 on the Farbland event schedule page. Hello, and welcome to this talk by Cyber Law. He will tell us about how you can join anonymous to hack offensively. Oh, wait, no, it's going to be about the cybercrime by anonymous and by offensive hacking or hackbacks, both by black hats or our government, maybe are not such a good idea. Cyber Law, would you like to tell us more about this? Yes, with pleasure. Thank you for this introduction. I hope you can see the slide, which what is this about cybercrime by anonymous is what I use as a name. So legal, ethical and taking the questions all around cyber war. And that is what we will have to deal with for the next 20, 25 minutes. And I should tell you in advance that it is going to be a legalese talk, but I have tried to shorten things, but there will be quite a lot of text on the slide. So please be warned. And also a hint, this talk being named anonymous will have two sections. The first one is going to be about anonymous and the declaration of war against the Russian Federation. And the second section will be asking or picking up the question whether Germany, whether it will be legitimate for the German state to start hackbacks in cyberspace. Is there a legal justification for that? And what are the political arguments that are being brought forward? But let's get going with the first slide. The anonymous group has declared cyber war, as they called it. And I've collected a few quotes that went through the web in the last few days and weeks, various papers reported about this. And I found that was quite interesting. We have headlines such as anonymous is back, how the cyber war against Russia goes, hacker collective attacks the Kremlin, how does the IT campaign work, hacker as a warring party, Ukraine war, anonymous published sensitive data of 120,000 Russian soldiers, hacktivism in war between digital blockades and cyber war, anonymous hacks the largest Russian bank and Moscow stock exchange. And in fact, in various social networks, there was not that much response, but shortly after the war of aggression against Ukraine started, these things went through the roof. And even the conservative paper really went wild. And I thought, well, this is obviously something that people respond to. There's a lot of interest and lots of thumbs up to anonymous declaring a cyber war. So the first impression was, well, that is quite a good idea. And of course, there is this war of aggression in contravention of international law. So how can we defend against that? So many people thought that was a positive thing. And what we are going to delve into is, is this actually a war and what are the consequences to the actions by anonymous? If you look at the, look through it to an legal and ethical lens. And if we talk about cyber war, the first question you have to ask what actually is cyber war exactly. And legally you can distinguish between two different issues. First, there are cyber attacks by Russia against Ukraine and in contrast, Ukraine hacking against Russia. And you have to say from the start, from an international law point of view, mere cyber attacks do not make a cyber war. It's not a state of war. And the question has to be, how does international law judge this and what are the constitutional framework? Because Germany isn't devoid of any rules and not acting in an empty space, not even when cyber actions are concerned. You have to ask, which is going to be the second section, who is actually responsible in Germany? Whose role would it be to conduct such a hackback? What are the government structures and how can authorities prepare and actually act in a constitutional manner? And firstly, cyber attacks, whether by states or from civilian infrastructure, on states or on civilian infrastructure, cannot be called a state of war, not from the point of view of international law. And there are two central aspects here that international law uses to define war. And a few years ago, there was a position paper that was published by the scientific service of the German parliament, the Bundestag, where they broke it down into lay person's terms. And if you look at the conditions that are set in that paper, you can easily say that for a conventional war, two things are required. First, you have to have an armed struggle, the entry into a state of war, for example, through a declaration of war. And the question, of course, you have to ask, and that anonymous has to ask, how do you judge the involvement of civilian actors that get involved in this fight, be it in conventional ways or in a cyber way? And at what point does a cyber attack, which isn't yet a war as we've just seen, when does that pass the threshold into a armed conflict and international law? It's not a lot of fun to deal with for many people. There's a lot of vague terms here, and the more parties are involved in a certain state of things, the more difficult it is to reach a consensus. And that is something that to a large extent applies to international law as well. But what people do agree on is that for cyber warfare, international law effectively can be applied. And it can be applied just as much as in attacks with conventional weapons. And that's where things get interesting from a legal point of view, because from the international law perspective, if we compare cyber attacks with an attack conducted by conventional methods, an armed attack, you have to be able to draw some kind of comparison. And there are various perspectives that I have alluded to already. You have to consider these perspectives and depending which perspective you take, you might reach different conclusions. Looking at the attack on Russia against Ukraine, Russia against Ukraine, of course, it's clear that this is in convention of international law and it's in a war of aggression. And we have seen Ukraine counterattacking in cyberspace, so that is cyber war then per definition because Ukraine is in an armed conflict with the Russian Federation, which is also supported by cyber actions. So when a state is attacked in this way, of course, it is the right of that state to defend itself, which is called the right to self-defense in international law, which applies to Ukraine, and more concrete, these measures, there is a talent manual which contains rules for a war and cyber war, the talent manual, and going back to anonymous away from Ukraine, you have to first ask ourselves what is anonymous actually. It's a hacker collective, loosely organized. There is no clear hierarchy, no responsibilities. And ultimately you have to say that these are more or less private people who act on their own behalf, on their own motivation. And of course, anonymous is not a subject of international law. It cannot be a party in the conflict and therefore it cannot issue a declaration of war. They cannot act as an independent third party that says we are now as an independent institution enter into the state of war. Another problem that is based on the fact that this is a hacker collective is that these people are acting without identification. They are free combatants in the digital space, which means that it is very, very hard to relate actions to individuals. And that is something that is necessary from a legal point of view to judge who can be related to which warring party or none such party at all. And in a conventional war, the state of things is that as soon as you enter into the conflict you lose your rights as a civilian. And that could be more or less applicable in cyberspace as well. But even if you follow the call by Ukraine that was published, they asked for people to join their IT army entering a recruitment process almost. That doesn't automatically lead to an international law justification because this was a one-sided call. And again, the problem is I'm not going to register with Ukraine, I'm not going to work for the Ukrainian Ministry of Defense. So ultimately the question of definitions are not really affected by that. And the problem that not many people really see is when I act individually as a natural person I am responsible for my actions and also legally from a point of view of criminal law and every state has cyber crime laws these days that deal with these actions, including Germany. So manipulation of data, computer sabotage, these are crimes defined in law trying to retain access that is not permitted. These are all crimes from the cyber area and you are not freed from that responsibility once you get involved. You could say, okay, anonymous issues, a symbolic declaration of war and hacker collectives and individuals are becoming active. People that try to attack everything that's Russian in a sense and trying to reach some kind of results because all that would help. You could say that is sensible to act in solidarity with Ukraine that of course does make sense. And of course you are fighting against a authoritarian injustice regime that is committing crimes of war, war crimes. And of course these are not just laws against crimes in terms of international law but also from a human ethical point of view it's completely unjustifiable what is being done. It's a war of aggression against the Ukrainian state against civilians in particular. And you can say of course that you have entered into politics of 1,000 small intrusions, pinpricks and everything you have to take into account when you ask yourself whether hackbacks, digital attacks are something you can perform. And the problem that has already been seen in my previous slides is that private people are getting involved into actions of war and these 1,000 pinpricks might even strengthen the Russian military and Russian propaganda machinery. They are being given arguments for their illegal actions and or justifications. And if attacks on critical infrastructure in Ukraine might occur or in Russia the civilian population might suffer. They might be immediately affected and these are not people that are immediately involved in this conflict. So that might lead to a situation where there is even more solidarity within the country which is the kind of deep problem that we see already. There's a huge fake news machinery in action in Russia and they explicitly try to raise a political mood that is directly against the West and Putin of course will be strengthened in their fight against the evil West. So you have to ask yourself I think from an ethical point of view, of course you could say everyone can be part of saving the world but looking at this from the other side it is a kind of individual justice with my own judgment, my own sense of justice, my own... This is not something that you would normally authorize yourself to do. If I don't like someone I'm not immediately going to try and hack them or something or expose them and that is something that should be considered here as well and not least Russia and Ukraine. These are the main conflict parties of course but it's quite likely that other foreign powers will get involved with secret service operations which they might use under the cover of that war and that of course is also going to be supported by this lack of attribution. That is my idea about the anonymous issue. I want to take this a notch further. As I said, we have two parts of this presentation. The first will be about the anonymous cyber war and then cyber war in Germany or how would Germany be involved in a cyber war because this has a long history towards the years ago. A position paper was published by the German government that was about concrete plannings of a hackback to prepare and execute a cyber war and this was given to the parliament to decide upon and it kind of disappeared and not a lot happened in the last three years but now it's gotten quite a lot of attention again because we're asking ourselves how can Germany act in this current situation and with a threat level rising constantly? Is there something we have to do? Do we have to support certain powers? And should we have the ability to fight back in a cyber war? And if you use a go, it was very unclear how to do that whether to include secret services for example and the German office for information security made it clear that the Bundeswehr, the German army would be the entity that would have to be active there and that is important to know whether the German army would become involved here and what stipulations would be put upon the German army and when defensive action becomes necessary in terms of an aggression from outside. So if the German army becomes involved then it would be a kind of military violence when there's aggression from outside and if there's a concrete attack, we need very strict rules because the German army's main task is to become active in catastrophes and give help or for example in 1998 we had quite a bad train disaster in Germany where the German army was also tasked with evacuating people who were injured. And also keeping IT systems up to date is also a very important task in ensuring that Germany can defend itself against cyber attacks. The problem here is of course you could say you define a low threshold but the problem is that Germany isn't acting in free space basically also not in the cyberspace. So if we lower the threshold of what is considered aggression we are legally responsible and our German army can't just take offensive action in the cyber realm. And there's certain politicians in Germany who are saying that we need possibilities to defend ourselves in the cyber realm and to prevent attacks and that means that we have to raise the discussion about the hack back again. And of course that poses the questions do we automatically have a cyber war? And according to Ms. Faeser's current proposal I think a change in the constitution is planned but this isn't very concrete. It just means that the federal government needs more competencies in order to be able to hack back or to defend Germany against incoming cyber attacks and that takes us back to the German army. And we also have a domestic politics facet to this whole debate. If we give more competencies to the federal government and we had that discussion when we introduced new security laws before that cyber defense was considered a state competency and many people are getting the feeling that the federal government is already taking too much responsibility or taking on too many tasks or powers. So the whole topic has gone beyond the technical side and has moved into the political realm. How to deal with zero day exploits and whether states are able or should be able to use security gaps. This is a question that has been raised again and again and should be raised in terms of anonymous as well. So how do we do cyber warfare? Even if we commit to respecting the constitution and have the German army strictly respect the constitution that's not possible in a cyber realm because not everything is black and white. So if we just say let's hack back or let's take counter offense that's not very easy and the question raises itself whether this would be sustainable in the long term. You can always buy hardware or software. Our current new government in Germany has taken a very clear position there. But the question still raises itself how should the concrete law look like. And of course Germany has a responsibility in international law. If you look at hackbacks at Ms. Pazer's statement the debate since 2019, then you can only say starting the hackback debate again is a political rhetorical device and doesn't have much sense behind it. So that takes me to my conclusion. Hackback cyber war digital society sounds good is bad. Of course people are really moved by what is happening but still you have to think how do you legitimize counter offensive action and what are the consequences on all of the stakeholders and especially for anonymous. There hasn't been very clear communication of these factors and the actual war and the actual events that determine this war actually aren't happening in the cyber realm. So this politics of pinpricks that we mentioned has its inherent risks. So if you get involved you really have to consider whether this is something you can legitimize and the problem with anonymous is everyone's responsible. If the whole ominous entity or organization is responsible no one's responsible basically. What concerns Germany as I said this ongoing discussion since 2019 has pretty much stagnated and hasn't really made progress. I haven't seen any concrete law initiatives. So legally and technically we have no definitions, no clear concepts, no certainty in terms of the constitutional how to do to anchor that in the constitution and my appeal would be that maybe we should concentrate more on passive cyber defense instead of active cyber offense. That was it from my side and I'm looking forward to the discussion. Thank you very much for this fascinating talk. So there's a lot of questions actually in the pad. Of course, as one might have imagined. Let me ask a personal question. You talked a lot about why it's not a good idea to hack actively but as peace loving beings in CCC what can we do to make a positive change? Well, I said it in my final statement that cyber offense as promoted by Faser and Anonymous is not what I favor but it's rather passive cyber defense. So what can people do personally to lower the set as I showed how can I support critical infrastructure, critical cybersecurity infrastructure, data protection? There was our points that you could start with and last but not least, we all have limited time and there's enough possibilities to get active in helping refugees and they need every helping hand they can get right now. So if you want to wage war against Russia this is where you can start peacefully and passively. Yeah, of course, we promoted being active in that manner. Thanks a lot of people asking legal questions. So what does it mean for me as a German hacker? If I for example carried out the DOF attack, is that a criminal offense? Do I need to be afraid to be prosecuted? Well, of course, I can't give a blanket answer. Well, a DDOS attack is basically nothing. But you have to think about who is the victim and I don't know the Russian legal system or I think laws in terms of cyber security or data security. I do assume that Russia does have certain regulations on that, on secret information for example and how to protect that, of course, this would be prosecuted by Russia but in Germany, I don't think it'll be prosecuted. So if German offenders are concerned we do have a cyber criminal law in Germany. This is nothing new and we have laws in terms of sabotage, acts or data breaches. But we don't only have criminal law, we also have civil law in Germany. So for example, if a service faces interruptions a company can't work anymore. In Germany, this has happened in the past with hacker attacks and of course there are civil law clauses that apply and where companies might be entitled to compensation. So if you find the perpetrators, of course, this can be prosecuted either criminally or at the same time civilly as well. There's also the question, is it a criminal offense to use the or to operate to our notes in order to create web access for Russians? Well, as I said, I can't give a consultation in terms of law but I don't think that this would be a problem. I don't know the Russian law but here this is not really relevant. Yeah, maybe it's for Russian hacker refugees if you support them or take action there. Yeah, that's a whole completely different area. So something I was wondering personally, especially when it comes to attacks on Russian civilian infrastructure, if you really do tangible damage, substantial damage that takes away people's basic needs like access to water or if you make a trained rail, I don't think this is possible by cyber means but let's just assume, could people in Germany be prosecuted through international law? I don't think we have precedence there. So of course those offenses that are regulated in international law, but from the judicial position, I think this wouldn't be problematic because there's not a, there are no extradition contracts for example, but you have to ask yourself can you morally support that personally? Because there's not always only a legal perspective but also a personal moral perspective so you have to ask yourself, is that morally justifiable for myself personally? And this is the decisive question that you have to pose here and I think the law really takes the second place here only. Let me look at those questions on Twitter, it doesn't look like it. Mastodon is a fantastic, decentralized alternative to Twitter so do use it if you haven't heard of it before but it looks like no, there aren't any questions on Mastodon either so I'll answer all the questions so I'll answer all the questions, fantastic. Yeah, you left us speechless basically. All right, anyway, I heard that you don't have that much time and you don't have time for a wake-up room, so. You'll be happy not to be overwhelmed with questions right now. Thank you very much for your fantastic.