PARIS -- The Internet went crazy last week over what was described in hyperventilating tweets as NATO's plan to kill hackers. "NATO-Commissioned Report Says Killing Hackers Is Basically OK," blared one tech blog headline, nicely reinforcing the paranoia. That makes it sound as if the governments of NATO countries are looking for any excuse to vaporize anyone with a computer, doesn't it? The more irrationally jumpy among us might imagine that these governments are just waiting for the guy beside us at the local Starbucks to fire up his iPad so they can finally have the excuse to wipe out an entire city block.
The U.S. Cyber Command at Fort Meade, Maryland, didn't just spring up out of nowhere in 2010 in some nefarious post-9/11 plot to quash civil liberties as aggressively as it apparently robs the common sense of those prone to self-absorbed fantasies. Cyber-warfare parameters have been an extremely long time coming.
After three years of work, a group of international experts with NATO's Cooperative Cyber Defense Centre of Excellence in Tallinn, Estonia, has just released "The Tallinn Manual on the International Law Applicable to Cyber Warfare." It's an attempt to adapt and apply international law to the cyber realm. Here's what you need to know about this proposed cyber-warfare framework, which does not yet constitute official policy -- although you'd never know it from all the whining echoing through cyberspace.
--NATO experts were divided on whether a single guy hacking catastrophically into a country's systems could trigger a retaliatory attack. However, citing NATO and U.N. Security Council resolutions that followed in the wake of the 9/11 attacks, they determined that a group of hackers outside of state direction could trigger a self-defensive counterattack if the initial hit was significant enough (in other words, if an attack caused serious harm to people, property or critical infrastructure). They also extended this provision to any attacks launched by Internet service providers or technology companies.
-- A hacker acting on behalf of a state could trigger proportionate retaliation if the initial attack is equal in scale and effect to a traditional warfare "use of force."
-- Psychological operations, disinformation and other "ruses of war" don't meet the threshold for a defensive response -- much like when the hacker collective Anonymous recently claimed to have hacked the information systems of Israel's Mossad spy agency, with Mossad claiming that it was just a ruse.
-- There would be no geographical limit to the target nation's retaliation in rooting out the attacker(s). Good. Why should there be?