Cyber-attacks are much in the news lately, thanks to some well-publicized hacks and rising concerns over malware. It’s certainly not out of the question—although many publications choose to rather delicately tiptoe around the issue—that many of these attacks are backed in some way by governments anxious to seize intellectual property, or simply probe other nations’ IT infrastructure.
But do nations actually have a right to fire off a bomb or a clip of ammunition at cyber-attackers, especially if a rival government is backing the latter as part of a larger hostile action? Should a military hacker, bored and exhausted from twelve-hour days of building malware, be regarded in the same way as a soldier with a rifle?
That’s a thorny question, to say the least. Back in 2009, the NATO Cooperative Cyber Defence Centre of Excellence (which also exists under the lengthy acronym NATO CCD COE) commissioned a panel of experts to produce a report on the legal underpinnings of cyber-warfare. NATO CCD COE isn’t funded by NATO, and nor is it a part of that organization’s command-and-control structure—but those experts did issue a nonbinding report (known as “The Tallinn Manual on the International Law Applicable to Cyber Warfare”) exploring the ramifications of cyber-attacks, and what targeted nations can do in response.
Among many other questions and several very long-winded sections—experts are nothing if not extremely prolix—the report wonders whether cyber-attacks violate state sovereignty.
“A cyber operation by a State directed against cyber infrastructure located in another State may violate the latter’s sovereignty,” the report suggests. “It certainly does so if it causes damage.” But do cyber-attacks actually constitute the use of force, comparable to a bombing or shooting? The panel debated that for several pages of the report, eventually settling on a metric that tries to balance “the level of harm inflicted and certain qualitative elements of a particular cyber operation.”
In other words, a cyber-attack that produces immediate destruction and death is likely to be viewed by the target state as a “use of force.” There are many other factors, including the “military character” of the operation and whether the actual cyber-attack violated some tenet of international law (for example, propaganda isn’t necessarily a violation of said laws, and so may not be considered a use of force).
The panel then moves on to discussing whether a cyber operation merits a “kinetic” defensive response from the targeted state. In other words, if a cyber-attack shuts down a couple power plants, can the attacked nation fire back a couple missiles? The panel suggests that the means of attack is “immaterial” to whether an operation can be considered an armed attack: an engineered virus or a pound of plutonium left in an airport bathroom would trigger the “right of self-defense” in the same way as a armored column rolling across the border. “This is so, despite their non-kinetic nature, because the ensuing consequences can include serious suffering or death,” the report adds. “Identical reason would apply to cyber operations.”
But the experts felt that “acts of cyber intelligence gathering and cyber theft,” as well as “cyber operations that involve brief or periodic interruption of non-essential cyber services,” do not fall into this “armed attack” category.
Indeed, the panel felt that any response to an attack should be based on the criteria of “necessity and proportionality.” Simply put, most attacks can be handled with a combination of defensive measures—i.e., software that identifies and helps block attacks—and “non-forceful measures” such as diplomacy and law enforcement. So-called kinetic operations, which involve the use of force, should be scaled in a way that compels an attacker to “desist,” but (at least in theory) should go no further.
In theory, that means a nation under cyber-attack that reaches a certain level—the “people are dying and infrastructure is destroyed” level—can retaliate with very real-world weapons, although the emphasis is still on using cyber-countermeasures to block the incoming attack. Which isn’t great news for an attacker—because however powerful the hardware specs on their laptop, it probably won’t do much good against a massive bomb.