Cyberspace makes for a strange battlefield. Attacks are launched from offices, combatants fight with keystrokes, and the targets are usually just information, financial data, and trade secrets. For the vast majority of cyber attacks, that is as big as the threat will be. The biggest exception: cyber attacks that become part of a larger war. When that happens, according to a set of proposed international rules commissioned by NATO and written in conjunction with the International Committee of the Red Cross and the US Cyber Command, even civilian hackers participating in the conflict can be targeted. By bombs and bullets.
That has generated lots of panicky headlines across the web, as you might imagine. The document, called the “Tallinn Manual on the International Law Applicable to Cyber Warfare”, was written by 20 legal scholars and practitioners, and represents those experts’ best reasoning at how current international law applies to cyber war. It covers everything from how to avoid civilian casualties to who’s considered a combatant in a court of law. Here’s the part folks are really riled up about:
That’s legalese, and the sentences almost reads better backwards, so here it is in plain talk: Civilians, normally off-limits as targets in war, stop being off limits if they engage in cyber attacks. This rule explicitly carves out an exception to Geneva Convention rules against targeting civilians, noting that civilians engaged in cyber attacks are participating in the conflict, but hardly proper armed combatants. The Tallinn Manual goes on to specify that these civilians enjoy all the other protections of civilians, except the exemption from targeting.
Okay, great. So what does all this mean?
1. Not much, unless countries are actually at war.
There are circumstances where a cyber attack can constitute an act of war, but those attacks are clearly going to be different from the normal kind of data-targeting cyber attack. To constitute an act of war, the cyber attack probably has to kill someone, or cause a large and obvious infrastructure failure, like shutting down a power grid or breaking dam controls.
2. People who are fighting a war are legal targets in that war.
Perhaps the best way to explain the logic of the proposed rule is to look at drone pilots. Most of them, especially in the Air Force, fly their war machines from bases in the United States, usually the Nevada desert. Yet they are undeniably engaged in the war; it’s hard to describe what they do as anything else, and they do so in uniform, meeting the standards of lawful combatants. The Department of Defense has acknowledged that. That means that if someone kills them in war, that person cannot be tried for war crimes.
The proposed rule on civilians engaged in cyber is a lot like that. Granted, these are civilians, not uniformed soldiers, so it’s slightly different, but not by a lot. If there is a war on, and it involves civilians committing cyber attacks, those civilians can probably be targeted just as if they were actively fighting the war.
3. This is probably about China.
Last month, the New York Times revealed details about one of the Chinese Army’s cyber units, including the unit’s likely location in Shanghai. China is at the forefront of cyber attacks right now–an advantage that isn’t likely to go away any time soon. To balance that out, and to deter cyber attacks, NATO’s best bet is to establish rules where a crippling cyber attack is met with deadly force. The Tallinn rule is part of that.
4. The future of cyber war is just war.
Ultimately, shocking though the headlines might look, they could be just as accurately written as “people who launch deadly attacks in war are legal targets in war.” That’s not catchy, but it’s just as accurate. By interpreting the laws of war for the 21st century, the Tallinn Manual just reinforces the fundamental standard of conflict: if an enemy is trying to kill people, it is okay to use force to stop him. Even if that enemy is a hacker.