Hackback Plans – Cyber Security through an active Cyber Defence?

Cyber attacks on civilian and military infrastructures represent one of the major new security policy challenges. The danger of so-called “cyber wars” is growing at a national and international level. The German security authorities are recording significantly more cyber attacks than a year ago. In addition, the attacks have reached a new dimension: while offenders in the past often aimed to extort money, sabotage attacks nowadays aim, for example, to switch off or manipulate the power and water supply or disrupt communication.

The legal framework of German IT security

In the past few years, the German and European legislators have developed high IT security standards. They created the Cyber Security Act at the beginning of 2019, which calls on product manufacturers across the European Union to take measures to secure their systems against attacks, and adopted the European Directive on security of network and information systems (NIS Directive) in June 2016, which prescribes measures to ensure a high common security level of network and information systems in the European Union.

The IT Security Act 1.0, which mainly implements the NIS Directive into national law and which came into force in 2015, has already created a uniform legal framework for cooperation between the state and companies in the area of cyber defence in sectors of critical infrastructures. The IT Security Act 1.0 will be enhanced by the IT Security Act 2.0, which shall enter into force by the end of 2019.

Current discussion on cyber defence

Currently, there is a heated discussion in Germany, mainly between academics and politicians, on whether Germany needs an active defence against cyber attacks. While the German Federal Ministry of the Interior demands that the German state authorities be equipped with powers that enable them to conduct counter offensives in case of cyber attacks on German IT systems, other experts completely reject the idea of a so-called “hack-back”.

What is an active cyber defence?

An active cyber defence is an active countermeasure below the threshold of armed conflict designed to ward off or resolve a cyber attack. It means that state authorities are equipped with powers that enable them to attack hostile IT systems and to penetrate opposing networks in order to stop cyber attacks. Authorities could then, for example, attack hostile servers in order to delete data or, in case of extreme danger, even be authorised to destroy a hostile server completely.

Cyber defence in Germany

Currently, German authorities can only conduct defensive measures to protect against cyber attacks and increase cyber security. The allocation of responsibilities between the state and the federal states stands in the way of a so-called “hack back” in Germany: in principle, the federal states, and not the state, are responsible for the prevention of hazards. Transferring these powers to the state would require an amendment of the German constitution, and this is difficult to achieve.

The draft bill of the IT Security Act 2.0, which was presented by the German Federal Ministry of the Interior on March 27, 2019, already provides for an extension of the powers of the German security authorities – but only to a limited extent. The draft, for example, provides for the German Federal Office for Information Security (BSI) to be empowered to penetrate third-party IT systems in order to install patches or remove malware. Comprehensive offensive powers shall however not be allocated to the authorities, according to the draft. Nevertheless, even now, experts hotly debate the changes provided for by the IT Security Act 2.0.

Why we need an active cyber defence…

Proponents argue that, although the creation of a uniform legal framework is certainly appropriate and necessary in order to raise the IT security standard, more is required than just preventive measures and the imminent imposition of fines in cases of violations.

They base their view mainly on the increasing risk of cyber attacks. In fact, nowadays, cyber crimes threaten German IT systems substantially more than only a few years ago. The number of cyber attacks has increased rapidly over the past two years, and it will probably continue to rise. The consequences are devastating: In 2016 and 2017, German industry suffered losses of approximately 43 billion Euros from cyber attacks alone.[1]

The proponents of an active cyber defence further argue that nowadays, cyber attacks do not only threaten business enterprises, but also the German state, and on a massive scale. In fact, perpetrators often target state governmental agencies, such as the Federal Foreign Office and its missions abroad, the Federal Ministry of Finance and the Bundeswehr. In January and February 2019 alone, there were approximately 280,000 cyber attacks on Bundeswehr systems; around 4500 cyber attacks had to be fended off every day. On several occasions, attackers have already focused on German politicians.

Many proponents also argue that cyber criminals could be deterred from an attack against Germany if they were threatened by “hack backs”.

…and why we don’t

Opponents of an active cyber defence provide convincing arguments as well. They question the deterrent effect of so-called “hack backs”, arguing that a great challenge is that the identity of those executing cyber attacks often remains unclear. In fact, the question of who should be threatened with damage if no one can be identified often remains unanswered.

Moreover, those who reject the idea of an active cyber defence argue that there is a risk of counter-attacks turning out to be disproportionate, as there is no international consensus on what a proportional counter-reaction might look like. This could set in motion escalation spirals, they say. Further, opponents argue that the damaging effect of cyber (counter) attacks can hardly be controlled, as it is difficult to limit cyber capabilities to one target and to avoid collateral effects, for example in uninvolved third countries.

The discussion will continue

It is undisputed that the quantity and quality of cyber attacks continue to increase steadily. It is, however, highly debated whether Germany should actively counteract the threat of cyber attacks or whether defence is the better strategy to guarantee cyber security. Irrespective of whether one does or does not endorse the idea, the possibility of an active cyber defence is and will remain a complex legal and political issue.

[1] According to a survey which was conducted by the German IT association Bitkom in 2018; see https://www.bitkom.org/Presse/Presseinformation/Attacken-auf-deutsche-Industrie-verursachten-43-Milliarden-Euro-Schaden.html, accessed on 28 August 2019.