EU Urged To Kick Off ‘Hacking Back’ Discussions

Brussels should hold discussions on legislation to allow police to hack systems which are believed to be operated by criminals, according to security professionals.

But the European Commission is not keen on the idea of so-called “offensive security”, TechWeekEurope understands.

The Dutch government is currently discussing a bill that would legalise hacking back, even where criminal infrastructure was based outside of the Netherlands. As long as a crime affected an entity or individual in the Netherlands, the proposed law would allow Dutch police to compromise servers suspected of illegal activity.

That has concerned many onlookers, who fear the law would lead to abuse of power within police forces and gross breaches of citizen privacy – as well as police cyber attacks on innocent bystanders.

But now Brussels has been called on to host discussions on giving police, and even private or public organisations, greater powers to breach criminal systems, recover information from them or even take them completely offline where it is unlikely the crooks will otherwise be caught.

Hacking back

“In general the law hasn’t caught up,” Ross Allen, vice president for McAfee in UK & Eire, told TechWeek. “I’m more interested in shutting them [cyber criminal systems] down.

“How do you convict these people? It’s not possible in a lot of cases.”

Darren Thompson, CTO of Symantec, said Brussels would be the best place to start talks, given the borderless aspect of cyber crime. “Coordination is key here, otherwise people are going to be running at different rates,” he told TechWeek. “That would cause friction.

“European-wide coordination of legislation is going to be critical. The tensions and heat that could be generated by the likes of the Netherlands running at a different speed to everyone else could cause political conflict at the very least.

“The people who are the more aggressive proponents of this need to slow down a little bit, people who think it’s not a real thing need to speed up. And they all need to be coalesced in the EU.”

Kroes not convinced

Yet the European Commission is in no rush to talk about hacking back. Neelie Kroes, EU Digital Agenda vice president and the lead on drawing together cyber legislation, is not looking at any laws relating to the issue, a spokesperson told TechWeek.

That’s probably because the European Commission does not have a remit to decide on laws governing police forces in each country. But given the global nature of cyber crime, as highlighted by the creation of the European Cybercrime Centre in Brussels, the EC may be drawn into the debate.

Nevertheless, the Commission is strongly opposed to anything that would spur on the growing threat of digital warfare. “We are adamantly opposed to a cyber arms race and would assess any emerging debate with that in mind,” the spokesperson added.

“The Commission has recently adopted an EU Cyber Security Strategy announcing actions to ensure a safe and secure digital environment while maintaining openness and respecting and promoting fundamental rights.

“The Commission proposal for a Directive on network and information security, presented together with the EU Cyber Security Strategy, aims at improving resilience of network and information systems against any kind of threat, be it accidental events or criminal activities. Better security will also help deter cyber crime.”

In the UK, the debate over the Communications Data Bill, or Snoopers’ Charter, has left police still hungry to get their hands on crooks’ IP addresses, as the wider proposals have been blocked by the Tories’ Coalition partner, the Liberal Democrats. There has been little to no discussion on actually hacking into criminals’ computers, however.

Private assistance

Plenty of private organisations are capable of helping law enforcement or companies hack back. Indeed, “legitimate” malware manufacturing has become a burgeoning industry, with companies such as Gamma International and Italy’s Hacking Team providing law enforcement with hacking tools, although both have been criticised by human rights campaigners who claim their technology is being used by repressive regimes to spy on activists.

US firm CrowdStrike, which has a number of ex-FBI employees on board, is the best-known player in the offensive security market, however. It says it isn’t compromising any criminal infrastructure, but it is very interested in how far legal frameworks would let it go.

Would such companies help police out in future, or help kick-start discussions in Europe? “It’s uncharted ground. CrowdStrike, the things they do in terms of the identity association with individuals, they have some privacy implications,” Allen added.

As with the bill in the Netherlands, privacy looks set to be the main barrier to any further provision of hacking back powers.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
