Oil refinery with sunset showing defensive cyber attacks for critical infrastructure

Defensive Cyber Attacks Declared Legal by UK AG, Path Cleared to “Hack Back” When Critical Infrastructure & Services Attacked

The Attorney General of the United Kingdom has declared the country can make use of defensive cyber attacks when “key services” (such as critical infrastructure and banks) are struck by foreign threat actors.

The country is taking a formal position on extending international law to the digital realm, something that nations have typically been hesitant to do as espionage attempts are regularly traded back and forth between them. AG Suella Braverman paired the move with an argument before leading policy institute Chatham House that the international principle of non-intervention in the affairs of other sovereign countries should now extend to cyber attacks and countermeasures in a “proportionate” way.

UK declares intent to use defensive cyber attacks against nation-state threat actors

The move highlights a general lack of international agreement about when defensive cyber attacks should be considered appropriate. There has long been a murky world of online espionage in which countries have tacitly agreed to not respond with military force, due in no small part to degrees of plausible deniability and a great difficulty in displaying concrete evidence to the public that another nation’s covert hacking teams were behind a virtual break-in.

This unofficial understanding has survived in the internet age, even as allies have been caught spying on each other, so long as everyone refrained from using cyber attacks to cause physical damage. Some developments in recent years have strained that arrangement, including Russia’s repeated cyber attacks on services in Ukraine and the recent willingness of cyber criminals to hit foreign critical infrastructure and government agencies with ransomware attacks.

The UK AG has expressed that there is a pressing need to establish formal rules regarding defensive cyber attacks given the demonstrated possibility of devastating incidents that could cause actual damage to civilians, and that existing non-intervention agreements could serve as a launch point. The AG sees an initial step as the establishment of a list of acts considered coercive or disruptive, and what proportional defensive cyber attacks would look like in those cases.

The AG’s remarks cited a number of international incidents that have been attributed to nation-state advanced persistent threat (APT) groups: the July 2021 Microsoft Exchange breaches (attributed to China), the April 2021 Solarwinds breach (attributed to Russia), and the December 2017 WannaCry ransomware outbreak (attributed to North Korea) among them.

The AG also identified four sectors that are considered particularly vulnerable to cyber intrusions: energy security, essential medical care, supply chain disruptions and democratic processes. Outside of Russia’s actions against Ukraine there are not many examples of nation-states attacking each other directly in these areas, but they are all areas that have become an increasing focus for ransomware gangs that disrupt operations for money. North Korean APT groups have been observed conducting ransomware attacks as a means of funding the heavily sanctioned government, a move that Russia might consider as it reaches similar levels of economic isolation in the world.

Troubled histories of international cyber relations, “hack back” attempts portends serious difficulties

Outside of a small handful of regional compacts, such as the one recently adopted by the African Union, there has been no real attempt to expand international law to regulate internet activity. A number of international organizations such as the UN General Assembly and the G20 have at least agreed in principle that international law should also apply to cyberspace, but there has been little meaningful effort to actually hash out firm legal codes and definitions.

The extent to which nations “hack back” with defensive cyber attacks is usually just as secretive a matter as the espionage operations that trigger these responses in the first place. The issue was raised publicly in the US in 2017 with the proposal of the Active Cyber Defense Certainty Act, which would have given individuals and companies the right to some level of defensive cyber attacks against aggressors attempting to disrupt operations or steal files. The bill would have limited the defensive cyber attacks to destruction of any files that were exfiltrated, but it never gathered much steam and did not make it out of committee.

One of the ideas floated during debate over this bill was the use of “beacons” that are functionally similar to a GPS tracker slipped in with stolen money; defensive cyber attacks would be justified against systems holding stolen files that contained these digital locators. This is an approach reportedly used in vigilante efforts conducted by companies that have been compromised, though it is laden with technical difficulties, not the least of which being that raw data can be easily copied from files and separated from the beacon without the defense team’s knowledge.