Jacky Lui, Frankfurt am Main1

Introduction

Imagine it is the lead-up to the 2016 US presidential elections. You go to work at a factory, not in the United States, but some 4,500 miles away. This is no ordinary factory – it is a ‘troll factory’ – based out of St. Petersburg, Russia. The Internet Research Agency was a phenomenon that took the world by surprise. It was a company engaged in cyber propaganda and influence operations for Russian business and political interests. Foreign interference in election processes has grown as a security issue for States and regional blocs.2 Cyber attacks take various forms; their unifying feature is that they originate in cyberspace. In some instances, cyber attacks have real-world effects. In 2019, the US Cyber Command conducted operations, beyond its borders, to disable the operations of the Internet Research Agency.3 This was to prevent interference with the 2018 US midterm elections.

Hackbacks and active cyber defense are emerging tools used against malicious cyber attacks. Active cyber defense extends to measures taken by states or private actors to actively defend their own networks, systems, and data from cyber threats. Hackbacks are a type of active cyber defense in which the defender 'hacks back' at an attacker. Both strategies may be controversial and, as will be seen in this article, perspectives vary as to how they may be legitimately employed.

The US considers China and Russia to be adversaries in cyberspace. The Department of Defense cites China's use of cyber espionage to steal information from the US, and Russia's use of cyber operations in Ukraine to disrupt command and control of Ukrainian forces.4 Earlier this year, the Department of Defense requested USD 13.5 billion for cyberspace activities in its FY 2024 budget request.5 Of this, USD 7.4 billion was marked for cyberspace operations, and USD 2.9 billion for the US Cyber Command.6 Across the Atlantic, Germany continues to focus on the Russian armed conflict in Ukraine.7 Since the Russian annexation of Crimea in 2014, German-Russian relations have remained tumultuous. The German Government has repeatedly condemned Russia's role in the cyber attacks on the German Bundestag and its attempts at influencing the political process. In 2023, Germany announced a National Security Strategy which committed 2% of its GDP over a "multi-year period" to achieving its integrated security goals and developing its defense capabilities.8

This article sketches an overview of hackbacks and active cyber defense from the perspective of international law and from views on both sides of the Atlantic. Throughout, it discusses the practicalities of active cyber defense and hackbacks, and it closes with an outlook.

Cyber attacks, Hackbacks and International Law

Hackbacks and Active Cyber Defense: What are They?

The term active cyber defense has been used by national security and defense communities for decades.9 However, there remains no uniformly agreed definition. Active cyber defense encompasses a set of actions aimed at proactively safeguarding computer networks, systems, and data from malicious cyber attacks.10 It differs from passive cyber defense, as its objective is to neutralize or mitigate the impact of an ongoing cyber attack.11 Active cyber defense may incorporate any or all elements of threat detection and monitoring, information gathering, honeypots and deception, active response, attribution and forensics, threat mitigation, active hunting and information sharing among organizations or government agencies.12 Hackbacks may be included within an active cyber defense strategy; a hackback is a cyber counterattack in which the initial attacker's IT systems become the target. It may result in the destruction of such systems.

International Law Perspective

The existing international legal framework has been applied to State engagement in active cyber defense and hackbacks. In particular, States must be cognizant of the prohibition on the use of force enshrined under Art. 2(4) of the United Nations Charter ("UN Charter"). The prohibition is delimited around two generally accepted exceptions, being the inherent right to self-defense as reiterated in Art. 51 of the UN Charter and collective enforcement actions pursuant to Chapter VII of the UN Charter.13

Around this prohibition, the decisive element is the notion of 'force', which is considered to comprise only armed or military force.14 In the cyber context, the question is whether a cyber operation amounts to a use of force. Usually such a question is answered negatively, as cyber operations originate and remain in virtual space. However, the academic and political literature covering the topic is vast,15 and an 'effects-based approach' has been applied to this question, under which the answer is determined by the consequences, or effects, of the conduct in question.16 In the cyber context, the Stuxnet malware attack on Iran is an often-cited example. There, approximately 1,000 centrifuges at the Natanz nuclear plant were damaged, which was considered a use of force.17 In that instance a threshold of significance – the scale and effect of the impact – was exceeded, and the operation was treated as the equivalent of the use of weapons causing injury, casualties, or significant damage to property.18

As to exceptions, States often debate whether an active cyber defense measure was exercised within their inherent right to self-defense, as reiterated in Art. 51 of the UN Charter.19 As its pre-condition, a valid exercise of self-defense requires an 'armed attack' on the State. 'Armed attack' and 'use of force' have long been regarded as not congruous. This was clarified in the Nicaragua decision, which considered that while every armed attack constituted a use of force, only "the most grave forms of the use of force" qualified as armed attacks.20 It followed that an armed attack would justify a State's reaction in using force.21 Without such an attack, there could be no justification for a State's retaliatory use of force. In the context of cyber attacks, these concepts are complicated when it comes to active cyber defense and hackbacks. As cyber attacks usually exist in virtual space, even the most disruptive cyber operations would not amount to an armed attack. A large-scale DDoS (distributed denial-of-service) attack, launched from a botnet of millions of compromised devices, that disrupts national critical infrastructure for a short period of time would not cross this threshold. Cyber operations causing human casualties, injuries to persons, or damage to or destruction of property may, on the other hand, qualify.22

Where self-defense is not available as a remedy, States may resort to justification under the law of countermeasures as expressed under Art. 22 and Chapter II of the ILC Articles on State Responsibility ("ILC Articles").23,24 Countermeasures are a customary remedy permitting otherwise unlawful conduct of a State in response to a violation of its rights by the targeted State.25 The aim is to induce that State into compliance with its international obligations.26 As its precondition, an injured State may only take countermeasures against a responsible State where there was a prior internationally wrongful act, following from the language of Art. 49(1) of the ILC Articles. This roughly resembles the approach of self-defense. However, unlike self-defense, countermeasures are not limited to responses to an 'armed attack' under Art. 51 of the UN Charter. The language of Art. 49(1) of the ILC Articles provides that countermeasures may be taken against any "internationally wrongful act".27 Literature in more traditional contexts refers to 'sanctions' or 'reactions' against prior internationally wrongful acts.28 Resort to countermeasures is delimited by a number of factors. Primarily, countermeasures must not impinge on a State's obligation to refrain from the threat or use of force, and must observe other obligations such as the protection of human rights, obligations of a humanitarian character prohibiting reprisals, and other peremptory norms of general international law.29 In the cyber context, increased malicious cyber attacks on critical infrastructure have seen States interested in invoking countermeasures as a justification for active cyber defense and hackback strategies.30 Over the years, the US Department of Defense has considered a strategy of "defending forward".31 In Germany, a constitutional basis for active cyber defense and hackbacks has been discussed by various state representatives.32

IT infrastructure has quickly developed into a complex, cross-border affair. Applying the existing international legal framework has introduced further layers of complexity. Both self-defense and countermeasures require attribution of the conduct to the State from which the attack originated. As IT infrastructure often spans borders, this task is difficult under the customary rules of attribution.33 In practice, States do not openly claim responsibility for an attack. Instead, victim States need to collate evidence to attribute the attack to a State. This complexity was demonstrated in the Russian intelligence agency's attack on the German Bundestag in 2015.34 Sophisticated actors are likely to complicate attribution through concealment techniques such as false flags and other deceptive techniques. Cyberspace is also occupied by hacktivist groups and cybercriminals, which are ordinarily non-state actors. False attribution risks heightening tensions between States.

Necessity as a defense under customary international law has also been considered in the cyber context. Necessity may preclude the wrongfulness of active cyber defense measures where the conduct was the only way for the State to "safeguard an essential interest against a grave and imminent peril".35 The defense is further limited to acts that do not seriously impair an essential interest of the State towards which the obligation exists or of the international community as a whole.36 The threshold to assert necessity is considered high, and the discussion focuses on whether a State's critical infrastructure is an "essential interest".37 Some commentators consider that necessity is reserved for genuinely exceptional and unforeseen circumstances, such that it may not be a sound basis for domestic active cyber defense legislation.38

Transatlantic Law Perspective

Approaches to legislating for active cyber defense and hackbacks vary between Germany and the US. In Germany, the discussion surrounds the constitutionality of such activities. In the US, legislators are attempting to legislate for a framework to regulate private sector hackbacks. In effect, such a framework would tolerate private sector engagement in active cyber defense and hackbacks.

Germany

Views among German legislators and academics are mixed as to whether to legislate to permit active cyber defense and hackbacks. The perception is that these measures may be intrusive and tend to undermine domestic and international law. The German experience is characterized by an anti-military, anti-surveillance sentiment.39 International law implications have also been considered. For example, in 2021 the German Federal Government published a position paper confirming that international law was of critical importance to handling opportunities and risks in the use of information and communication technologies (ICT). It noted that international law, including the UN Charter and international humanitarian law, applied without reservation in the context of cyberspace.40

In 2018 and 2019 respectively, a similar view was reiterated by the German Federal Parliament, in papers of its Scientific Services Department analyzing the constitutionality of conducting hackbacks in foreign jurisdictions. The Department cautioned that hackbacks may not be compatible with Art. 26 of the German Constitution, as Art. 26(1) is concerned with securing international peace and renders unconstitutional any act intended to disturb peaceful relations between nations, in particular preparation for a war of aggression. It recognized that acts engaging Art. 26(1) must lead to a serious impairment of interstate relations. It suggested that, absent precedent, the interpretation of cyber operations should draw on the general prohibition of the use of force under Art. 2(4) of the UN Charter.41 The Department recognized that an exception may arise in self-defense under Art. 51 of the UN Charter, and as a collective coercive measure of the UN Security Council under Arts. 39 and 42 of the UN Charter.42 Echoing the discussion above, the Department noted the importance of the scale and effect of the measures, and particularly whether they caused physical destruction on a significant scale.43 The German armed forces were identified as the only body authorized to engage in cyber operations.44

The Department cautioned that the distinction between attack and defense, their legitimacy and the threshold of their effects were not entirely clear. It found that hackbacks would be more in line with preparing an offensive attack, which may be contrary to the more cautious past practice of German foreign and security policy.45 In particular, the use of digital weaponry increases the risk of an arms race or the militarization of the Internet. The US, UK and France were identified as cautionary examples.46

The other concern is which governmental authority would be permitted to conduct hackbacks and active cyber defense. Currently, the country's national cyber security authority, the Federal Office for Information Security (BSI), is responsible for the protection of federal IT systems. The problem is that, at present, most cybersecurity policy is organized at the state level, where state IT security law and state-level authorities handle their respective cyber security issues. Over the years, the German Federal Minister of the Interior has considered proposals to amend the Constitution to expand the powers of the federal authorities.47 The proposal was firstly to expand the powers of the Federal Criminal Police Office (BKA) to conduct hackbacks and active cyber defense, and secondly to expand the capacity of the BSI as the central office for federal and state governments. As things stand, the BSI supports state-level authorities only through a framework of administrative assistance.48 Its expansion into a central authority would enhance coordination of cybersecurity policy across Germany.

United States

In the US, a different approach is being considered. Debate surrounds reforming the domestic legal framework to allow for private sector active cyber defense and hackbacks. This has been discussed in Congress and in think tanks across the US, and it raises questions as to the legitimacy of public-private security and whether there are sufficient measures to mitigate any negative externalities. Critics have also questioned whether, at the international level, such a policy would be escalatory or provocative in nature.49

Currently in the US, launching a counterattack into a hacker's network is a federal offense under the United States Code.50 Such activity would violate the federal computer trespass statute, the Computer Fraud and Abuse Act (CFAA). Under that law it is (inter alia) a federal offense where a person "intentionally accesses" a computer without authorization or "exceeds authorized access" and thereby obtains information from any "protected computer".51 The CFAA also provides for civil liability for its violation.52 As it stands, private sector hackbacks are recognized as risking a violation of the CFAA.53

The discussion is best summarized in the Active Cyber Defense Certainty Bill ("ACDC Bill").54 This was submitted to Congress in 2017 and reappeared in 2019.55 What continues to trouble the debate is what the US Center for Cyber and Homeland Security has described as the 'spectrum' along which an active cyber defense strategy takes place. In particular, consideration should be given to the technical interaction between defender and attacker, and to the operations that enable the defender to collect intelligence on a threat actor.56 Hackbacks and active cyber defense take place anywhere on this continuum, along which a mix of passive and active defense mechanisms may be employed. For example, 'honeypots' may be used to lure in attackers with fake information so that their behavior may be observed. A botnet outside the defender's network may also be taken down. This would require an active intervention into an end user's computer, or an intervention to take down a command and control server. A cyber operation may involve any number of these activities, which could be intrusive and could compromise third parties. These activities may cross jurisdictional boundaries, which raises public-private cyber security questions.57

The ACDC Bill would amend Section 1030 of title 18 of the United States Code by introducing a defense to criminal prosecution where the conduct was an "active cyber defense measure".58 No equivalent defense to civil liability has been proposed.59 In effect, the ACDC Bill would permit a "defender" to hack back where there is a "persistent unauthorized intrusion" into their computer.60 A defender would (inter alia) be able to access the attacker's computer without authorization in order to gather information establishing attribution of the criminal activity, to be shared with law enforcement and US cybersecurity agencies; to disrupt continued unauthorized activity against the defender's network; or to monitor the attacker's behavior in order to develop cyber defense techniques.61 It can be seen that the proposed ACDC Bill would legitimize private sector active cyber defense. It has been noted that broad authorization of companies to hack back against attackers could be dangerous, particularly if the defender were technically incapable or lacked sophistication.62

One author has suggested that tolerating private sector hackbacks in domestic law may affect the rule of law and the law's characteristics of generality, publicity, predictability, clarity and constancy.63 However, the same author noted that the solution is neither black nor white, as the efficiency of the private sector must also be borne in mind. As such, appropriate licensing and supervision of a small number of cybersecurity companies may be a mutually acceptable solution for private sector engagement in active cyber defense.64

Outlook

Novel active cyber defense and hackback strategies continue to emerge in the cybersecurity world. There remains no uniform description of what such strategies may entail, as these vary on a case-by-case basis. At the international level, the existing international legal framework has been applied to State engagement in active cyber defense and hackbacks. In particular, States must refrain from the threat or use of force in international relations. States may find justification under their inherent right to self-defense or the law of countermeasures. However, in the evolving world of cyber attacks, this is no easy task, as preconditions such as whether there was an 'armed attack' or an 'internationally wrongful act' determine whether a State can legally justify its engagement in active cyber defense or hackbacks. IT infrastructure is also complex, which makes other aspects, such as attribution, difficult. The customary plea of necessity may also present debatable grounds for domestic legislation on active cyber defense and hackbacks.

Across the Atlantic, different approaches towards regulation have emerged. In Germany, a constitutional basis for State-authorized active cyber defense has been discussed. The US has shown a greater preparedness towards private sector active cyber defense and hackbacks. Criticism remains as to whether active cyber defense or hackbacks may escalate or provoke international tensions.

This article was written by Jacky Lui and published in the Transatlantic Law Journal (January 2024). You can also read it at LINK.

Footnotes

  1. Jacky Lui, BCom/LLB (UNSW Sydney), LL.M. (Humboldt University of Berlin) is an Australian lawyer registered with the Law Society of New South Wales. He practices in the public international law/investment treaty arbitration group of Herbert Smith Freehills LLP in Frankfurt am Main. This contribution is written in the author’s private capacity and does not express the views of their law firm or clients.
  2. See for e.g., European Parliament, Report on foreign interference in all democratic processes in the European Union, including disinformation (15 May 2023) (2022/2075(INI)), https://www.europarl.europa.eu/doceo/document/A-9-2023-0187_EN.html.
  3. Julian Barnes, Cyber Command Operation Took Down Russian Troll Farm for Midterm Elections, New York Times (26 February 2019), https://www.nytimes.com/2019/02/26/us/politics/us-cyber-command-russia.html.
  4. United States Department of Defense, 2023 Department of Defense Cyber Strategy Summary, p. 2.
  5. United States Department of Defense, Defense Budget Overview: Fiscal Year 2024 Budget Request (March 2023), pp. 1-5, https://comptroller.defense.gov/Portals/45/Documents/defbudget/FY2024/FY2024_Budget_Request_Overview_Book.pdf.
  6. Ibid, pp. 2-16.
  7. German Federal Ministry of the Interior and Home Affairs, Cybersecurity agenda: Goals and Measures for the 20th Legislative Term (2022), 5. A similar view is taken in the EU, see European Commission, Joint Communication to the European Parliament and the Council, EU Policy on Cyber Defence, (10 November 2022) (JOIN(2022) 49 final), p. 1.
  8. German Federal Government, National Security Strategy (June 2023), pp. 33-34, https://www.nationalesicherheitsstrategie.de/en.html.
  9. Sven Herpig, Active Cyber Defense Operations - Assessment and Safeguards, Stiftung Neue Verantwortung, (November 2021), p. 11 et seq.
  10. Ibid.
  11. Ibid.
  12. Ibid, p. 13, selected examples are identified.
  13. Henning Lahmann, Unilateral Remedies to Cyber Operations: Self-Defence, Countermeasures, Necessity, and the Question of Attribution, (Cambridge University Press, 2020), p. 21 et seq.
  14. Ibid, p. 22 et seq.
  15. Ibid, p. 23.
  16. Ibid, p. 25.
  17. Russell Buchan, Cyber Attacks: Unlawful Uses of Force or Prohibited Interventions?, Journal of Conflict & Security Law Volume 17 No. 2 2012, 211 (227); Samuli Haataja, Cyber Attacks and International Law on the Use of Force: The Turn to Information Ethics, (Routledge, 2019), p. 487 et seq.
  18. Henning Lahmann, Unilateral Remedies to Cyber Operations: Self-Defence, Countermeasures, Necessity, and the Question of Attribution, (Cambridge University Press, 2020), pp. 64-65.
  19. Ibid, p. 47 et seq.
  20. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Merits Judgment. I.C.J. Reports 1986, para. 191.
  21. See for example, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Merits Judgment. I.C.J. Reports 1986, para. 74; Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v. Uganda), Judgment, I.C.J. Reports 2005, para. 148.
  22. Yoram Dinstein, ‘Computer Network Attacks and Self-Defense’ in Michael Schmitt and Brian O’Donnell (eds), Computer Network Attack and International Law, International Law Studies, Volume 76 2002, 99 (105).
  23. On its applicability for Germany and the United States, see Statement by Ambassador Dr Thomas Fitschen, Director for the United Nations, Cyber Foreign Policy and Counter-Terrorism, Federal Foreign Office of Germany (November 2018), p. 3, and Brian J. Egan, Remarks on International Law and Stability in Cyberspace (10 November 2016).
  24. ILC Draft Articles on Responsibility of States for Internationally Wrongful Acts, with commentaries ("ILC Articles"), Art. 22 and Chapter II.
  25. See wording of ILC Articles, Art. 22.
  26. ILC Articles, Art. 49(1).
  27. ILC Articles, Commentary, Art. 22, para. 5.
  28. ILC Articles, Commentary, Art. 22, para. 4.
  29. ILC Articles, Art. 50.
  30. Henning Lahmann, Unilateral Remedies to Cyber Operations: Self-Defence, Countermeasures, Necessity, and the Question of Attribution, (Cambridge University Press, 2020), p. 125.
  31. US Department of Defense, Cyber Strategy 2018, Summary, p. 1, https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF.
  32. Hakan Tanriverdi, The Federal Government's Hackback Plans, Tagesschau (29 May 2019), https://www.tagesschau.de/investigativ/seehofer-cyberabwehr-103.html.
  33. See ILC Articles, Arts. 4 to 11.
  34. BBC News, Russia 'Was Behind German Parliament Hack', BBC (13 March 2016), https://www.bbc.com/news/technology-36284447.
  35. ILC Articles, Art. 25.
  36. Ibid.
  37. Ibid.
  38. Henning Lahmann, Unilateral Remedies to Cyber Operations: Self-Defence, Countermeasures, Necessity, and the Question of Attribution, (Cambridge University Press, 2020), p. 266.
  39. Sven Herpig/Robert Morgus/Amit Sheniak, Active Cyber Defense - A Comparative Study on US, Israeli and German Approaches, Konrad Adenauer Stiftung (January 2020), p. 3.
  40. Federal Government of Germany, On the Application of International Law in Cyberspace, Position Paper (March 2021), p. 1.
  41. Scientific Services, German Federal Parliament, Constitutionality of so-called "Hackbacks" Abroad, WD 3 - 3000 - 159/18, Position Paper (8 June 2018), p. 4.
  42. Ibid, p. 4.
  43. Ibid, p. 4.
  44. Ibid, p. 5.
  45. Andre Meister/Anna Biselli, Secret Bundestag Report Attacks the Federal Government's Hackback Plans, Netzpolitik (3 September 2019), https://netzpolitik.org/2019/geheimes-bundestagsgutachten-attackiert-hackback-plaene-der-bundesregierung/#2019-08-27_Bundestag-WD_Cyber-Abwehr-in-Deutschland.
  46. Ibid.
  47. Federal Ministry of the Interior and Home Affairs, Federal Minister of the Interior Nancy Faeser: "We want to make our country more modern, closer to its citizens and more digital", Bundesministerium des Innern und für Heimat (28 April 2022), https://www.bmi.bund.de/SharedDocs/pressemitteilungen/DE/2022/04/digitalprogramm.html.
  48. Sven Herpig, The State of Cybersecurity Architecture: Who actually does cybersecurity in Germany?, BSI Magazine (March 2019), p. 17, https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Magazin/BSI-Magazin_2019-01.pdf?__blob=publicationFile&v=1.
  49. Dennis Broeders, Private Active Cyber Defense and (International) Cyber Security—Pushing the Line?, Journal of Cybersecurity Volume 7 No. 1 2021, 1 (1).
  50. 18 U.S.C. § 1030.
  51. 18 U.S.C. § 1030(2). A "protected computer" is defined to include (inter alia), a computer used in or affecting "interstate or foreign commerce or communication" and includes a computer located outside of the US used in the same manner, see 18 U.S.C. § 1030(e)(2).
  52. See 18 U.S.C. § 1030(g).
  53. Sam Parker, Shot in the Dark: Can Private Sector "Hackbacks" Work?, Journal of National Security Law & Policy, Volume 13 2022, 211 (214).
  54. Active Cyber Defense Certainty Act, H.R. 4036, 115th Cong. (2017), https://www.congress.gov/bill/115th-congress/house-bill/4036 ("ACDC Bill").
  55. This was introduced by Representative Tom Graves, see H.R. 3270, 116th Cong. (2019), https://www.congress.gov/bill/116th-congress/house-bill/3270.
  56. Dennis Broeders, Private Active Cyber Defense and (International) Cyber Security—Pushing the Line?, Journal of Cybersecurity Volume 7 No. 1 2021, 1 (1).
  57. Ibid, (2).
  58. ACDC Bill, Sec. 4.
  59. ACDC Bill, Sec. 4.
  60. ACDC Bill, Sec. 4, proposed Definition of "defender".
  61. ACDC Bill, Sec. 4, proposed Definition of "active cyber defense measure".
  62. It was noted that highly sophisticated and technically capable companies were not the issue, but that a scaling back of the ACDC Bill may be an appropriate hybrid solution with governmental supervision of hackbacks. See Sam Parker, Shot in the Dark: Can Private Sector "Hackbacks" Work?, Journal of National Security Law & Policy, Volume 13 2022, 211 (218).
  63. Irene Couzigou, Hacking-Back by Private Companies and the Rule of Law, Heidelberg Journal of International Law 80 (2020) 479, (503).
  64. Ibid, (504)-(505).