It had to happen eventually. Out of all the countries in the world, the hacking back debate has finally entered the political discourse in neutral Switzerland. While it is still too early to determine where the discussion will be heading toward, it is also the perfect time to insert a new perspective on hacking back.
In early May, it was reported that Germany’s federal prosecutor issued an arrest warrant for Dmitriy Badin, the Russian hacker behind the 2015 cyberattacks targeting the Bundestag. Despite this, it is unclear what steps the German government has taken to pursue Badin internationally and how Germany and the United States will manage their separate efforts to arrest him.
On April 7, the Australian Minister of Defense acknowledged – for the first time ever – that the Australian Signals Directorate (ASD) used its offensive cyber capabilities to disrupt foreign cybercriminal infrastructure responsible for malicious cyber activities exploiting the COVID-19 pandemic.1 While details on the operation are sparse, what we do know is that ASD “stopped the criminals from accessing their own systems and prevented them from accessing information they stole.”2 What we do not know is the how, the where, the when, and what exactly triggered ASD into action.
While the discussion on cyber terrorism research and related government policies have hit a wall in recent years, adversarial tactics to create terror in and through cyberspace are only at their beginning.
The top down UN GGE process appears dead in the water. International norms and laws for responding to cyber attacks must now be built from the bottom up.
Rules must be binding, violations must be punished, and words must mean something. The UN GGE failed on all three accounts.
In 2004, the United Nations established a Group of Governmental Experts with the aim of strengthening the security of global information and telecommunications systems (UN GGE). To date the UN GGE has held five sessions, which are widely credited for successfully outlining the global cybersecurity agenda and introducing the applicability of international law to state behaviour in cyberspace.
However, during the UN GGE’s fifth session in June 2017, fundamental disagreements emerged between the Group’s 25 members, particularly on the right to self-defence and the applicability of international humanitarian law to cyber conflicts. In the end, the fifth and possibly last session concluded without the release of a consensus report. With no plans to pick up the pieces, the question now is, where do we go from here?