In October 2017, German intelligence officials approached lawmakers and argued for greater legal authority to “hack back” in response to cyber attacks conducted by foreign nation states. The head of Germany’s domestic intelligence agency specifically advocated for the right to be able to destroy data stolen from German servers and relocated to foreign servers in order to mitigate the threat of its misuse. Additionally, the intelligence official expressed the necessity to be able to compromise foreign servers in order to bolster surveillance capabilities that would be leveraged against German cyber targets or extract specific data. Currently, Germany’s foreign intelligence agency does not have the legal authority to conduct such operations, although it is reputed to have the capability to do so.
Germany, like many other nations, has been a frequent victim of advanced persistent threat (APT) activity suspected of being conducted or directed by foreign governments. A 2017 government report by the domestic intelligence service revealed that Germany was a primary target of cyber spying operations suspected of being conducted by such foreign governments as China, Russia, and Turkey. According to the report, industrial espionage costs German industry billions of euros each year, with small- and medium-sized businesses often the biggest losers.
In the aftermath of Russia’s involvement in the United States elections and those of France a few months later, Germany expected similar APT activities to be directed against its own presidential elections. Despite previous history of malfeasance conducted against political targets by suspected Russian actors in 2015, there was a dearth of “fake news” or spear phishing attacks as it appeared that Russia had left the elections alone.
However, despite being the target of the most sophisticated cyber threat actors, the German government may be wary of granting authority to “hack back,” especially in the wake of questionable spying practices. Suspected United States surveillance of German officials (which has since been disproved) gave a black eye to a Western government leader. Indeed, recent developments intimate that German intelligence may have conducted its own surveillance against White House officials, as well as other European allies. Since then, the government drew up new guidelines on what targets were viable for German intelligence to spy on. In October, the German government conducted a hearing to ensure that the German intelligence apparatus was operating according to its dictates, among other security discussions.
Whether German intelligence agencies receive the authority to “hack back” will largely depend on balancing potentially rewarding efforts with potentially detrimental blowback. Cyber space remains a large grey area where governments maintain their own definitions law need to be considered and factored in before empowering intelligence operators to engage in such activities. The lack of established international cyber norms of responsible state behavior sustains a large grey area where governments maintain their own definitions of right and wrong. The recent failure of the United Nations Group of Governmental Experts to advance efforts in creating a universal understanding of government activities in cyberspace seems destined to be perpetually at a crossroads.
In an era where nation states are scrambling to obtain offensive cyber capabilities, the need to be able to conduct offensive actions in cyberspace is seen as a necessity, particularly as states are connected to news-garnering, high-profile events. Numerous reports have indicated that even developing nations understand the cost-effective value of obtaining this skill set. Even Ukraine, the victim of ongoing cyber attacks suspected of being conducted by Russian nationalistic hackers, is reported to be currently growing its cyber capabilities.
Hacking back may seem like an attractive alternative to better defense practices, but there are too many intangibles that need to be considered. Miscalculation, error, and escalation are just some consequences that can result if “hack-back” attacks go wrong. And in light of current tensions with North Korea, even trying to “signal” in cyberspace can lead to misinterpretation, which can lead to unintended courses of action. Bottom line: hacking back neither solves nor deters the problem of state-affiliated cyber theft or sabotage; it merely exacerbates it. And that is a threshold countries relying on advanced technology as a driver of public and private development should not want crossed.
This is a guest post written by Emilio Iasiello.