Nato draws up a manual for state-sponsored online attacks

State-sponsored cyber-attacks must avoid sensitive civilian targets such as hospitals, dams, dykes and nuclear power stations, according to an advisory manual on cyberwarfare written for Nato which predicts that online attacks could in future trigger full-blown military conflicts.

The first attempt to codify how international law applies to online attacks includes a provision for states to respond with conventional force if aggression through hacking into computer networks by another state results in death or significant damage to property.

The handbook, written by 20 legal experts working in conjunction with the International Committee of the Red Cross and the United States Cyber Command, says full-scale wars could be triggered by online attacks on computer systems. It also states that so-called hacktivists who participate in online attacks during a war can be legitimate targets even though they are civilians.

The group of experts was invited to draw up the handbook by Nato’s Co-operative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, the Estonian capital. The project took three years.

The centre was established in 2008 following a wave of cyber-attacks on the Baltic state from inside Russia. The denial of service attacks crashed websites and damaged Estonia’s infrastructure, raising awareness about the damage that online operations can inflict in an increasingly computer-dependent era.

The Tallinn manual, which contains 95 “black letter rules”, was formally launched at the London thinktank Chatham House. Professor Michael Schmitt, director of the project, who works at the US Naval War College, said there was relatively little consensus about how existing legal regimes governed online activities. The Stuxnet attack on Iran’s nuclear programme, which physically damaged sensitive centrifuges, divided opinion among experts in the Tallinn group as to whether it constituted an armed conflict. The computer worm is widely believed to have been created by the US and/or Israel.

Formulating a framework for permitted counter-measures should not lower the threshold for future conflicts, Schmitt told the Guardian. “You can only use force when you reach the level of armed conflict. Everyone talks about cyberspace as though it’s the wild west. We discovered that there’s plenty of law that applies to cyberspace.”

It is often difficult to locate the source of an online attack. Publicity last month about a tower block in Shanghai said to contain a Chinese army unit and to be the source of numerous global cyber-attacks highlighted the difficulty of proving who is responsible for causing damage to computer systems.

Rule seven of the manual declares that if a cyber operation originates from a government network, “it is not sufficient evidence for attributing the operation to that state but is an indication that the state in question is associated with the operation”.

The handbooks says that in accordance with Geneva conventions, attacks on certain key civilian sites are outlawed. Rule 80 of the handbooks states: “In order to avoid the release of dangerous forces and consequent severe losses among the civilian population, particular care must be taken during cyber-attacks against works an installations containing dangerous forces, namely dams, dykes and nuclear electrical generating stations, as well as installations located in their vicinity.” Hospitals and medical units are also protected as they would be under rules governing traditional warfare. The handbook is not official Nato document or policy but an advisory manual.

Guardian News and Media 2013