Hacking-Back by Private Companies and the Rule of Law
States exercise sovereign authority over the cyber infrastructure located on their territory, but many of them have only limited sovereign authority over the other, non-physical layers of cyber space. They do not control the use of the cyber infrastructure located on their territory or in any other area under their exclusive control. This is true of technologically less developed States, but also of technologically developed States, whose political and legal culture currently precludes the level of surveillance that comprehensive monitoring of cyber communications would require. So, despite the will to exert sovereign authority over cyber space, most States are not currently able to fully prevent, react to, or even detect cyber attacks on, or emanating from, the cyber infrastructure within their territorial borders. In particular, States are generally slow in deterring and prosecuting cyber attackers who target private companies. In light of the ineffective action of many States in ensuring the cyber security of the private sector, private companies, whether multinational information corporations or hired private cyber security companies, have responded to harmful cyber operations themselves. Cyber defence activities may remain within the defender's own network. Alternatively, they may intrude into the network of the cyber attacker, in which case they are known as “hack-back” activities. International law does not recognise a right of private entities to hack back, nor, in principle, does it prohibit it. Hacking-back by private companies is, however, currently contrary to national legal systems and as such contrary to the content of the rule of law at the municipal level. States may be tempted to authorise the private sector to hack back with the aim of improving its cyber security. Hack-back measures not overseen by States would, however, contradict the formal attributes of the rule of law: generality, predictability, clarity and constancy. 
More fundamentally, they would threaten the philosophical and theoretical characteristics of the rule of law. Indeed, the rule of law can be understood as resting on a contract between the State and its subjects, under which the State rules over its subjects in exchange for ensuring their security. This paper therefore argues that private entities should not be authorised to respond to harmful cyber operations on their own. It contends that only a minority of licensed companies should be allowed to hack back, under the supervision of States. Such limited and State-supervised private active cyber defence would be respectful of the rule of law.