Print 7 comment(s) - last by marvdmartian.. on Mar 22 at 11:10 AM

If hacktivists cause death, they may be liable for physical counterattacks

The North Atlantic Treaty Organization's (NATO) Cooperative Cyber Defence Centre of Excellence (CCDCOE) has published [PDF] a guideline of rules on how to respond to cyberaggression against the government.  Among the intriguing possibilities of the guide -- Tallinn Manual on the International Law Applicable to Cyber Warfare-- is that it suggests that the U.S. and its European allies respond to cyberaggression from domestic hackers, with counterattacks.

I. NATO Cyberwar Manual Deals With Tough Issue of Civilian Attackers

The manual was written over the course of three years by a team of 20 international warfare experts and drew from a variety of historic non-digital warfare conduct guidelines, including the 1868 St. Petersburg Declaration and the 1949 Geneva Convention.

It suggests that "hacktivists" can be considered digital terrorists, and can be countered with digital force -- or in extreme cases (such as attacks on hospitals or nuclear plants) -- even physical force.

Gibson Neuromancer
Cyberwar is upon us. [Image Source: Interplay (cover art for Neuromancer game)]

The rulebook was unveiled at the think-tank Chatham House in London, UK.  It contains 95 "black letter rules", spread over 302 pages of text.  Colonel Kirby Abbott (Canada, NATO) remarked, "[This document] is the most important document in the law of cyber-warfare. It will be highly useful."

Rule 22 is among the most important provisions, as it echoes previous cyberwarfare guidelines from the Pentagon, in stating that cyber-attacks alone can be considered acts of war.  States the manual:

An international armed conflict exists whenever there are hostilities, which may include or be limited to cyber operations occurring between two states or more.
To date, no international armed conflict has been publicly characterised as having been solely precipitated in cyberspace. Nevertheless, the international group of experts unanimously concluded that cyber operations alone might have the potential to cross the threshold of international armed conflict.

NATO meeting
NATO has agreed to a series of cyberwarfare guidelines.

Starting with Rule 14, the concept of proportionality is often mentioned in the document.  The document suggests that counterattacks on civilians are arguably allowable, although general attacks on civilian "objects" (data) are generally forbidden.  The proportionality rule suggests that if hacktivist attacks cause death or serious harm, a physical response  (e.g. a drone deaths strike) may be acceptable.

II. Counterattacks on Anonymous?

The rules raise a number of interesting scenarios.

In recent years Anonymous and other "hacktivist" groups have oft defaced the U.S. government webpagesscooped sensitive government database data via exploits, hit government domains with distributed denial of service attacks, infiltrated systems, and conducted similar attacks on government contractors as well.

The glossary of the manual defines a "hacktivist" as:

A private citizen ho on his or her own initiative engages in hacking for, inter alia, ideological, political, religious or patriotic reasons.

Rule 35, in particular defines rules related to attacks by civilians.  Its third and seventh subsections read:

An act of direct participation in hostilities by civilians renders them liable to be attacked, by cyber or other lawful means.
An act of direct participation in hostilities by civilians renders them liable to be attacked, by cyber or other lawful means... An act of direct participation in hostilities by civilians renders them liable to be attacked, by cyber or other lawful means.

In other words, the NATO members agreed that civilians open themselves up to counterattacks if they attack NATO member-state governments.  However, not all members agreed that this opens up those citizens for attacks in the long-term after the immediate threat passed.

Anonymous's members may face dire consequences if their attacks go too far.
[Image Source: Jason Mick/DailyTech]

As none of these attacks caused "significant" infrastructure damage or resulted in death, it seems that the government -- under the new rules -- would only be able to use digital counterattacks.  However, the government could potentially use the rules as a justification to try to take out social media tools -- YouTube channels or Twitter accounts, for example -- of Anonymous.

If future attacks resulted in death (say an attack on a utility leading to a power outage that killed patients), the responsible civilians could face physical attacks -- potentially even the kind of drone death strikes that President Obama's administration has pushed to make legal for use on U.S. citizens on U.S. soil.

III. U.S. May be Allowed to Counter-Cyber-Attack China

Then there's the issue of China, which the U.S. government has increasingly accused of sweeping government-endorsed hacking and intellectual property theft. President Obama recently threatened economic "consequences" if the hacking continues.  

China hackers
China claims the U.S. is the real cyberaggressor. [Image Source: Asia Society]

Rule Seven states:

[If an attack originates from a government network] it is not sufficient evidence for attributing the operation to that state but is an indication that the state in question is associated with the operation.

This could be significant, as some attacks have reportedly been traced back to Chinese military networks.

The new guidelines make it clear that the U.S. Department of Defense's (DOD) Cyber Command (USCYBERCOM) could also respond (legally) with counterattacks, as the guidelines state that cyberattacks on hostile foreign governments are valid if carried out in "self-defense".

IV. Was Stuxnet Legal?

Lastly, the guidelines revive questions about the legality of the U.S. and Israel's "preemptive strike" on Iran's nuclear capabilities with Stuxnet.  If the Pentagon's rules, and now NATO's rules call cyberattacks an act of war, the question is whether President George W. Bush (R) and President Barack Obama were within the law in ordering the Stuxnet operation.

Iran nuclear facilities
Stuxnet mapped Iranian networks and damaged nuclear centrifuges.  President Bush and President Obama authorized these attacks. [Image Source: CBS]

Article 1, Section 8 of the U.S. Constitution, the foundation of the U.S. government, clearly grants Congress the power:

U.S. Constitution
[Image Source: EL Civics]

The Congress shall have Power To lay and collect Taxes, Duties, Imposts and Excises, to pay the Debts and provide for the common Defence and general Welfare of the United States; but all Duties, Imposts and Excises shall be uniform throughout the United States;

To raise and support armies, but no appropriation of money to that use shall be for a longer term than two years;

Hence traditionally the President was required to receive Congressional permission to go to war.

The new document is simply a suggested guideline for NATO members, but is not consider rule of law.  It has no power to enforce its provisions, although member states are encouraged to do so.  It should be noted that the document is rather ambiguous in its language at times, and at others makes it clear that the participating member states did not agree on a number of issues.

Sources: NATO [as e-book], [as PDF]

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Moderate approach....
By Dfere on 3/21/2013 4:55:13 PM , Rating: 2
The captions above suggest no real change from a physical attack.. e.g. spray paint a federal building, get a fine and possible a little jail time .... toss a grenade at a federal building and you risk death.

The Stuxnet dilemma is more interesting... at what level does a government act with a potential threat and how much confidential information has ot be shared to keep the rest of the world governments from interfering? And isn't this basically what at least a few governments that are using proxies that are not nations counting on? At least the US does stand up for its actions, when they are discovered.

RE: Moderate approach....
By inperfectdarkness on 3/21/2013 6:25:53 PM , Rating: 2
To my understanding, no physical harm was caused. I don't even think the servos that were targeted were irreparably damaged. All that happened was that the centrifuges didn't spin at the right rpm & that thwarted the refinement of uranium.

RE: Moderate approach....
By FaaR on 3/22/2013 8:48:26 AM , Rating: 2
I've read accounts that claim some centrifuges were also spun at higher than rated speeds, causing them to fail prematurely. Stuxnet did not do this in a majority of cases, as that would have attracted too much attention. It merely increased failure rates to some degree, to impede operations at the facility and waste money for the iranian government in the form of additional centrifuges and maintenance, and a slower enrichment process.

It's unlikely this actually caused physical harm to anyone (despite a centrifuge disintegrating when spinning at such speeds should be quite violent), although fanatical regimes may not be so picky when deciding how to retaliate, if they decide to retaliate against anyone that is...

Not really
By Trisped on 3/21/2013 8:09:26 PM , Rating: 2
Lastly, the guidelines revive questions about the legality of the U.S. and Israel's "preemptive strike" on Iran's nuclear capabilities with Stuxnet.
New rules do not apply to old actions. While Stuxnet might have moral issues, there were no legal issues, since the there were no laws against it at the time.

Now, if it was done today, that would be another issue. Since there are laws in place, it is not legal for a US president to order something like Stuxnet without congress's approval.

RE: Not really
By Skywalker123 on 3/21/2013 9:35:23 PM , Rating: 1
it isn't illegal if the President does it

RE: Not really
By marvdmartian on 3/22/2013 11:10:51 AM , Rating: 1
Obama doesn't think it's illegal if the President does it.

There, I fixed that for you.

Act of War? I think not!
By TheEinstein on 3/21/2013 5:44:25 PM , Rating: 3
Espionage is NOT war. While it can lead to war (a certain assassination which triggered WW I comes to mind) it does not need to be so (certain spies who gave the USSR Nuclear Secrets for instance)

The Bay of Pigs resulted in a lot of deaths, heck it was the sponsoring of a real invasion! And yet it did not lead to war....

The Invasion of Panama was also allowed, even as a war act, due to an advise and consent allowance in the War Powers Act.

Hacking could be a 'causi belli' but it typically will never reach that level.

The world is filled with examples of events that could be considered an act of war but which never resulted in war.


"DailyTech is the best kept secret on the Internet." -- Larry Barber

Most Popular ArticlesSmartphone Screen Protectors – What To Look For
September 21, 2016, 9:33 AM
UN Meeting to Tackle Antimicrobial Resistance
September 21, 2016, 9:52 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM
5 Cases for iPhone 7 and 7 iPhone Plus
September 18, 2016, 10:08 AM
Update: Problem-Free Galaxy Note7s CPSC Approved
September 22, 2016, 5:30 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki