Cyberwar manual lays down rules for online attacks (Update 3)

Mar 19, 2013 by Raphael Satter
A copy of the Tallinn Manual, a rulebook on cyberwarfare, is held up in a posed photograph in London, Tuesday, March 19, 2013. Even cyberwar has rules, and one group of experts is publishing a manual to prove it. The handbook due to be published later this week applies the venerable practice of international law to the world of electronic warfare in an effort to show how hospitals, civilians, and neutral nations can be protected in an information age fight. (AP Photo/Matt Dunham)

Even cyberwar has rules, and one group of experts is putting out a manual to prove it. Their handbook, due to be published later this week, applies the practice of international law to the world of electronic warfare in an effort to show how hospitals, civilians and neutral nations can be protected in an information-age fight.

"Everyone was seeing the Internet as the 'Wild, Wild West,'" U.S. Naval War College Professor Michael Schmitt, the manual's editor, said in an interview before its official release. "What they had forgotten is that international law applies to cyberweapons like it applies to any other weapons."

The Tallinn Manual—named for the Estonian capital where it was compiled—was created at the behest of the NATO Cooperative Cyber Defense Center of Excellence, a NATO think tank. It takes existing rules on battlefield behavior, such as the 1868 St. Petersburg Declaration and the 1949 Geneva Convention, to the Internet, occasionally in unexpected ways.

Marco Roscini, who teaches international law at London's University of Westminster, described the manual as a first-of-its-kind attempt to show that the laws of war—some of which date back to the 19th century—were flexible enough to accommodate the new realities of online conflict.

The 282-page handbook has no official standing, but Roscini predicted that it would be an important reference as military lawyers across the world increasingly grapple with what to do about electronic attacks.

"I'm sure it will be quite influential," he said.

The manual's central premise is that war doesn't stop being war just because it happens online. Hacking a dam's controls to release its reservoir into a river valley can have the same effect as breaching it with explosives, its authors argue.

Legally speaking, a cyberattack that sparks a fire at a military base is indistinguishable from an attack that uses an incendiary shell.

The humanitarian protections don't disappear online either. Medical computers get the same protection that brick-and-mortar hospitals do. The personal data related to prisoners of war has to be kept safe in the same way that the prisoners themselves are—for example by having the information stored separately from military servers that might be subject to attack.

Cyberwar can lead to cyberwar crimes, the manual warned. Launching an attack from a neutral nation's computer network is forbidden in much the same way that hostile armies aren't allowed to march through a neutral country's territory. Shutting down the Internet in an occupied area in retaliation for a rebel cyberattack could fall afoul of international prohibitions on collective punishment.

The experts behind the manual—two dozen officers, academics, and researchers drawn mainly from NATO states—didn't always agree on how traditional rules applied in a cyberwar.

Self-defense was a thorny issue. International law generally allows nations to strike first if they spot enemy soldiers about to pour across the border, but how could that be applied to a world in which attacks can happen at the click of a mouse?

Other aspects of international law seemed obsolete—or at least in need of an upgrade—in the electronic context.

Soldiers are generally supposed to wear uniforms and carry their arms openly, for example, but what relevance could such a requirement have when they are hacking into distant targets from air-conditioned office buildings?

The law also forbids attacks on "civilian objects," but the authors were divided as to whether the word "object" could be interpreted to mean "data." So that may leave a legal loophole for a military attack that erases valuable civilian data, such as a nation's voter registration records.

Explore further: Facebook goes retro with 'Rooms' chat app

More information: The Tallinn Manual: www.ccdcoe.org/249.html

5 /5 (6 votes)
add to favorites email to friend print save as pdf

Related Stories

Time to wake up to cyber threat: experts

Jun 18, 2010

NATO governments and the public must wake up to the threat of cyberattacks, which could paralyse a nation far more easily than conventional warfare, experts warned Friday.

Taiwan to step up cyberwar capabilities: report

Sep 02, 2012

Taiwan plans to beef up its cyberwar capabilities to counter a perceived threat from Chinese hackers targeting government and security websites, local media reported Sunday.

Cyber war might never happen: researcher

Oct 10, 2011

Cyber war, long considered by many experts within the defence establishment to be a significant threat, if not an ongoing one, may never take place according to Dr. Thomas Rid of King’s College London.

Is there really a cyberwar? Term might be misused

May 05, 2010

(AP) -- Is there really a "cyberwar" going on? Some officials and computer security companies say yes, arguing that armies of hackers are stealing online secrets and using the Internet to attack infrastructure such as power ...

'What if?' scenario: Cyberwar between US and China in 2020

Mar 23, 2011

As Iran's nuclear plant attack and Chinese-based hackers attacking Morgan Stanley demonstrate how the Internet can wreak havoc on business and governments, a new paper by a fellow at Rice University's Baker Institute for ...

Recommended for you

Facebook goes retro with 'Rooms' chat app

14 hours ago

Facebook on Thursday released an application that lets people create virtual "rooms" to chat about whatever they wish using any name they would like.

Some online shoppers pay more than others, study shows

15 hours ago

Internet users regularly receive all kinds of personalized content, from Google search results to product recommendations on Amazon. This is thanks to the complex algorithms that produce results based on users' profiles and ...

Twitter looks to weave into more mobile apps

Oct 22, 2014

Twitter on Wednesday set out to weave itself into mobile applications with a free "Fabric" platform to help developers build better programs and make more money.

Google unveils app for managing Gmail inboxes

Oct 22, 2014

Google is introducing an application designed to make it easier for its Gmail users to find and manage important information that can often become buried in their inboxes.

User comments : 5

Adjust slider to filter visible comments by rank

Display comments: newest first

Lurker2358
3.4 / 5 (5) Mar 19, 2013
Idiots.

The only rule of war is "The winner makes the rules".

Learn it, fools.

You have to actually win to get to make the rules.

Remember that.

Bad guys don't follow rules, you silly fools.

packrat
2 / 5 (2) Mar 19, 2013
"It takes existing rules on battlefield behavior, such as the 1868 St. Petersburg Declaration and the 1949 Geneva Convention, to the Internet, occasionally in unexpected ways."

I guess the powers that be forgot all about "Art of War" by SunTzu. That's a bit older than 1868.

I have to agree with you on this one Lurker, the winners have always made the rules and wrote the history.
alfie_null
not rated yet Mar 20, 2013
What is the purpose of the manual? For study by opponents before the war? For use afterwards in determining who is guilty of what?
One aspect of cyber-war that is very different from traditional war is that it is difficult to determine with good assurance who is responsible for some action. Understanding that, participants are hardly going to be dissuaded by future prospects of being found guilty of some war crime.
antialias_physorg
1 / 5 (1) Mar 20, 2013
The Geneva Convention is being ignored left and right (e.g. by redeclaring soldiers as 'enemy combatants' or 'terrorists' which don't fall under the convention and therefore can be interred indefinitely, tortured, etc. ).

What makes them think that a cyberwar convention is going to be any more successful? Especially since cyberwar is waged via proxy servers in other countries (i.e. a case for who originated an attack is backed by circumstantial evidence - at best)
Maggnus
not rated yet Mar 20, 2013
I guess the powers that be forgot all about "Art of War" by SunTzu. That's a bit older than 1868.


That's a book on war, not a convention on conducting it as agreed by signature countries.