IGF2018: Private sector hack-back: Where is the limit?

Key questions to be discussed by speakers and participants on site and online include:

• What renders a digital security measure as “active” rather than “passive”? What are concrete measures that might fall into each category? Is this categorisation necessary? What is a technology neutral description of “active cyber defense”? Where are the boundaries between “hacking back” and “active cyber defense”?
• What is the prerogative of governments in responding to an attack and where does the scope of action of a business start and ends? Could anyone use proactive defence measures or should only “qualified” players be allowed to enter this space? Should there be any oversight?
• What are the limits of “active cyber defense”? How would what is acceptable and what is not be determined? • What are the risks of hacking back, including to the Internet and other users? Is there any way to mitigate those risks? Who would be responsible in case of damages to a third party?
• Is there a need for internationally agreed rules and principles in this area? And more generally: has the time come for new rules and guiding principles to clarify businesses’ scope of action, and to allow them to pursue a proactive defence approach of their systems and data in an ever increasingly digital and data-driven world?

To discuss this issue, this Open Forum will bring together 5 speakers, with gender, regional, and stakeholder balance. Discussions will feed the preparation of the inaugural event of the OECD Global Forum on Digital Security for Prosperity (13-14 December 2018, Paris) which will focus on the roles and responsibilities of actors for digital security.