The chief of Germany's domestic intelligence agency, Hans-Georg Maassen, has called for security bodies to engage in offensive cyber-operations. Merely defending against hackers, cyber-criminals and state-backed threats is not enough, the BfV head is reported to have said.
He told the German news outlet Deutsche Presse-Agentur that, “we think it's essential that we don't just act defensively, but that we are also able to attack the enemy so that he stops continuing to attack us in the future.” Maassen outlined the desire for his agency to “disable attack structures that pose a grave threat to our cyber-security”. Specifically, Maassen bemoaned the fact that the agency could not delete stolen data found on other servers, even though that data could later be used to harm the country, its institutions and citizens.
The prospect of ‘hacking back’ is a controversial subject within the realms of security. The fear is that it may lead to an escalating conflict, where ‘revenge’ breaches spin out of control. In addition, an effective attack relies on a level of knowledge about the attacker which is often just not there, potentially leading to badly aimed retaliation as well as collateral damage to innocent parties.
On the other hand, from the perspective of a state, it is not a strong position to merely wait to be attacked and then piece together clues from the smoking wreckage of your email server.
Maassen's remarks were made against a background not only of the recent terrorist attack on a Berlin Christmas market but also of fears of foreign actors meddling in Germany's upcoming elections, as is widely alleged to have happened in the US's recent presidential elections. Fresh in Maassen's mind must also be the attacks on the German Parliament, the Bundestag. Hackers, later alleged to be backed by the Kremlin, were responsible for a six-month attack on the parliament in 2014. In 2016, a spear-phishing attack targeted key members of the Bundestag, in what is believed to be an attempt to influence Germany's 2017 elections.
Many countries are still wrestling with whether to grant themselves this quite considerable power. In November 2016, the UK's Chancellor called for the ability to retaliate against assailants in cyber-space.
"If we do not have the ability to respond in cyber-space to an attack which takes down our power network – leaving us in darkness or hits our air traffic control system grounding our planes – we would be left with the impossible choice of turning the other cheek, ignoring the devastating consequences, or resorting to a military response," Hammond told an audience as he unveiled £1.9 billion of funding for cyber-security in the UK.
Some may say that governments already engage in this kind of behaviour, which may be true, but putting those kinds of powers into law is something different altogether. Liina Areng, head of international relations at the Estonian Information System Authority, reminded SC that while that may be the case, this often goes on through proxies and in uncharted waters. International law, she said, “does not prohibit espionage”. Furthermore, as of yet these activities “have not [been] raised to the level that would trigger a state's right to self defence.”
When counter striking, “states need to abide [by] international norms and bear responsibility for their constituents (proxies like private sector hackers) engaging in illegal activities.”
“It would probably be understandable and tolerable for most of the society if national intelligence services would be allowed to access the servers of malicious actors to delete the information stolen from them, but who would guarantee that during the same operation they would not access other information on this server?”