Cyberspace makes for a strange battlefield. Attacks are launched from offices, combatants fight with keystrokes, and the targets are usually just information, financial data, and trade secrets. For the vast majority of cyber attacks, that is as big as the threat will be. The biggest exception: cyber attacks that become part of a larger war. When that happens, according to a set of proposed international rules commissioned by NATO and written in conjunction with the International Committee of the Red Cross and the US Cyber Command, even civilian hackers participating in the conflict can be targeted. By bombs and bullets.
That has generated lots of panicky headlines across the web, as you might imagine. The document, called the "Tallinn Manual on the International Law Applicable to Cyber Warfare", was written by 20 legal scholars and practitioners, and represents those experts' best reasoning at how current international law applies to cyber war. It covers everything from how to avoid civilian casualties to who's considered a combatant in a court of law. Here's the part folks are really riled up about:
That's legalese, and the sentences almost reads better backwards, so here it is in plain talk: Civilians, normally off-limits as targets in war, stop being off limits if they engage in cyber attacks. This rule explicitly carves out an exception to Geneva Convention rules against targeting civilians, noting that civilians engaged in cyber attacks are participating in the conflict, but hardly proper armed combatants. The Tallinn Manual goes on to specify that these civilians enjoy all the other protections of civilians, except the exemption from targeting.
Okay, great. So what does all this mean?
1. Not much, unless countries are actually at war.
There are circumstances where a cyber attack can constitute an act of war, but those attacks are clearly going to be different from the normal kind of data-targeting cyber attack. To constitute an act of war, the cyber attack probably has to kill someone, or cause a large and obvious infrastructure failure, like shutting down a power grid or breaking dam controls.
2. People who are fighting a war are legal targets in that war.
Perhaps the best way to explain the logic of the proposed rule is to look at drone pilots. Most of them, especially in the Air Force, fly their war machines from bases in the United States, usually the Nevada desert. Yet they are undeniably engaged in the war; it's hard to describe what they do as anything else, and they do so in uniform, meeting the standards of lawful combatants. The Department of Defense has acknowledged that . That means that if someone kills them in war, that person cannot be tried for war crimes.
The proposed rule on civilians engaged in cyber is a lot like that. Granted, these are civilians, not uniformed soldiers, so it's slightly different, but not by a lot. If there is a war on, and it involves civilians committing cyber attacks, those civilians can probably be targeted just as if they were actively fighting the war.
3. This is probably about China.
Last month, the New York Times revealed details about one of the Chinese Army's cyber units, including the unit's likely location in Shanghai. China is at the forefront of cyber attacks right now--an advantage that isn't likely to go away any time soon. To balance that out, and to deter cyber attacks, NATO's best bet is to establish rules where a crippling cyber attack is met with deadly force. The Tallinn rule is part of that.
4. The future of cyber war is just war.
Ultimately, shocking though the headlines might look, they could be just as accurately written as "people who launch deadly attacks in war are legal targets in war." That's not catchy, but it's just as accurate. By interpreting the laws of war for the 21st century, the Tallinn Manual just reinforces the fundamental standard of conflict: if an enemy is trying to kill people, it is okay to use force to stop him. Even if that enemy is a hacker.
I do believe there is a misconception that the act of trying to kill somebody is the only direct result of an aggressive cyber attack. For example causing panic or chaos in a country due to cyber warfare is very effective and could cause loss of life or the capability of a country to defend itself properly.
Besides just causing direct death due to panic, chaos, or direct means... they also could prevent medical care or other humanitarian pursuits by their unlawful actions. I keep hearing this constant rant from this site of "cyber warfare not actually killing people" argument that is short sighted and simply isn't realistic.
Yes clicking buttons on my keyboard may not fire a rifle to end someones life, but could indirectly kill many more people with less effort.
It's a bit of a slippery slope to label one a combatant because they caused a death by hacking.
What I take away from this is that if a person, civilian or otherwise, employs cyber-tactics with deadly intentions against a country in which his or her country is at war, then this person could possibly be considered a combatant.
I thought governments as they war with each other, were suppose to focus on military targets.
But if N.Korea launches an assault against the whole of S.Korea and all the civilian people it affected in its hacking, breaks this rule of war.
Of course, N.Korea does not have the necessary smarts and tools to accomplish this type of hacking against S.Korea. They had to outsource hacking to their indirect friend China. Who naturally will deny all.
By the way, except for governments, banks and business, why are we sharing our internet access publically with these folks, who have established clearly they want to harm us. WHY?!
In my opinion, war is not only to kill people but also create problems with people. What happens if all the important computers of any country are hacked???? No killing, no war but that country surrender without firing a shot.
The rules leave a lot of room for abuse. Any government that experiences some damage from hacking can choose to declare it as hostilities or not, or as an act of war or not, and can choose to respond with deadly force or not, even if it is against their own citizens.
Even if a widespread computer failure is not caused by hacking, a government could assume that it was and go looking for culprits. And when people start getting killed, who's to say if they were or were not hackers?
This has a lot of similarities to the war on terror: The war encompasses the entire world, the enemy could be anyone, and there is no limit on how long it can go on.
I wonder if any citizens in S.Korea hospitals hooked up to 'life support' and associated computers were harmed by this hacking?
An today article\link to read:
"...The U.S. government is expanding a cybersecurity program that scans Internet traffic headed into and out of defense contractors to include far more of the country's private, civilian-run infrastructure..."
They are gearing up and laying out their justification for an eminent drone strike in the US. This strike will happen before the end of 2013. Mark my words.
So as a hacker looses protection as a civilian, does that bean he now has protection as a combatant?
So hacker from country A can now walk up to hacker from country B and shoot him in the head, and not be prosecuted for murder? Just like any soldier can do?
And anyone anywhere can do this at any time?
What about launching a directed attack that results in "collateral damage" to civilians?
Is this now also permitted for hackers since they are now legitimate combatants?
"Potential for abuse" is an understatement.
Who comes up with this crap?
So what happens to a person who gets fooled into helping a hacker?
Recall a year or so ago where Anon carried out that DDoS on some Govt sites and they fooled millions of Facebook and Twitter users to assist when they clicked the link provided.
Are those normal people now mark-able to be "killed" since they assisted?
As HBillyRufus stated:
"The rules leave a lot of room for abuse"
Which is typical of any Govt plan to "protect" it's helpless citizens
What bothers me about viewpoint that this new policy is somehow part of a giant rule book every single government has to use. This is a document attempting to place cyber warfare in it's rightful pecking order according to law. Whether it means an update to the Geneva Convention or maybe used by the United States to preface any attacks we might have against an attacker.
Does this mean they can declare war on a US citizen if they hack something... no. Not only is that a big deal as far a constitutional rights, it doesn't make any sense either. This whole dropping drone strikes on U.S. soil thing is straight up tyrant talk. No, our president won't get away with that power as long as semi-intelligent people in office stops him. Even the Democrats think this is far over reaching the power of the Executive branch. We can and have dropped bombs on terrorists that may have been an American citizen on NON-US soil, but that's a different story.
Could they already start with spammers, just as an exercise.
This is nothing new. Bombing a war plant is a legitimate target and has been for hundreds of years. Civilian's working in plants and factories or carrying supplies in boats are all targets. Farmers supplying grain for use in war fuel would be targets. Why would one exempt technology? If you want to win a war, you have to break a few eggs.
I guess you could just ask them to surrender.
I suggest, every single time they erect a large missile just take it out, over and over again. N.Korea doesn't have a lot of money to keep building these things and if they never launch, they cannot learn either how to make a better missile.
They have clearly declared to the world of their desire to harm the USA, so take out their missile each time its found is established defensive measure.
@AnyIcon yes you said that exact same comment in the "Is North Korea Forcing Diplomats To Sell Drugs Abroad" article.
it's clear that you're NOT commenting on the articles, but instead standing on a soapbox and repeating your own brand of "hello everybody I'm 13yrs old and I just like to hear myself talk" at the bottom of every popsci article.
Whether or not NATO is making provisions for drone strikes on Chinese soil to level buildings used to by the chinese army to attack western assets in the future.. we can only wait and see. Though it's quite probable .. and I fully agree with it.
traditional espionage was easier to combat, you could catch the little **** and kill him face to face... now not so much, so you need to make it acceptable to kill him where he actually is these days.
Everyone is missing a huge point here in my opinion. Are there any provisions made for botnets? Those are a tactic used by hackers to gain more power to perform whatever task they are doing, but users do not necessarily know. Usually they do not.
So would they track the signal back upstream, determine the location, and send in the drones? That leaves far too much room for error.
On the other hand, due to idiotic practices, you can access the controls for things like nuclear power plants over the web today. There are potential dangers here that nobody has mentioned it.
But I see a pattern of too many laws being passed which allows governments to compromise people that have no checks or balances in place to protect the people. I have a degree in System Analysis & Design, and I can see other solutions which would be far more effective than what they are doing. This is wrong. Dead wrong. Our governments need to stop playing games and use some common sense, as opposed to passing law after law, just for the sake of writing legislation. It looks like it will be up to us to scream loud, else they are not going to stop. How many more of these laws might they pass by ........ say 2020?