As the United States and its adversaries move from using missiles to malware on its targets, a group of specialists have drafted preliminary guidelines for the world’s ramped-up cyberwars.
The rule book published this week, the Tallinn Manual on International Law Applicable to Cyber Warfare, was curated by NATO’s Cooperative Cyber Defense Center of Excellence and calls upon two dozen experts from around the world to help lay the groundwork for cyberwar guidelines as attacks aimed at computer grids, networks and systems increasingly become the target of foreign agents.
Michael Schmitt, a professor with the US Naval War College and the editor of the manual, told the Associated Press before publication that the guidelines come at a time when few laws formally exist governing the use of so-called cyberweapons. Just like bombs and missiles, hackers and state-sponsored parties can use malicious code to wipe out entire databases, break down machinery and otherwise render enter infrastructures useless.
“Everyone was seeing the Internet as the ‘Wild, Wild, West,'” Schmitt told the AP. “What they had forgotten is that international law applies to cyberweapons like it applies to any other weapons.”
In order to bring a bit more structure, Schmitt and roughly two dozen others from law schools and militaries around the world met in the Estonian city of Tallinn during the last three years to try and at least set up some sort of rules that might be adopted. For now, though, the Tallinn Manual is nothing more than a collection of suggestions that Schmitt and company would like nations around the world to heed as recommendations.
Adding to the AP, University of Westminster international law professor Marco Roscini predicts, “I’m sure it will be quite influential.” In the meantime, though, the Tallinn Manual is merely an example of how future wars might be waged — and what rules will help guide them.
The Tallinn Manual contains 95 “black letter rules” that have borrowed from existing battlefield behavior guidelines like those developed in the 1868 St. Petersburg Declaration and the 1949 Geneva Convention. Taking into account the cybersphere, though, the Tallinn Manual doesn’t just stop with who and how to attack — but with what kinds of methods should be allowed in twenty-first century warfare.
Within the 302 pages of the report, international law experts try to pinpoint what exactly a cyberwar is and what other rules of engagement could be borrowed from past doctrines to guide battles of the future. The specialists decide that a cyberattack can be narrowly defined as a cyber-operation, either offensive or defensive, “that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” But while civilians cannot be lawfully targeted with such an attack, the experts write, persons unaligned to a military can still be considered fair game for assault — with cyberweapons or otherwise—if they pose a threat.
“Consider the example of an individual hacktivist who has, over the course of one month, conducted seven cyber attacks against the enemy’s command and control system. By the first view, the hacktivist was only targetable while conducting each attack. By the second, he was targetable for the entire month. Moreover, in the absence of a clear indication that the hacktivist was no longer engaged in such attacks, he or she would have remained targetable beyond the period.”
Elsewhere in the manual, NATO’s crew defined a hacktivist as “a private citizen who on his or her own initiative engages in hacking for, inter alia, ideological, political, religious or patriotic reasons.” Even if that “hacktivist” isn’t directly working with an official military, though, NATO says they could still be targeted for attack.
“An act of direct participation in hostilities by civilians renders them liable to be attacked, by cyber or other lawful means,” reads an excerpt from the manual.