Cyberspace has upended the way we interact, and most of us are constantly hooked to it, creating value and doing much else besides. More people, with their computers and a multitude of other devices, are present in cyberspace, increasing both the size and the diversity of the web, and amplifying existing cyber risks for users while creating novel ones.

Numerous policies and regulatory measures have lately been proposed and adopted to advance the security of users, through data protection as well as in the areas of financial services, maritime, aviation, medical devices and electronic communications. Users are vested with rights, and businesses carry diverse legal and financial obligations coupled with risks and liabilities. Directors and company officers also face the risk of personal claims for negligence or breach of fiduciary duty. In the US, direct legal action has been taken against company directors following a cybersecurity breach. In the EU, the NIS2 directive likewise requires the management bodies of relevant organisations to approve and oversee the implementation of cybersecurity risk-management measures, and makes them personally liable for failures in implementing those measures.

From a data protection perspective, the responsibilities of data controllers are the most relevant in the context of cybersecurity. Aside from the obligation to have processes and solutions built on data protection by design, controllers and processors must also effectively implement appropriate technical and organisational measures to protect the personal information they intend to collect and process. A careful reading of these provisions does not exclude active and preventive cyber defence measures. Active cyber defence generally involves real-time defence and security strategies that go beyond purely preventive measures such as a firewall or antivirus.

Is active self-defence, however, legitimate in cyberspace? Self-defence provisions originate from land-based cases. They are recognised by most legal systems and as a legal principle in international law. In Malta, legitimate self-defence is found in our Criminal Code. A careful reading of Articles 224 and 227 of the Criminal Code limits self-defence to cases of homicide or bodily harm. Would this preclude a company or an individual in Malta from claiming justifiable self-defence in cyberspace? I would dare say that, at the outset, that would seem to be the case, albeit it all depends on the actions pursued; the novel nature of cyberspace, coupled with our legislative regime, is not helpful here.

Let’s say, for the sake of argument, that the act of cyber self-defence resulted in unauthorised access (or an attempt to gain such access) to a third-party device belonging to the potential intruder. The way our computer crime provisions are drafted, Article 337 in particular, coupled with Articles 224 and 227, would neither legitimise nor excuse such an act. Even sniffing a port and attempting to access the device in order to defend yourself from attack is, without authorisation, prosecutable under these provisions.

Now consider this scenario. I use a “honey pot” to identify intruders, their IP addresses and possibly their MAC addresses, before blocking them out of my system to stop the unauthorised access. This is deemed to be an act of active cyber defence. Would this measure breach any criminal law provisions? In today’s day and age, should some form of active cyber self-defence be allowed in specific circumstances, and should there be ad-hoc and clearer provisions at law?

This argument is not novel: academics have been considering the notion of hack back for some time, and some consider it extremely problematic and unethical in nature. In the US these discussions culminated in a Hack Bill, which discussed specific cases of permitted cyber self-defence as well as a mandatory pre-notification to the FBI National Joint Investigative Task Force.

Global cyber security threats have increased in recent years, with more sophisticated attacks as well as the use of novel technologies. When companies are hacked, aside from the legal and regulatory permutations, the costs of rectifying the breach and recovering from downtime can spiral into millions. Cyber crime cost global economies around $787,671 per hour in 2021. Over the course of the year, this amounts to $6,899,997,960 lost worldwide to cyber criminals. The average cost of a cyber breach in 2022 was $4.35 million. It is predicted that the cost of cyber crime to the global economy will rise to $10.5 trillion by 2025.

One of the key reasons for these staggering figures is the lack of successful detection, investigation and prosecution of cybercrime. The unharmonised nature of national and international laws, the difficulty of identifying, locating, prosecuting and arresting cybercriminals, the lack of experts, and the technological factors which amplify the reach and scope of cybercrime are all limiting factors. Another important limitation is timeliness. In a hypothetical cyber self-defence activity, action can be preventive and prompt; when law enforcement comes in, most of the time any activity is ex post the intrusion, with the crime already perpetrated and the harm inflicted.

Given the prevailing scenario, unless potential victims have the luxury of pre-determining and ascertaining each and every case of cyber self-defence, with its multitude of diverse permutations, and of assuming the risks involved, they have no avenue other than to pay licence fees and resort to third-party vendors and technical solutions to mitigate any possible intrusion, vulnerability or data breach, turning to the law enforcement community and the cybercrime legal provisions only as a last resort.

That last resort is still wanting. The main intent of criminal law has always been to deter criminals and, as far as possible, to prevent the infliction of harm. In cyberspace this is not the case. Other cybercrime prevention strategies ought to be considered. Could these include a study and consultation on the possibility of laying down ad-hoc legislative measures introducing the notion of legitimate cyber self-defence in certain pre-determined instances, thus paving the way for a new paradigm of activity in cyberspace?

Article by Dr Ian Gauci

This publication is provided for your convenience and does not constitute legal advice.

This article was first published in The Sunday Times of Malta of the 05/11/2023.

This publication is protected by copyright © 2023 GTG.

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.