“Hacking Back” by States and the Uneasy Place of Necessity within the Rule of Law
Over the past few years, malicious cyber security incidents have become an ever more pressing issue due to a higher frequency of attacks targeting increasingly sensitive and high-stakes assets. In particular, critical infrastructures, such as the telecommunications or energy sector, seem ever more often to be the focus of advanced persistent threats or other malicious cyber operations. Large industrial facilities that serve as the central supplier for entire regions have become the targets of confirmed cyber-attacks in the past years. A successful malicious cyber operation on such infrastructures has potentially devastating effects, including on the safety of the affected state’s civilian population, as could be witnessed in 2015 when an attack crippled significant parts of the Ukrainian power grid. Virtually all experts agree that the problem of critical infrastructure protection against malicious cyber operations is only going to become more urgent in the near future.
Faced with such threats from cyberspace, policymakers across the globe have started viewing purely passive, defensive measures as too often insufficient. Instead, official cybersecurity strategies have gradually shifted towards what is commonly known as “active cyber defense”, understood as measures to stop or mitigate malicious cyber operations outside of the defender’s systems. As proposals aiming at implementing such capabilities proliferate among a growing number of states, it is thus high time to assess their potential ramifications for the global cybersecurity environment and the enforcement of international law in cyberspace. Specifically analyzing “hack backs” as the most frequently invoked variation of active cyber defenses, the present paper argues that such policies threaten to undermine the already fragile rule of law in cyberspace, and they do so in two distinct ways.
After explicating the notion of “hacking back” and the implementation of corresponding policies by states, the paper briefly sketches out the concept of the rule of law. Subsequently, it shows how the technical requirement to rely on vulnerabilities in the target system’s software or hardware in order to perform hack backs means that state security agencies have a strong incentive to refrain from disclosing found vulnerabilities. The paper shows how this practice, by design, weakens the rule of law in cyberspace.
The second, more crucial way in which hacking back policies undermine the rule of law is found on a more fundamental level. First, the paper explains how hack backs would be justifiable under international law in principle if it were not for the pervasive problem of timely attribution in cyberspace. Consequently, the subsequent section explores how recourse to a state of necessity seems to lend itself as a feasible way out of the attribution dilemma. The paper argues that while many experts consider necessity applicable to situations of a cyber emergency, the doctrine as found in customary international law presents a problem for the rule of law.
Tackling both challenges, the final section outlines possibilities to operationalize a conventional emergency regime for cyberspace that does not ignore the vulnerability disclosure problem.