State-sponsored cyber-warfare is nothing new. As computers are ever further integrated into all systems, the chance of those computers being the focus of a cyber-attack designed to steal secrets or cripple a country’s infrastructure becomes ever higher.
In recent years we’ve seen the US and Israel create Stuxnet to target Iranian nuclear enrichment facilities, North and South Korea continually hacking each other’s systems, and China managing to break into most digital spaces around the world both private and state-run. So it is unsurprising that groups are attempting to create laws that govern such attacks.
It may surprise many, but physical wars between countries are actually governed by various international laws and treaties such as the Geneva Conventions governing treatment of prisoners, and the Hague Conventions which govern warfare itself. But as more targets become digital, so do the attacks, and these conventions were not written with the internet in mind. Now NATO’s Co-operative Cyber Defence Centre of Excellence has made an attempt at codifying how international law should be applied to the digital realm.
CCDCOE produced the Tallinn Manual Project after three years' work, and as you would hope, they propose “proportionate counter-measures” for attacks rather than an out-and-out physical assault, with force only permitted if the original cyber-attack resulted in death or significant property damage. It also says that hackers who perpetrate attacks are legitimate targets for a counterstrike, as they would essentially be military operatives.
Similarly, the Manual attempts to keep in line with the Geneva Convention, outlawing attacks on key civilian sites such as dams, dykes, and nuclear electrical generating stations, as well as hospitals.
Whilst these rules are in general good recommendations, with the difficulty in proving the source of digital attacks with the use of networks of proxy servers, I don’t see them being agreed upon and implemented any time soon. The possibility of shutting down electrical grids and internet infrastructure remotely and without the PR-poison of military attacks, however, is likely too promising for governments jostling for power around the world.
Codifying international law to govern the wild west of the internet may be a while off yet.