the notion of "collective" and I believe that the answer would be different. Are we talking about security on the Internet level? Meaning how states are working with each other? Or are we talking about security on the national level?

And I believe that if we are talking about crime and investigation, crime prevention, crime disruption, mitigation of threats, the military defense on the national level, well, we can all disagree here whether hack backs are helpful, but look at cybersecurity strategies. Many countries openly declare they are using offensive capabilities as an integral part of their cybersecurity strategies. It means there is an opinion that they are helpful. Not only defense will help, but offensive capabilities.

So my answer here would be it will depend on which domain you are looking at. If we are looking at law enforcement, they will probably do it with many safeguards and it is easy to regulate.

And I agree here with Sven, some hack backs which are regulated are very helpful. Talking about military or intelligence, apparently on the national level they do consider them helpful. And hack backs might be helpful for cyberattacks, and for gathering information for policy-makers to make informed decisions. So I believe there is no black or white here. It is gray. I tend to say on the national level they are helpful. On the Internet level, how they might influence states working together, well no, they are not helpful. They will probably result in less collective security on the international level.

Then the question is what is collective security on the international level in the age where the GGE couldn't even agree on the soft law of responsible state behavior. Are we really in a position to say that in the nearest future hack backs will be -- to me it is believing that a (?) or that we can implement safeguards.

Let's get real here. Are they helpful? Implemented on the national level, they are considered to be helpful.

>> MODERATOR: Thanks Tatiana.

>> LEANDRO:  I will start by complimenting Maarten here. I believe hacking by governments weakens security, and I agree with Tatiana there are a lot of differences in what it is in some states, and they do not agree on a common understanding of the same topic.

I do believe, of course, coming from civil society, it is the people who use the technology. I do think when governments hack, even pro-actively, or hack back after something occurred to them as they argue, I think people's trust is undermined. So that in itself, I say, weakens collective cybersecurity at the international level.

And also, it's kind of tricky when talking about boundaries online. I mean, we have discussed jurisdiction on the Internet for how long now? It's kind of difficult to give borders to how we use the technology on a day-by-day basis. And that translates as well to this debate, I think.

I also wanted to raise the point that by nature hacking interferes with a broad range of human rights. Not discussing just privacy, peaceful assembly and association, but taking into account due process and property as well. As Maarten mentioned, when a government hacks they are actively engaging with our property, people's property, and we need to take that into consideration as well.

I agree that exploits and malware can act unpredictably. So the range in which operations can go wrong when the government hacks is, of course, more dangerous, as a sort of collateral damage that may occur in their operations.

Other problems that arise in terms of giving hacking capabilities, or faculties in legal frameworks for government hacking, are that there's a huge black market of vulnerabilities. And it appears that it's not going to stop. It's not going to slow down. It's only getting bigger and bigger. And researchers are paid more to provide exploits than the software or security companies pay to fix them, per se. And one thing we need to take into consideration: there is this sort of race to hoard vulnerabilities and use exploits or specific malware, and usually the people who develop it do not have tight control on how that kind of software is going to be used. It can be a government but it can be a distributor, a hacking team, and they distribute the software to a bunch of countries who have no respect for human rights, to say the least.

So this takes us to another point related to cybersecurity as well. As zero days, malware and exploits become cheaper and cheaper, there is no reason to use other tools; we use other means to find the guilty people that committed a crime, or the person responsible for a murder or a petty crime or whatever the government is investigating. That is something we need to take into consideration and we are going to debate more in the next question; I don't want to jump ahead.

Also, the last two points that I wanted to raise: security is not equal for everyone. People that have fewer resources and have lower incomes, or that don't have access to specific technologies or specific consumer products, or even specific knowledge, are not as secure as people that have that specific knowledge.

Someone who has an iPhone today is probably more secure than someone with an Android from five or seven years ago, and we need to take that into consideration as well.

The last point I want to raise: there seems to be kind of a double standard in terms of the criminalization of information security researchers and how governments are advocating for the need for more capabilities to do hacking.

So there seems to be this unbalanced situation where independent researchers or cybersecurity firms are criminalized for finding vulnerabilities and fixing them, and the government is trying to make use of them for its own gains.

>> MODERATOR: Thanks so much for the first round of responses. I think what we can quickly recap is that, of course, we need to define what collective security means. We have the technical image of IT security, and human security, user security, the national security level and international cooperation, and how that is influenced here.

Your side pointed that out, and you also pointed out that hacking back is a catch-all phrase, looking at the levels of hacking back that can occur. Some are less and some more problematic, whereas many of them still fall into a legal gray area.

And so we need safeguards depending on which institution will conduct them. And if intelligence agencies or the military conduct them without many safeguards it will only lead to international instability.

In this we heard a lot of good arguments about how uncontrolled, but even safeguarded, hack backs can lead to destabilization of the Internet, because it is a complex system we are talking about here.

We have a conflict of responsibilities as well when it comes to vulnerability disclosure, as pointed out by Maarten. And hacking back can destabilize relations between states.

Also, there is a danger that it will fuel the vulnerability market, and we haven't really touched on, at an Internet level, the question of jurisdiction and borders, and how states react to hack backs or have any possibility to interpret them when their server is hacked and they cannot really attribute it.

The second question I would like to pose to you now, in the same order, is: should governments refrain from expanding hack back authorizations and adopt alternative measures? Which ones? Sven.

>> SVEN HERPIG:  We often say no, but you heard the positions, and they agree on the bottom line that hacking back is the category three I described.

No one here on the panel actually likes it, so I actually want to pursue what she just said: let's be real.

Why did I bring up the stuff with the definitions?

Not because I think it is so much fun, but I think it is a discussion we have in Germany: civil society advocating against hack backs is losing a lot of ground because everything is assumed under hack backs. And who can be against firewalls?

Putting that into the hack back discussion makes it difficult. If we want to be realistic, the first point is we have to come up with a definition, promote a joint definition of what hack backs are and what they are not.

And second of all, we have to prepare for the worst. If governments are pursuing that, now if we say no, we don't want them to expand on that, and they might still do it, we have to prepare for it and have to come up with safeguards: a framework and minimum standards for government hacking and a vulnerability management process, what this might look like, or does it look like what was just published.

No, I don't think they should be extended, and in some cases even decreased. If we look at Germany, for example, all of the category one stuff and half of the category two stuff I mentioned is already allowed by law. And now the talk is just about the last four or five steps towards it.

>> MODERATOR: Maarten.

>> MAARTEN VAN HORENBEECK:  I think we need to take a little step back and think about why we hack back. There are a few reasons we may do that.

The first one, deterrence, typically doesn't work, and even states with the best defensive capability are still being attacked.

And the second is to recover data stolen or stop the data from being spread. In most cases we are too late. The moment the data is through, it is out and may have been redistributed.

And the third is to stop the attack. I feel taking defensive action by hacking back is actually the wrong way to stop the attack, because we have good ways. We have a global community of response teams. We have response procedures. We have ways to stop attacks, but we need to invest in those ways and build up the capability. I think if we took the money that would typically go to hack back offensive operations and put it to work to make software more secure and to build the global community of incident responders, we would actually end up in a much more secure place than with capabilities that, when we build them, in the long run may destabilize things overall.

>> MODERATOR: Thank you, Tatiana.

>> TATIANA TROPINA:  I know they have answered this question, that we should refrain. But, and I am very sorry for this analogy, when we discovered nuclear power the first thing we did was the nuclear bomb, not the nuclear power station that supplies us with energy.

And this comes back to the point about secure systems and education and collaboration. The problem is that, realistically, when governments have these powers, or intelligence agencies or the military have them in their toolbox, the answer is that once you get hack backs from another state, what are you going to do as an alternative? Say, oh, you are such a bad state? No. You want to have the same tool in your toolbox. You want to hack back.

And the same with espionage and many other issues. I believe that, in a way, the horse is already out of the barn.

And what can we do realistically, because we cannot stop governments from doing this? And realistically, again, look at some of the cybersecurity strategies. I'm sorry, I will give some examples. Look at the U.K., and its cybersecurity defense relies on cyber capabilities and doing everything to develop them.

And the cyber capability is embedded in the cyber defense concept. And you see it in at least three different countries around the world. Better than developing them on the sly. It is much better if the government says openly: yes, I am going to do this.

And here the question comes, how can we provide safeguards and checks and balances? And I believe that in this regard law enforcement is much easier to regulate in terms of human rights and safeguards, because they are visible. Because law enforcement is the subject of criminal procedural law. For many things they have to get authorization. In many ways law enforcement is the easiest and most visible part of government to implement safeguards for, among the many forms of government.

As to the military, I have to say here honestly, in this age of development of offensive and defensive capabilities, from the military point of view you think about your adversary having this capability. But I believe we come to the process of responsible behavior. I think we have to abandon soft power, soft law norms. Apparently they fulfill functions but are not enough. Maybe we have to come to the idea that governments have to develop a hard-law solution.

Maybe a convention, maybe something else. But agree on the basic principles.

And I don't like this situation one bit, but unfortunately that's what I see. Thank you.

>> LEANDRO:  For the sake of the debate, there should be a prohibition on government hacking. I am not saying in any circumstances, but the presumption is that the government cannot engage in government hacking.

Just to expand on that, I'd say hacking can provide access to private information that may be far beyond the reach of a judicial or official investigation.

And another challenge that we have is, how can we limit court orders or warrants to say, okay, when you're using malware you don't know what you're going to find? Malware can act unpredictably. If you access a computer it is not going to be all tied up in silos. It is not: okay, I have the photos of the terrorists that bombed the London tube. You have his bank account, his everything, his whole life on the computer, on the cell phone.

So it's also a question of how we can address due process concerns and due process guarantees when the government has these capabilities.

The other thing I want to raise is that I don't think it's so easy to put safeguards on law enforcement. It may be in Europe, it may be in the U.S., where they have arguably stronger institutions than other nations in the world, but in the case of Latin America it is tricky talking about things not even involving cybercrime. Not to mention that law enforcement agencies and even government officials, or officials from ministries, more often than not lack basic knowledge of human rights and civil liberties, which is also concerning when dealing with these pervasive techniques.

Talking about the problem of attribution, again just detailing some other concerns: it's very difficult, as Maarten said, it's very difficult to understand what would be a proportionate approach to respond. And that is also what can lead to misunderstandings between states and different actors that are non-state actors.

And again, the collateral damage that may occur afterwards.

I don't think I have the solution, of course; if I did I would not be here. But I think we need to take an approach of understanding where the limitations are in each specific context, in each country.

As Sven said, I think we have a catch-all approach to this. And I think we need to take a nuanced approach in terms of what we understand, how we are going to frame government hacking in legislation.

I do like the approach taken in terms of characterizing what the focus of the operations is that the government wants to implement. To say they're trying to control a message, or control the message that is being sent; they are trying to cause damage; or they are trying to do surveillance and intelligence gathering.

If we have that characterization we can talk about specific provisions concerning the techniques and activities that the government may use. But if not, we can't have a catch-all solution.

>> MODERATOR: Okay, thank you very much. Now we've heard a lot more interesting points, and I would just like to take them up here and let you debate any open questions amongst yourselves quickly.

I think one issue we've heard here is that, you know, let's be real, let's be realistic about this. This is something we can't prevent anymore. Governments are already writing certain clauses into their cybersecurity strategies, which might even be better, because they declare it openly at least.

So we need to take the next step and develop minimum standards and also think of vulnerability disclosure and handling processes.

What would your side say to this? Would you say that you also believe, realistically, that we have to come to terms with this reality?

And then, for example, first of all that's the question: would you think that, or would you argue no, that's not the case? And what would bodies like (?) do about this?

>> MAARTEN VAN HORENBEECK:  Sure. I think the first thing to come to terms with is that reality is something we can change. In fact, we change reality every day.

One of the ways of doing this is by pointing out when specific actions have the potential to be destructive.

I heard earlier the comparison with police activity. And one thing that stands out: a lot of police activity can be doing investigations that the person doesn't know about. But in general, at least with the police, you know what the intent is.

In this case, let's say the police hacks a certain machine. First, it is never clear that it is the police. It is not like the police shows up with the car and you know they are on your system.

The way that most espionage malware is written for these types of investigations, it is actually written to be very useful in multiple scenarios. As in, it doesn't just restrict you to getting a particular file from a system; it's almost always developed in a way that gives significant amounts of ownership to the investigator to get access.

If someone finds it on their system they don't know if it is the police, a foreign state or a competitor. And that should make us think about whether or not it is the right way to go, because we don't have the same ability to say this was a police investigation. In fact, we don't really know what is happening on the system.

I think reality is something we can change, and we need to be aware of the challenges. And actually think: does it make sense? And I will acknowledge there is probably a limited number of cases where some type of activity is potentially acceptable. But I don't think we got to that point where it is socially acceptable.

>> LEANDRO:  And to add on to Maarten's points, perhaps if we're put between the sword and the wall, having to choose between pervasive mass surveillance and targeted government hacking, then in certain cases government hacking would cause the least damage. So those are the challenges we're facing.

Even when you, from civil society, have to argue the human rights perspective, it is also tough to consider how the government would actually use specific techniques, as Maarten said, that they can even control. So those are the things I want to raise.

>> TATIANA TROPINA:  I would like to reply first of all about law enforcement. I think there is a bit of misunderstanding here about the police.

The police normally, under the criminal law of any country, has two measures. Two sets of measures. One is the so-called open measures, like search. You have to arrive in the police car, have to have a search warrant and so on. The other set of measures is (?) measures. You intercept communication or go to someone's house without letting them know, you install surveillance devices and so on. For the police this is practice.

Secondly, not talking about hack backs, but infecting computers with malware. I am not talking about the new provision in German law which was adopted in Germany this year, because I am not sure I am in a capacity to really assess it yet.

But such provisions exist in France, for example, and Spain. And the police has to get a warrant for these, and the safeguards are higher than for normal interception. Compared to normal interception, you have to get approval from a higher type of prosecutor, the prosecutor's office. You have to present more evidence. So it's tighter safeguards; you cannot do this for any crime. So safeguards do not mean we restrict it here or there. It is a higher set of crimes, or you come into the court and maybe a commission of three judges considers this warrant, and so on and so forth. There are many ways to ensure this is the police and to limit the police power.

Without changing the situation, it makes me very sad as well, and I am sorry for this type of argument, when I hear we cannot even put safeguards on law enforcement in some countries. When I then hear the next argument, that we are able to change the situation with hack backs, it makes me sad. If we cannot do something obvious, law enforcement safeguards for simple situations, how do you change those more in the gray area, more dangerous in scale and so on? I see, you know, a contradiction here.

>> PANELIST: About your point, (?) How to be prepared. So we have something, right. And maybe just once more, one minute advertisement block, is that okay?  We have 40 experts working on that issue on government safeguards. Coming up with standards. And anything from German activates making the first meeting very interesting but we need groups advocating completely against it, and people that can work and prepare safeguards if something goes wrong.

And then extending on the comments you made.  I believe that if you believe in some countries of course it is difficult to put safeguards there, it also is difficult for hack backs in general. Maybe an example of how restrictive safeguards can be. From 2009 we have a legal battle and a German Trojan horse. After the Supreme Court revised it, the guidance is it can only be used on Windows computers, only (?), not capable of anything else. A nice safeguard: technically you can make it very safe from misuse.

>> MODERATOR: Thanks. Now I would like to open up the debate already, I saw some hands going up. I am taking notes.

Actually I decided you can also make really short interventions or pose questions right now. Let's keep it like that. First you respond and as time progresses I will sharpen the questions.

>> I am the organizer of the (?) IGF. I was wondering, what it assumes is that we speak openly about state hacking. If I were a state, I wouldn't tell the other states that I was hacking. So what would we do then?  How would you react? 

>> Yeah, actually look, there are two dimensions of this. There is a concept of hacking, right. And the actual act of hacking.

If I state that I am going to hack in my security strategy, I can state openly.  But when I actually hack, they don't have to know. When I hack, when and so on.

But I also believe that, you know, I am a strong believer when it goes openly, at least you know what to expect.  At least you know that states A, B, and C have a debate or are developing that ability and you know what to wait for from this state.  It's much better than, as you say, like, you know, we don't know what they are doing and yeah, we can't talk openly.  Sometimes I think we can.

The debate in Germany about defensive and offensive capabilities involves civil society and academia.

>> Of course the default should be transparency always. And it's something that seems obvious, but it's not usually the case in most countries.

When you're debating for safeguards, you are supposed to debate in Congress because you are passing them by law. If not, it's only the will of the executive, which is even worse.

And so I think what can the general public do?  Advocate for more transparency on how the state works. If you are going to advocate, going to approach Congress and try to engage in those processes. 

Yeah, well I think just using the multi-stakeholder approach like we have at the IGF, having different points of views, of course, is going to be even more relevant when we talk about how government will interfere with our lives.  That's the key starting point at the national levels.

>> And it comes down to transparency about things already conducted, not being discussed, already conducted. And it comes back to transparency, but also oversight. For example, parliamentary oversight is also another safeguard.

>> MODERATOR: You were next. Others please keep your hands up so I can note them down.

>> AUDIENCE: My name is Michael coming from Germany. (?) I'm missing arguments from both sides. That is, the fact that some of the hack backs only work due to the fact of core programming of operating systems on network layers, firstly.

Secondly, others are supported by -- work only if supported by the operating system manufacturer.

And I now have the question, we have the digitalization in front of us coming and more and more insurance companies are coming up and saying well, we will give you insurance against malware, against all of these things.

Now, exploits are not stopped because of hack backs, and insurance has to pay or not to pay?  But maybe the operating system manufacturer argument, I would like to hear something about this from you. Thank you.

>> PANELIST: Thank you. That's a really interesting question. One of the things it points out, we have a real inconsistency with how we deal with the digital society. On one hand investing all the effort and time to make the public more secure, incentivize people to fix all the issues. At the same time those are the ones we want to go and use to gain access to systems. And that, to me, is a real contradiction and challenge when you think of how we invest and how we actually build it.

And software reliability is a complicated question and a little outside of the scope of hack backs but raises a point. We as a community hold our software vendors liable for making sure we have secure software, and yet you now have organizations going out and actively looking for ways to bypass them. And the same organizations are the same organizations telling us, or part of the same organization being the government, telling us we all need to be more secure. That's one of the key reasons it is a troubling revolution and why it leads to a few of the contradictions as a society on what our priorities are.

>> PANELIST: Well from my perspective it is hard to disagree. But I think your point as to both sides of the argument, you know what I mean. Whether it's mentioned by us or by another team.

As a lawyer, because I am looking, you know, on the problem from this legal police level, how can we implement legal safeguards and with software companies, software liability, I don't have enough good legal arguments. I don't have enough answers to solve this problem.

And honestly, this is a case where I can say I don't know how to solve it.

>> MODERATOR: Okay now this man on the right.

>> Mr. (?) from netbox. If we criminalize hack backs, then criminals have the right to hack back.

And the discussion we had was that to stop attacks, we shouldn't need to hack back. But isn't that actually where we start looking for areas, and entire countries and continents, where does it end?  Surely a targeted approach which doesn't use positions of power like hidden exploits, more targeted approaches, can be a way to avoid building an Internet in pieces because we are shutting off countries because they are attacking.

>> PANELIST: Thank you for the question, it is a good one. Definitely something worth being concerned about.

When we look at the talks we have seen, the major attacks, I have not heard of a need to shut down or block a country in order to stop the attack. Usually there are more fine-grained means that can be used to block certain types of traffic while allowing machines and users to access Internet resources.

I think what is important when we think we are building a better system to react to attacks is to be there early.  We need to find ways to find when the load of affected machines in a particular country or region becomes so large the attacks become exceedingly large. This is something we are seeing for instance with distributed attacks and we need to have enough to make sure we know when something may go to that level.

>> And the success of the (?) Ones before, coming up in case of serious attacks as the state from which the country originates is responsible for taking care of it you may for some time, and debating before what it is like, sponsored by the state that is actually supporting it, in that ways the state might not be because the interest is not cut off from the Internet. And you go and tell my guys it is originating from your place, maybe you want to take care of that.

But in the end, I support Maarten before but it is just on top of that.

>> I am sorry for making the analogy to the real world again, but we shouldn't think that digital, in terms of how criminal law and criminalization works, is really that much different in legal terms.

I totally support the argument that the criminalization of hacks may raise tension between the states and, like, push it completely to the gray, illegal criminal area.

But I would like to make one example which you will probably all know. In most of the states, espionage is criminalized, but you can spy, you know, until you are caught. So I mean it is a commonly and accepted concept that espionage exists. But most of the time when the spies are caught they are sent back to their country or exchanged, whatever, because this is a crime that goes to a political level.

So I don't see a problem saying hack backs are criminal, no problem.  But first how we cage them and what are we going to do in the case of state-supported crimes, and then it goes to the GGE, and my first point which I made during my first intervention, that we do have to think about a proper way to address this on the Internet level in terms of how far a state can go, what is the right to self-defense, how the state can respond and so on and so forth. Because small hack backs might be like petty espionage or petty crime, but when the threshold is crossed it is a big issue.

>> MODERATOR: Okay thank you. Before continuing with the on-site participants I would like to know is there any question from the Internet? 

>> Not at all.

>> MODERATOR: Not at all?  Oh, my God, okay. Maybe there will be some that come. The gentleman opposite me.

>> Thank you, I am from the University of Geneva. I am a bit concerned if the analogy does not hold completely with espionage, it is a different dimension. Imagine country A attacking country B, or one attacker in country A, but makes it look like it is coming from country C. Then country B is attacking C, and C is taking it as an act of war.

This is a very dangerous situation. If we need to introduce safeguards, bring it to a more international level, have some coordination there and not having 200 countries attacking back the infrastructure, that's horrible.

And even when you look at safeguards for law enforcement, we should also look into safeguards against abuse by intelligence agencies. This is very important and unfortunately in the last years we have seen the opposite.  We have seen less and less safeguards, more and more funds getting into there. It is not espionage in that sense, it is broad surveillance and broad hacking and that's really troubling me.

>> PANELIST: I think you got my analogy a bit wrong. Talking criminal law, if espionage doesn't work this will not work at all, exactly for what you are talking about. It's a different dimension. It's much, you know, harder to investigate and so on. 

But the analogy is how criminal law works. And it is about the criminalization of hack back. It is more of the same. The norm exists but rarely applies, so I think we're on the same page here.

And about implementing safeguards for intelligence agencies I would be very much for this. Like really parliamentary oversight, and some have them for enabling intelligence agencies to accept in Europe and I think it would be good for hack backs.

>> MODERATOR: Also, does anyone from the audience want to react directly to this point?  No, okay.  We continue with the gentleman in the back with the blue suit.

>> AUDIENCE: I am (?) from Ukraine. And thanks for the conversation, it is really interesting. Just a few remarks. 

You mention about the proliferation of this maybe as I say about cyber malware. And it is similar to the nuclear weapons. But it is more harmful because you can't control, you don't need some special equipment, don't need some special I don't know, some other materials. And you just need only computer, that's all. But a good computer, yes. It's expensive, but it's not unrealistic to buy. 

And I want to find out about, you mentioned some civil controls. But how could it be possible to have controls in such autocratic countries like Korea or Russia or others, I don't know. But it is impossible, because the government of that country, they try to suspend and it is not possible. And some countries to the taking control for the act. And could be a forced hack back attack as mentioned by the previous speaker, for example A, B, C, would talk some other country. The people of that nation could be harmed because the attack would be directed to the medical infrastructure, some civil other, critical energy and so on.

So I just want there is such other controls of the possibilities of control as mentioned the challenge. There is no legal bindings, no international, it is only now discussing the possibility of creating the digital Geneva Convention. The forced hack back. Thank you.

>> I am sorry if it looks like I am hijacking this question. And for those safeguards, I believe that if a country will capture my citizen and hang him or her, I should not use that principle and hang that.  If my country is a target for surveillance, let's say, from North Korea as my adversary, I still can hack them back, but be transparent on my side. I still can be an accountable government and implement this for my own sake. Still hack, you know what I mean, but on my side I can ensure that I will hack responsibly.

But I totally agree with you that many analogies will break in terms of control. Because you don't have to get access to restricted materials to create warfare. Apparently you need resources, need to own the resources, but they are hard to trace.  They can be on the government side, the company side if the company has enough power. Technically I am still speaking in my head around these.  But you cannot trace this because you don't have restricted materials, don't have something you can register and trace. So in this case it's, to me, looks like enforceable.

I don't think the possibility for someone to use these tools against me, I can't to have this capacity but it doesn't mean I should do it irresponsibly considering my system, my politics, my citizens, my safeguards.

>> PANELIST: Addressing the question of the gentleman in the back. The North Korea, China card is kind of tricky in these debates, obviously, as we would be raising the Saudi Arabia card when talking about human rights.

I'd be concerned about escalation, so I am not sure the approach that should be completely feasible in a lot of context, because of how again, how Maarten and I mentioned escalation can be as quickly as the declaration of war between states. 

So to put an example, the U.S., I believe it was yesterday, apparently attributed the proliferation of ransomware to North Korea, and I want to step back and learn how the cry actually started because of an exploit in a protocol in a Microsoft software release. Hackers got into the infrastructure and got into the vulnerability I mentioned. I am worried about escalation. How long until it gets nuclear?  It is not (?) having Trump in office, so just raising that concern.

>> PANELIST: I really like Tatiana's focus on transparency and I think it addresses a lot of issues. 

For me on the technical level you don't have transparency because you have no real way of measuring that or keeping track of it. When malware is found in another country people don't know where it has come from. And even looking at countries attributing, they are making attribution based on technical data.  They release some of the technical data, usually there are ways to refute the technical data. They might be right, because they have additional data they will never disclose because they gained it with mechanisms only theirs. 

And I think it does some to address concerns, but little to address you hacking somebody who is another country and then there be interpretations.

>> MODERATOR: You and Sven and --

>> Thank you very much. I actually agree with this team right now. I always have a problem, you know, when I see any reports about attribution and persistent threats and so on, because I see kind of political attribution. And I see attribution on kind of this artificial level to me.

And I always have a question, so are these data so sensitive that you can only disclose a (?) or more political than technical? 

But on the other hand, if I am imagining myself technically or legally or politically on the level when I have to make a decision, right and when I know that I have APT, for example, or I have these guys talking me, or I really knew this hack back to get to know something important and knowing they are doing the same.

When it comes to this level of decision, and I know they have this tool, will the fact that this is not technically transparent to whatever stop me, I'm not sure, you know, if it's about my network.

And this is where, you know, hard for me. This is why I cannot argue against it because if I put myself for a second in these shoes, I, you know, my answer is question, I will hack back.

>> Just briefly, I think I mentioned before, but you look at the national perspective, what happens with a big attack, North Korea, or we talk about the OC level, confidence measures, and the (?) agreement now trying to exploit trading and talking tools without causing a problem for the security researcher community.

So on that level we have a lot that's going on right now. And at the same time hacking back in response to a hack is not the only thing you can do.  The entire spectrum of what you want to do short of war, economic sanctions, political sanctions, and other espionage and sabotage. A lot you can do without hacking back.

And coming back to the point where we mention even if we're hacked without the other state having safeguards. And if when she said that, we just saw that in the United States. Must be published the equities process. It is not qualified into law, maybe by now it is completely different than months ago when they published it, but they went public with how they treat their vulnerabilities and how to manage them and what the process is. That's one step towards the safeguards that they made problem and went ahead with it.

So I think even though I don't qualify myself as a dreamer, sometimes that might actually still happen.

>> MODERATOR: Okay thanks. Are there any interventions on this topic from the audience?  Did you see someone? 

>> No, I wanted to --

>> MODERATOR: You're not allowed yet, sorry.

>> I am Sertros and also on the Board of First. And we heard a lot now two positions.  It's going to happen anyway, we should probably live with it, and I think that's kind of giving in.

>> PANELIST: No, no, no --

>> PANELIST: No.

No.

>> AUDIENCE: Let me finish because I don't really want to go down that avenue. And the other one is we need a lot of transparency and things like that.

What I rarely ever hear is, assuming there is something like hacking back even in states where they don't usually do this, what would be conditions where we say maybe that's okay under those conditions?  In legal procedures the police cannot just go in and trash a house completely just because someone has parked his car wrongly. There is this principle that means should kind of justify the measures and stuff like that. What would that mean on a nation-state level?  I am just interested in what you say. And I am not sure there is a solution, but I am interested in your views.

>> MODERATOR: Okay thanks. I will also take your question and we can answer them together.

>> I might have lost track a bit, and maybe I am not the only one, but that's not a problem.

I am grateful that he started off with identifying clearly that hack back is a marketing term and then focusing and narrowing down on the different categories.

But the part where I've lost track is that we are talking about police, like civilian litigation, and warfare and everything all at the same time. And we are also talking about safeguards. And safeguards, if the escalation is that quick, all safeguards are lost anyway.

Bringing it back more to the civilian level, maybe a bit more operational, my question is, we're talking about police and the level of law and so on and so forth, but the police usually work on two different grounds. One is the envision ever a danger or imminent or active, or prosecution which usually has for time or safeguards because the danger is mitigated. And we used to call it a tech mitigation where it worked so far well in most cases.

And there is (?) more of a state-level topic and show of force. That has happened in both spheres.  For example, if you look at the press coverage around the most recent or last year's Avalong (?) takedown, not all measures were asked for short of the P.R. effect.

So the question is, how would these different levels of rule-making or law fit into the system?  Or to get more operational, talking about the (?) and talking about the systems, we can patch the systems, we know where they are. We can fix it, but we are not allowed to. And down to the operational level.

>> MODERATOR: A small intervention from my side we don't have so much time anymore, we have like 10 minutes. Speakers who answer now, please make your reply a minute long. Not too long and then I still have three questions here on my list.

>> I will try to keep it really short, I am really bad at that.

First when it comes to proportionality, I think it is the measure we use to determine whether hack back is appropriate or not.  The context of what can go wrong is missed because it is not as transparent as the system and something can go along with the system. A lot more can go wrong and the measure becomes very different.

Related to takedowns and vaccinating systems, the challenge there is that even operating systems vendors, when they release a patch, the patch may still break systems.  The challenge, we also don't really know what we are going to break.

Combining that with most are feasible without hack backing, although one might fit into your category, a little different from my original definition.  That is the main challenge with vaccinating machines and something that needs to be carefully considered.

>> Because I, to repeat myself, am not being defeatist, just being prepared, the gentleman in the back.

And the problem about -- infecting the bots, and that's where you don't interact with the system and just cut them from the Internet.  Maybe not better but less invasive.

>> PANELIST: Concerning the principles as a lawyer. And the tools of proper -- and the principle of legality, but we can't invent new principles on how we will assess these.  We probably have to combine all of them.  And even then I am not sure we can make them work effectively in 100% of the cases when someone has to react quickly.  That's all for me.

>> MODERATOR: Thanks. So now we have the gentleman over there, please.

>> AUDIENCE: Two things, one on the first. I am from Austria and I work for an ops security company.

I don't think it is possible to figure out where (?) is coming from. In the discussion it was considered you know where the hack back is coming from, but I think it is easily spoofed.

The other thing when it comes to consumer products, security issues are often fixed in time, though the fixes never come to the customer. This is kind of if you buy your iPhone, by a year later you don't get updates anymore, the same with android and something that needs to addressed I think this will become even bigger.

>> Lucy. I want to make a point because there is a lot of work done around that we can maybe draw on.  Because hacking for investigative purposes is often not based in law and without safeguards and oversight. And (?) International proposed safeguards around this to help assess this kind of government hacking specifically against international human rights law, as well as security implications of hacking.

This was borne out of the time that the society was fighting the powers act last year, the notion of thematic economic interference, theoretically allowed them to hack in London and it was a huge issue for us. I have copies of the safeguards if you would like one.  You would like one. Is it legal?  Will the security and integrity of systems be damage is the lack of hacking disproportional.

If you apply it to hacking, because of the nature of disproportionality, there are few situations where this kind of hacking would be aligned. Perhaps by using this narrow range of hacking as a starting point, something we can branch out.

>> MODERATOR: Thank you so much for that and we would all be interested, I think in the safeguards.

I will let you reply again one minute each and then continue with your question.

>> PANELIST: Yeah, just to address Lucy's point and the gentleman from First.

I'd say we need to step back a bit talking about the debates. Safeguards is taking the nuance approach, Lucy talked about hacking for surveillance or judicial investigation and different shading from intelligence agencies' work and activities. 

Talking about law enforcement, of course it is going to be easier to make them work more transparent.  They're supposed to work upfront to citizenry.

And with the public prosecutor in Argentina, a head of a cybercrime division, he was pretty confident, not just hacking petty crimes, but serious crimes, but on the offense. And audits how the activities were carried out. How the malware was introduced, into a device, or what kind of information was gathered through those activities. Those are the things they are considering in terms of how law enforcement sees government hacking.

In terms of intelligence, intelligence agencies, as Lucy said, I totally agree we should make a presumption on the prohibition on hacking on those activities.

>> The gentleman on the right, I want to give you a pointer.  The consumer protection association supported by the government is currently taking an electronics store in Germany to court for selling android phones as new, capabilities that cannot be hedged on that phone. I can keep you updated, it will be a very it court case.

>> I would like to address the question of law enforcement intelligence and safeguards.  I have been talking about this from the very beginning, that we have to separate these.  We have to know which domain this tool is used in.

And concerned in international safeguards, thank you for pointing us to these.  I would like to add something.

You know the safeguards would also depend on whether in the country such procedural measures, for example, interception required you to show authorization. In some countries they do not.

Where they do implement the safeguards the hack backs are much easier. As I said, some countries from the safeguards quite high. France we can always learn from them in a way.

>> MODERATOR: Maarten.

>> Thank you. To the gentleman on the right, I agree there's a real challenge with devices and their support life cycles and how long the consumer life cycle is for.

And an interesting concept coming up that tries to spell out responsibilities rather than the legal requirements of a particular organization. And tries to tie them together. I think it might be interesting to catch up to.

And related to international, too much time looking at the spectorization, and few time about the stakeholder discussion about what safeguards should be. And they typically come from government, why I applaud that it was put together.  I wish the stakeholders would reach across the hall earlier and put it together, rather than separate.

>> Hans from Germany. Not a question, more a remark. I like the discussion about setting limits or setting safeguards, but I want to remind you all hacking or hacking back or hacking forward needs a lot of preparation. Preparation means collection of tools, collection of vulnerabilities, collection of exploits, preparation and similar. And everything leaks. There's no possibility to hold this back.

No safeguards will ever help because we are humans. Everything can be stolen, everything could be sold. So there is a market for it.

So I am a little bit suspecting that safeguards won't limit everything. And there's something left to work with.

>> Thanks very much for that point. Anyone in the audience still have an intervention or question?  Yes.

>> AUDIENCE: Tosh, for German Government, Ministry of Interior. I don't have a remark, I won't do any remark. But I have a question.

And the question is, why do politicians do decisions on introducing these laws?  And I think we should dig deeper why are these laws coming up.

From me, from my perspective it is like our society has a self-image of a country, of what this country should do. As a self-image in the pre-Internet world was the country and the state is the only one who has the force to investigate everything, to look into everything, to prevent any harm to the society.

And the Internet is simply a game-changer which takes this into doubt. But the society didn't come along with this, and tries to ignore this game-changing.

And we have politicians, they have the pressure of the society that you have to be able to do something with this horrible thing and just say oh, my God, we need to react. And when they do this, sometimes a little bit helpless things, like we have to have a law and to allow them this, ignoring all the impacts because again the Internet is a game-changer, just to satisfy this pressure from part of society.

>> MODERATOR: Thank you for that remark. We are closing off the debate now, unless any of you has one really short question or intervention from the audience, the moment is now --

>> [Speaking away from mic]

>> MODERATOR: And then I will give each of you, if you want to, do you want to say something still?  No?  Okay?  Are you done.

>> PANELIST: I'm done.

>> MODERATOR: Does any one of you still want to say something?  Okay.

[Laughter]

>> MODERATOR: Well then it is my turn to thank all of you for this debate. It is the first debate about this, about government hack backs in this term here at IGF. And I am very grateful for your active participation here.  You have seen the debate was also phrased quite intentionally in broader terms and I am very happy we got to discuss a lot of different processes of this.

What we will do, we will summarize the report probably and put up a synthesis summary and discuss where, if you have any feedback to the debate or any other thoughts, please let us know. I will be here and all of you may be more a couple of more minutes. Otherwise you can find our twitter handles under the #IGF2017 and #hackback. That's how you can reach us, and we are looking forward to any other thoughts, thank you.

[Applause]

[The session ended at 18:10 p.m.]