And why their reasoning is not all that surprising
Arrest? No longer the worst consequence of cyber attacks. wikimedia commons
Cyberspace makes for a strange battlefield. Attacks are launched from offices, combatants fight with keystrokes, and the targets are usually just information, financial data, and trade secrets. For the vast majority of cyber attacks, that is as big as the threat will be. The biggest exception: cyber attacks that become part of a larger war. When that happens, according to a set of proposed international rules commissioned by NATO and written in conjunction with the International Committee of the Red Cross and the US Cyber Command, even civilian hackers participating in the conflict can be targeted. By bombs and bullets.
That has generated lots of panicky headlines across the web, as you might imagine. The document, called the "Tallinn Manual on the International Law Applicable to Cyber Warfare", was written by 20 legal scholars and practitioners, and represents those experts' best reasoning at how current international law applies to cyber war. It covers everything from how to avoid civilian casualties to who's considered a combatant in a court of law. Here's the part folks are really riled up about:
Civilians are not prohibited from directly participating in cyber operations amounting to hostilities, but forfeit their protection from attacks for such time as they so participate.
That's legalese, and the sentences almost reads better backwards, so here it is in plain talk: Civilians, normally off-limits as targets in war, stop being off limits if they engage in cyber attacks. This rule explicitly carves out an exception to Geneva Convention rules against targeting civilians, noting that civilians engaged in cyber attacks are participating in the conflict, but hardly proper armed combatants. The Tallinn Manual goes on to specify that these civilians enjoy all the other protections of civilians, except the exemption from targeting.
Okay, great. So what does all this mean?
1. Not much, unless countries are actually at war.
There are circumstances where a cyber attack can constitute an act of war, but those attacks are clearly going to be different from the normal kind of data-targeting cyber attack. To constitute an act of war, the cyber attack probably has to kill someone, or cause a large and obvious infrastructure failure, like shutting down a power grid or breaking dam controls.
There are circumstances where a cyber attack can constitute an act of war, but those attacks are clearly going to be different from the normal kind of data-targeting cyber attack. To constitute an act of war, the cyber attack probably has to kill someone, or cause a large and obvious infrastructure failure, like shutting down a power grid or breaking dam controls.
2. People who are fighting a war are legal targets in that war.
Perhaps the best way to explain the logic of the proposed rule is to look at drone pilots. Most of them, especially in the Air Force, fly their war machines from bases in the United States, usually the Nevada desert. Yet they are undeniably engaged in the war; it's hard to describe what they do as anything else, and they do so in uniform, meeting the standards of lawful combatants. The Department of Defense has acknowledged that . That means that if someone kills them in war, that person cannot be tried for war crimes.
Perhaps the best way to explain the logic of the proposed rule is to look at drone pilots. Most of them, especially in the Air Force, fly their war machines from bases in the United States, usually the Nevada desert. Yet they are undeniably engaged in the war; it's hard to describe what they do as anything else, and they do so in uniform, meeting the standards of lawful combatants. The Department of Defense has acknowledged that . That means that if someone kills them in war, that person cannot be tried for war crimes.
The proposed rule on civilians engaged in cyber is a lot like that. Granted, these are civilians, not uniformed soldiers, so it's slightly different, but not by a lot. If there is a war on, and it involves civilians committing cyber attacks, those civilians can probably be targeted just as if they were actively fighting the war.
3. This is probably about China.
Last month, the New York Times revealed details about one of the Chinese Army's cyber units, including the unit's likely location in Shanghai. China is at the forefront of cyber attacks right now--an advantage that isn't likely to go away any time soon. To balance that out, and to deter cyber attacks, NATO's best bet is to establish rules where a crippling cyber attack is met with deadly force. The Tallinn rule is part of that.
Last month, the New York Times revealed details about one of the Chinese Army's cyber units, including the unit's likely location in Shanghai. China is at the forefront of cyber attacks right now--an advantage that isn't likely to go away any time soon. To balance that out, and to deter cyber attacks, NATO's best bet is to establish rules where a crippling cyber attack is met with deadly force. The Tallinn rule is part of that.
4. The future of cyber war is just war.
Ultimately, shocking though the headlines might look, they could be just as accurately written as "people who launch deadly attacks in war are legal targets in war." That's not catchy, but it's just as accurate. By interpreting the laws of war for the 21st century, the Tallinn Manual just reinforces the fundamental standard of conflict: if an enemy is trying to kill people, it is okay to use force to stop him. Even if that enemy is a hacker.
Ultimately, shocking though the headlines might look, they could be just as accurately written as "people who launch deadly attacks in war are legal targets in war." That's not catchy, but it's just as accurate. By interpreting the laws of war for the 21st century, the Tallinn Manual just reinforces the fundamental standard of conflict: if an enemy is trying to kill people, it is okay to use force to stop him. Even if that enemy is a hacker.
NATO cyberwar directive declares hackers military targets
As the United States and its adversaries move from using missiles to malware on its targets, a group of specialists have drafted preliminary guidelines for the world’s ramped-up cyberwars.
The rule book published this week, The Tallinn Manual on International Law Applicable to Cyber Warfare, was curated by NATO’s Cooperative Cyber Defense Center of Excellence and calls upon two dozen experts from around the world to help lay the groundwork for cyberwar guidelines as attacks aimed at computer grids, networks and systems increasingly become the target of foreign agents.
Michael Schmitt, a professor with the US Naval War College and the editor of the manual, told the Associated Press before publication that the guidelines come at a time when few laws formally exist governing the use of so-called cyberweapons. Just like bombs and missiles, hackers and state-sponsored parties can use malicious code to wipe out entire databases, break down machinery and otherwise render enter infrastructures useless.
"Everyone was seeing the Internet as the 'Wild, Wild, West,'" Schmitt told the AP. "What they had forgotten is that international law applies to cyberweapons like it applies to any other weapons."
In order to bring a bit more structure, Schmitt and roughly two dozen others from law schools and militaries around the world met in the Estonian city of Tallinn during the last three years to try and at least set up some sort of rules that might be adopted. For now, though, the Tallinn Manual is nothing more than a collection of suggestions that Schmitt and company would like nations around the world to heed as recommendations.
Adding to the AP, University of Westminster international law professor Marco Roscini predicts, "I'm sure it will be quite influential.” In the meantime, though, The Tallinn Manual is merely an example of how future wars might be waged — and what rules will help guide them.
The Tallinn Manual contains 95 “black letter rules” that have borrowed from existing battlefield behavior guidelines like those developed in the 1868 St. Petersburg Declaration and the 1949 Geneva Convention. Taking into account the cybersphere, though, the Tallinn Manual doesn’t just stop with who and how to attack — but with what kinds of methods should be allowed in twenty-first century warfare.
Within the 302 pages of the report, international law experts try to pinpoint what exactly a cyberwar is and what other rules of engagement could be borrowed from past doctrines to guide battles of the future. The specialists decide that a cyberattack can be narrowly defined as a cyber-operation, either offensive or defensive, “that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” But while civilians cannot be lawfully targeted with such an attack, the experts write, persons unaligned to a military can still be considered fair game for assault — with cyberweapons or otherwise—if they pose a threat.
“Consider the example of an individual hacktivist who has, over the course of one month, conducted seven cyber attacks against the enemy’s command and control system. By the first view, the hacktivist was only targetable while conducting each attack. By the second, he was targetable for the entire month. Moreover, in the absence of a clear indication that the hacktivist was no longer engaged in such attacks, he or she would have remained targetable beyond the period.”
Elsewhere in the manual, NATO’s crew defined a hacktivist as “a private citizen ho on his or her own initiative engages in hacking for, inter alia, ideological, political, religious or patriotic reasons.” Even if that “hacktivist” isn’t directly working with an official military, though, NATO says they could still be targeted for attack.
“An act of direct participation in hostilities by civilians renders them liable to be attacked, by cyber or other lawful means,” reads an excerpt from the manual.
Kount Kreepy: While my feelings on "Hackers" and "Hacker culture" remain mixed, I don't believe that any military should have a right to bomb, shoot, or maim civilian targets. On the flip side go ahead and bomb that guy that created the virus that screwed up my computer a few years ago.
No comments:
Post a Comment