Categories
Criminal Defense Cybercrime Cybersecurity Technology- & IT-Law

Current Overview of Hackbacks in Germany: Political Debates, Legal Status, and Planned Legislation

Hackbacks, also known as “active cyber defense,” involve measures where a cyber attack on IT systems is actively countered by attacking the target system of the attacker. The goal of a hackback is to stop the original attacker, restore data, or prevent further damage. This can involve infiltrating the attacker’s IT infrastructure, deleting malicious software, or even physically impairing hardware.

Political Discussions in Germany on Hackbacks

In Germany, hackbacks have been a topic of political debate for several years. In late May 2019, reports by Bayerischer Rundfunk revealed an internal concept paper by the German government detailing proposals for government countermeasures in the event of significant cyberattacks from abroad. The paper outlines a four-stage approach: while the first two stages do not involve hackbacks in the strict sense, the third and fourth stages permit more active measures, such as infiltrating foreign networks and shutting down systems.

This concept paper reignited the debate about the legality and effectiveness of such measures. Critics warn of the potential escalation of digital conflicts and the risk of a cyber arms race. There are also concerns regarding the responsibilities and technical-organizational implementation of such measures in Germany, adding complexity to the discussion.

Legal Status in Germany

Legally, hackbacks in Germany are controversial and exist in a gray area. According to Article 2, Paragraph 4 of the UN Charter, the use of force in international relations is generally prohibited unless it is carried out under the right of self-defense as outlined in Article 51 of the UN Charter. These international legal norms also apply to the cyber realm, meaning that a state conducting hackbacks must adhere to international law limits. In particular, hackbacks are only justified when they can be deemed legitimate self-defense against an armed attack, which is rarely the case in practice.

Additionally, the implementation of hackbacks by state entities faces domestic legal challenges. In Germany, it would be problematic to involve the military or intelligence services in hackbacks, as their roles are strictly defined by law, and such actions could violate the separation of powers between police and intelligence services. Expanding the military’s responsibilities in cyber defense would also pose significant constitutional hurdles, as their engagement is only permissible under strict conditions, primarily in defense scenarios, with stringent constitutional safeguards.

Examples and Recent Developments

An illustrative example of the challenges associated with hackbacks is the incident involving the Russian hacker group “Internet Research Agency” in 2018. To prevent interference in the U.S. midterm elections, the U.S. Cyber Command took measures to disable the operations of this group. This action highlights both the potential scope and consequences of hackbacks, as well as the associated legal and political risks.

In Germany, there are efforts to clarify the legal framework for hackbacks. A central issue remains the question of jurisdiction: the National Cyber Defense Center (NCAZ) includes a variety of authorities, such as the Federal Office for Information Security (BSI), the Federal Criminal Police Office (BKA), and the Federal Intelligence Service (BND). This multiplicity of authorities can lead to jurisdictional confusion, hindering effective responses. Furthermore, discussions are ongoing about whether and how the BSI’s powers for active measures could be expanded.

Planned Legislation and Outlook

Currently, there is no specific legislation in Germany that explicitly permits hackbacks. However, there is ongoing debate about whether legislative changes are necessary to establish a legal framework for hackbacks. Such changes could include defining which entities are authorized to conduct hackbacks, the conditions that must be met, and how these actions can be aligned with international law. A potential approach could be the creation of a system where hackbacks are conducted only under strict supervision and following comprehensive legal review, to prevent abuse and escalation.


Can Hackbacks Be a Crime?

Yes, hackbacks can be considered a crime. In Germany and internationally, various legal frameworks regulate hackbacks. Generally, unauthorized access to foreign IT systems is illegal and violates computer crime laws, even when the intention is to respond to or thwart a prior cyberattack.

Perspective of IT Security Researchers

IT security researchers are often skeptical about hackbacks. While they acknowledge the need for active measures against cyberattacks, especially when passive defenses fail, they emphasize that hackbacks pose legal challenges and technical risks, such as unintended escalation of conflicts or collateral damage to innocent third parties. Researchers argue that hackbacks typically violate existing laws, including the prohibition against hacking under § 202a of the German Criminal Code (StGB) (unauthorized access to data) or § 303b StGB (computer sabotage). Moreover, researchers stress the importance of adhering to legal standards to maintain the integrity of their work and uphold ethical norms.

Perspective of Attacked Companies

For attacked companies, hackbacks might initially seem like an appealing solution to regain control over their IT systems or directly stop the attacker. However, companies must consider the legal implications: conducting a hackback without legal authorization could quickly be classified as unauthorized access or a computer crime. Even when a company has suffered significant damage from an attack, this generally does not justify becoming an attacker. Companies are encouraged to collaborate with authorities and exhaust legal avenues instead. Additionally, there is a risk that hackbacks could escalate the situation and exacerbate damages, which could further weaken the company’s legal position. Participating in hackbacks could also breach corporate governance duties and result in liability issues.

Perspective of State Employees in Government Agencies

State employees, particularly those in security agencies like the Federal Office for Information Security (BSI) or the Federal Intelligence Service (BND), view hackbacks within a complex legal and operational context. While there is a desire to proactively protect state systems and critical infrastructures, they too are bound by strict legal regulations that limit such actions. Hackbacks could violate international norms, such as the prohibition on the use of force under Article 2, Paragraph 4 of the UN Charter, especially when involving incursions into foreign IT systems. Conducting hackbacks by state entities would only be justified in narrowly defined exceptional cases, such as under the right of self-defense per Article 51 of the UN Charter, which does not apply to most cyberattacks.

In Germany, entities like the Bundeswehr may only engage actively in cyberspace under stringent conditions, primarily for defense measures against an armed attack, according to Article 87a of the Basic Law (GG). Using hackbacks as part of routine threat mitigation would therefore often be unconstitutional and could have criminal repercussions for the responsible personnel. The German government has indicated in internal concepts that hackbacks could become part of a strategic defense toolset; however, the legal feasibility and political support for this remain highly contested.


Conclusion

Hackbacks remain a controversial and complex issue in Germany’s cybersecurity policy. While the need for active measures to counter cyberattacks is recognized, the legal and political hurdles are significant. Addressing hackbacks requires a careful balance between protecting national security and adhering to both international and domestic legal norms. The ongoing debate in Germany reflects the necessity for innovative approaches to effectively tackle growing cyber threats without risking legal or political escalation.

So, Hackbacks pose significant legal risks for private individuals, companies, and state actors alike. While the desire to take active measures against cyberattacks is understandable, the legal and ethical implications are considerable. In Germany and most other jurisdictions, hackbacks are generally illegal and can result in criminal consequences. Companies and government agencies are thus advised to adhere to existing legal frameworks and seek alternative, legally permissible methods of cyber defense.

German Lawyer at Law Firm Ferner Alsdorf
I am a specialist lawyer for criminal law + specialist lawyer for IT law and dedicate myself professionally entirely to criminal defence and IT law, especially software law. Before becoming a lawyer, I was a software developer. I am an author in a renowned commentary on the German Code of Criminal Procedure (StPO) as well as in professional journals.

Our law firm specialises in criminal defence, white-collar crime and IT law / technology law. Note our activity in digital evidence in IT security and software law.
German Lawyer Jens Ferner (Criminal Defense & IT-Law)