New report details cyberwar rules, puts hackers in crosshairs
Deadly force against organized hackers could be justified under international law, according to a document released Thursday by a panel of legal and cyber warfare experts.
Use of lethal force on those behind a cyberattack on a nation would be legal if the virtual attack meets criteria similar to those currently accepted for real-world warfare, said Michael N. Schmitt, chairman of the International Law Department at the U.S. Naval War College in Newport, R.I.
Schmitt is the editor of the Tallinn Manual on the International Law Applicable to Cyber Warfare, a 300-page book put together by a score of experts at the request of NATO and published by Cambridge University Press.
"If you have an organized armed group -- not individuals, not lots of people conducting attacks -- and those attacks cause consequences that include physical destruction or injury or death to individuals, then a state that is the victim of such attacks may strike back with force of its own," he said in an interview.
The damages caused by a virtual attack would need to be as serious as those in a real world, or kinetic, attack. "If that happens, pursuant to the right of self defense set forth in the U.N. charter, then the state may respond forcefully -- even if that response involves injuring the individuals that attacked it or caused damage to it," Schmitt said.
The situation can get murky during a "hot" war, if civilian hackers join the fray. "For the time they're doing that," Schmitt said, "they can be attacked."
"If you were on the battlefield and someone was shooting a gun at you, you should be able to shoot back," he said. "It's exactly the same way in cyberspace."
The legal use of deadly force against a cyber attacker is very limited, however. "It makes my heart stop when folks say, 'Someone's conducting a hacking attack; you can attack them back,'" he said. "No, that's not the case."
Timing can be a key element for legally justifying a forceful response to a cyberattack. "Once an attack is completely over, once there's no continuing need to defend yourself forcefully, then the right response to the attack is diplomacy," Schmitt said.
Under those rules, Iran, which suffered infrastructure damage due to a cyberattack by the Stuxnet virus, had no legal grounds for a forceful response to that attack -- even if it knew definitively who was behind the foray against its nuclear development program.
By the same token, the cyberattacks on South Korea's media and banking industry this week failed to meet the minimum requirements for a forceful response. "Under existing law, the consequences weren't severe enough to justify a forceful military response or a cyber response with severe consequences," Schmitt said. "It falls below the threshold."
In attacks such as those on Iran and South Korea, the hard part is determining who to launch a forceful response against.
"Authentication is an essential part of the right to self-defense," David Bodenheimer, who heads the homeland security practice at Crowell & Moring in Washington, D.C., said in an interview. "You can't attack another country for a cyberattack if you can't identify, with some specificity, the country behind the attack."
Even in what's considered a textbook case of cyber warfare launched by one nation state against others -- Russia's cyberattacks on the Republic of Georgia and Estonia -- bulletproof evidence of who was behind the assaults can be lacking.
"There was support for it being connected to Russians or Russian citizens, but at the end of the day, the investigations were unable to show that the attacks were instigated by the Russian government," Bodenheimer explained.
The Tallinn Manual couldn't have come at a better time, according to former U.S. Navy Rear Admiral James Barnett, who heads the cybersecurity practice at Venable, a law firm in Washington, D.C.
"Cyber warfare is very much part of the mainstream in warfare," he said. "Military objectives that can be achieved by ones and zeroes are going to be done ..., because they can be a more effective way of doing things than blowing things up."
Although the manual is meant to guide nations through the intricacies of international law and cyber warfare, it could contribute to conflict, said Richard Stiennon, chief research analyst with IT-Harvest in Birmingham, Mich.
"We don't need any more reasons for countries to go to war and engage in armed conflict with each other," he said. "This introduces more of those ways."
Read more about disaster recovery in CSOonline's Disaster Recovery section.