Internet Governance Forum 2018
Session: Balancing Cybersecurity, Human Rights & Economic Development
Role: Speaker.
Description
The purpose of this roundtable session is to address the relevance of balancing Cybersecurity, Human Rights and Economic Development issues and to explore best practices applied in different regions and stakeholder groups. In particular, it will discuss coordination and collaboration models between different stakeholder groups aimed at balancing cybersecurity, economic objectives and fundamental values. Speakers will share their expertise and points of view regarding these issues, and the moderator will ask for proposals and their views on how to guarantee a real balance in these three areas. Confirmed speakers cover a wide range of organizations and regions, which will provide a unique and global approach to the proposed theme. A background paper prepared by the organizers will be distributed in advance.
Session: Private Sector “hack back”: Where is the limit?
Role: Speaker.
Description
The private sector has been exposed to an exponentially increasing number and variety of attacks in the digital environment. Businesses should protect themselves, but they are dependent on their respective governments if they wish counter-offensive action to be legally taken against attackers. With practices known as “hacking-back” being within governments’ prerogative only, how far should businesses be allowed to go in taking proactive defensive measures (also referred to as “active cyber defence”)? Should public policy evolve, in order to clarify the conditions, limits and safeguards for the private sector to resort to such techniques?
Key questions to be discussed by speakers and participants on site and online include:
- What renders a digital security measure as “active” rather than “passive”? What are concrete measures that might fall into each category? Is this categorisation necessary? What is a technology neutral description of “active cyber defense”? Where are the boundaries between “hacking back” and “active cyber defense”?
- What is the prerogative of governments in responding to an attack, and where does the scope of action of a business start and end? Could anyone use proactive defence measures or should only “qualified” players be allowed to enter this space? Should there be any oversight?
- What are the limits of “active cyber defense”? How would what is acceptable and what is not be determined?
- What are the risks of hacking back, including to the Internet and other users? Is there any way to mitigate those risks? Who would be responsible in case of damages to a third party?
- Is there a need for internationally agreed rules and principles in this area? And more generally: has the time come for new rules and guiding principles to clarify businesses’ scope of action, and to allow them to pursue a proactive defence approach of their systems and data in an ever increasingly digital and data-driven world?