Via Big Think
-----
The new Tallinn Manual on the International Law Applicable to Cyber Warfare,
which lays out 95 core rules on how to conduct a cyber war, may end up
being one of the most dangerous books ever written. Reading through the
Tallinn Manual, it's possible to come to the conclusion that - under
certain circumstances - nations
have the right to use “kinetic force” (real-world weapons like bombs or
armed drones) to strike back against enemy hackers. Of course, this doesn’t mean that a bunch of hackers in Shanghai are
going to be taken out by a Predator Drone strike anytime soon – but it
does mean that a nation abiding by international law conventions – such
as the United States – would now have the legal cover to deal with enemy
hackers in a considerably more muscular way that goes well beyond just jawboning a foreign government.
Welcome to the brave new world of cyber warfare.
The nearly 300-page Tallinn Manual,
which was created by an independent group of twenty international law
experts at the request of the NATO Cooperative Cyber Defense Center of
Excellence, works through a number of different cyber war scenarios,
being careful to base its legal logic on international conventions of
war that already exist. As a result, there's a clear distinction between
civilians and military combatants and a lot of clever thinking about
everything -- from what constitutes a "Cyber Attack" (Rule #30) to what
comprises a "Cyber Booby Trap" (Rule #44).
So what, exactly, would justify the killing of an enemy hacker by a sovereign state?
First, you’d have to determine if the cyber attack violated a state’s
sovereignty. Most cyber attacks directed against the critical
infrastructure or the command-and-control systems of another state would
meet that standard. Then, you’d have to determine whether the cyber
attack was of sufficient scope and intensity so as to constitute a “use
of force” against that sovereign state. Shutting down the power grid for
a few hours just for the lulz probably
would not be a “use of force,” but if that attack happened to cause
death, destruction, and mayhem, then it would presumably meet that
threshold and would escalate the legal situation to one of "armed
conflict." In such cases, warns the Tallinn Manual, sovereign states
should first attempt diplomacy and all other measures before engaging in
a retaliatory cyber-strike of proportional scale and scope.
But here's where it gets tricky - once we're in an "armed conflict,"
hackers could be re-classified as military targets rather than civilian
targets, opening them up to military reprisals. They could then be
targeted by whatever "kinetic force" we have available.
For now, enemy hackers in places like China can breathe easy. Most of
what passes for a cyber attack today – “acts of cyber intelligence
gathering and cyber theft” or “cyber operations that involve brief or
periodic interruption of non-essential cyber services” would not fall
into the “armed attack” category. Even cyber attacks on, say, a power
grid, would have to have catastrophic consequences before it justifies a
military lethal response. As Nick Kolakowski of Slashdot points out:
"In theory, that means a nation under cyber-attack that reaches a
certain level—the “people are dying and infrastructure is destroyed”
level—can retaliate with very real-world weapons, although the emphasis
is still on using cyber-countermeasures to block the incoming attack."
That actually opens up a big legal loophole, and that's what makes
the Tallinn Manual potentially so dangerous. Even the lead author of the
Tallinn Manual (Michael Schmitt, chairman of the international law
department at the U.S. Naval War College) admits that there's actually
very little in the manual that specifically references the word "hacker"
(and a quick check of the manual's glossary didn't turn up a single
entry for "hacker").
Theoretically, a Stuxnet-like hacker attack on a nuclear reactor that spun out of control and resulted in a Fukushima-type scenario could
immediately be classified as an act of war, putting the U.S. into
"armed conflict." Once we reach that point, anything is fair game. We're
already at the point where the U.S. Air Force is re-classifying some of its cyber tools as weapons and
preparing its own rules of engagement for dealing with the growing
cyber threat from China. It's unclear which, if any, of these
"cyber-weapons" would meet the Tallinn Manual's definitional requirement
of a cyber counter-attack.
The Tallinn Manual’s recommendations (i.e. the 95 rules) are not
binding, but they will likely be considered by the Obama Administration
as it orchestrates its responses against escalating hacker threats from
China. Rational voices would seem to tell us that the "kinetic force"
scenario could never occur, that a state like China would never let
things escalate beyond a certain point, and that the U.S. would never
begin targeting hackers around the world. Yet, the odds of a catastrophic cyber attack are no longer microscopically small.
As a result, will the day ever come when sovereign states take out
enemy hackers the same way the U.S. takes out foreign terrorists abroad,
and then hide behind the rules of international law embodied within the
Tallinn Manual?