Having read the entire 215 pages of the Tallinn Manual on the International Law Applicable to Cyber Warfare [PDF], I’d like to highlight parts of the 95 “black letter rules.” NATO hasn’t officially adopted the cyberwarfare laws as policy and it is unknown If any nation will actually "play" by these rules. Yet even the Stuxnet attack “appears to have been planned with this Rule [Rule 54 – Choice of Means or Methods] in mind.”
North Korea blamed the US and South Korea for “intensive and persistent virus attacks” which allegedly affected three broadcasters, four banks and two insurance companies.” These would be civilian objects, but are they protected under the rules of cyberwarfare . . . had this been cyberwar? If the cyberattack that targeted South Korean banks and broadcasters did indeed originate from an IP in China, and the attack “damaged 32,000 computers and servers at media and financial companies,” then has China disregarded and violated the Tallinn Manual in regards to civilians? In both cases, it would seem the answer would be "no."
According to the Tallinn Manual Rule 81, “objects that merely enhance civilian well-being or quality of life’—such as the Internet or other communication networks—are not protected “objects indispensable to the survival of the civilian population.” Yet “in the context of cyber operations, however, cyber infrastructure indispensable to the functioning of electrical generators, irrigation works and installations, drinking water installations, and food production facilities could, depending on the circumstances, qualify.”
One thing that is for certain in the rule book, a full-scale war can be triggered by a cyberattack. It claims that civilian activists who participate in these attacks can be lawfully targeted with deadly force and killed. The Tallinn Manual defines a hacktivist as "a private citizen who on his or her own initiative engages in hacking for, inter alia, ideological, political, religious or patriotic reasons.” It doesn't say to keep an eye on the sky for a killer drone headed your way, but hacktivists might consider that if involved in cyberattacks. Rule 11, defines ‘Use of Force,’ stating “merely funding a hacktivist group conducting cyber operations as part of an insurgency would not be a use of force.” But Rule 35 says, “Civilians enjoy protection against attack unless and for such time as they directly participate in hostilities.”
Consider the example of an individual hacktivist who has, over the course of one month, conducted seven cyber attacks against the enemy’s command and control system. By the first view, the hacktivist was only targetable while conducting each attack. By the second, he was targetable for the entire month. Moreover, in the absence of a clear indication that the hacktivist was no longer engaging in such attacks, he or she would have remained targetable beyond that period.
RULE 36 pertains to terror attacks. A cyberattack threat that conveys an intent to contaminate a city’s drinking water system would violate this rule. However, a false tweet that causes panic by claiming a highly contagious and deadly disease is spreading rapidly through the population “is neither an attack nor a threat.”
Malware that will disrupt the rhythm of the pacemaker and induce a heart attack is programmed to falsely authenticate itself as being generated by a legitimate medical source. The false authentication is accepted by the enemy’s computer network and the malware attacks the pacemaker of the adversary commander, causing a heart attack. In this example, the confidence of the adverse party’s computer system has been betrayed and, according to the majority of the Experts, the Rule has been violated. Other Experts took the position that the notion of confidence presupposes human involvement, such that influencing a machine’s processes without consequently affecting human perception falls outside the Rule.
Other wild scenarios include the do’s and don’ts of attacking or jamming GPS, launching a cyberattack against a warship, and using a “logic bomb as part of rootkit.” According to Rule 57, if the “rootkits’ sniffer component” were to detect that the enemy connected communications for emergency services to their military network, then the logic bomb attack should be cancelled or suspended. Rule 89 addresses submarine cables used for cyber communication that “may not be seized or destroyed except in the case of absolute necessity.” Yet the International Group of Experts could not decide if this also applied to satellite uplink and downlink stations.
Do you recall the secret demo for senators that simulated a cyberattack on the power grid and made NYC go dark? Hypothetically, such an attack in the midst of a killer heat wave would cause deaths, create chaos by crashing life-saving medical equipment, cut communications and potentially destroy financial institution networks. Such a cyberattack would need to be looked at in terms of Rule 51 “proportionality” which is referenced numerous times in other rules and basically means that civilian injuries, deaths, and damages must not result in “excessive collateral damage” from Rule 30’s “definition of cyber attack.” By the way, according to Rule 38, declining civilian moral is not considered collateral damage.
The precautionary Rule 80 – “Duty of care during attacks on dams, dykes, and nuclear electrical generating stations,” does not exactly say that such installations could not be attacked. Instead, it states the “civilian population enjoys protection against excessive collateral damage that is to be expected from attacks on dams, dykes, and nuclear electrical stations pursuant to the rule of proportionality (Rule 51).” It seems to boil down to determining “whether the release of dangerous forces will cause severe losses among the civilian population” and “must be judged in good faith.”
This example was included:
Consider malware intended to reduce enemy electrical supply by taking a nuclear power plant off-line. Paying insufficient attention when planning the attack to safeguarding the core from meltdown by ensuring the continued integrity of its cooling system would violate this Rule.
Rule 80 “does not apply to any other works or installations containing dangerous forces or substances, such as chemical plants and petroleum refineries. Rules 37 to 39 and 51 to 58 govern attacks on these facilities.”
There is much more about perfidy and even distinguishing it from ruses that are allowed. However, “Perfidy must be distinguished from espionage” which is Rule 66; it states that “a member of the armed forces who has engaged in cyber espionage in enemy-controlled territory loses the right to be a prisoner of war and may be treated as a spy if captured.” Other examples of cyber perfidy included spoofing emails as if from the Red Cross, or emails about surrender, but then ambushing and killing troops at the appointed meeting place. There are also long lists of rules about what and who is protected and an emphasis on how such protected networks should be marked. In cyberwarfare, you are not allowed to mark a network and pretend to have protected status. But like a sniper who may never be identified, in a cyberattack if “the originator is concealed,” then that “does not equate to feigning protected status” and is not perfidious.
Rule 58 addresses extremely polite cyberwar, such as notifying the public that a cyberattack will be launched against services that will affect them. Instead of sending text messages to the entire civilian population, notifying the media would be sufficient. But since such notifications would allow the enemy to monitor the attack, it states, "Given the current state of technology, the likelihood of warnings being feasible in the cyber context is low."
That is merely skimming the 215-page surface of the Tallinn Manual on the International Law Applicable to Cyber Warfare [non-PDF]. It’s a good geeky read if you are interested in cyberwarfare. At the very least, it's food for thought about the ethics behind cyberattacks and cyberwar.