Rules of cyberwar: Don’t target nuclear plants or hospitals, says NATO manual

International Conference on Cyber Conflict, June 13, 2011

From Owen Bowcott, Guardian:  State-sponsored cyber-attacks must avoid sensitive civilian targets such as hospitals, dams, dykes and nuclear power stations, according to an advisory manual on cyber-warfare written for Nato , which predicts that online attacks could in future trigger full-blown military conflicts.

The first attempt to codify how international law applies to online attacks includes a provision for states to respond with conventional force if aggression through hacking into computer networks by another state results in death or significant damage to property.

The handbook, written by 20 legal experts working in conjunction with the International Committee of the Red Cross and the US Cyber Command, says full-scale wars could be triggered by online attacks on computer systems. It also states that so-called "hacktivists" who participate in online attacks during a war can be legitimate targets even though they are civilians.

The group of experts was invited to draw up the handbook by Nato’s Co-operative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, the Estonian capital. The project took three years. . . .

Professor Michael Schmitt, director of the project, who works at the US Naval War College, said there was relatively little consensus about how existing legal regimes governed online activities. The Stuxnet attack on Iran’s nuclear programme, which physically damaged sensitive centrifuges, divided opinion among experts in the Tallinn group as to whether it constituted an armed conflict. The computer worm is widely believed to have been created by the US and/or Israel. . . .

An attached commentary adds: "To date, no international armed conflict has been publicly characterised as having been solely precipitated in cyberspace. Nevertheless, the international group of experts unanimously concluded that cyber operations alone might have the potential to cross the threshold of international armed conflict."

The manual suggests "proportionate counter-measures" against online attacks carried out by a state are permitted. Such measures cannot involve the use of force, however, unless the original cyber-attack resulted in death or significant damage to property.

Formulating a framework for permitted counter-measures should not lower the threshold for future conflicts, Schmitt told the Guardian. "You can only use force when you reach the level of armed conflict. Everyone talks about cyberspace as though it’s the wild west. We discovered that there’s plenty of law that applies to cyberspace. . . ."

The handbook is not official Nato document or policy but an advisory manual. It is published by Cambridge University Press. A retired UK air commodore and several British lawyers were among those who worked on the project.  (photo: CCDCOE)

Image: ccdcoe%203%2019%2013%20conference%202011.jpg