PARIS -- The Internet went crazy last week over what was described in hyperventilating tweets as NATO's plan to kill hackers. "NATO-Commissioned Report Says Killing Hackers Is Basically OK," blared one tech blog headline, nicely reinforcing the paranoia. That makes it sound as if the governments of NATO countries are looking for any excuse to vaporize anyone with a computer, doesn't it? The more irrationally jumpy among us might imagine that these governments are just waiting for the guy beside us at the local Starbucks to fire up his iPad so they can finally have the excuse to wipe out an entire city block.
The U.S. Cyber Command at Fort Meade, Maryland, didn't just spring up out of nowhere in 2010 in some nefarious post-9/11 plot to quash civil liberties as aggressively as it apparently robs the common sense of those prone to self-absorbed fantasies. Cyber-warfare parameters have been an extremely long time coming.
After three years of work, a group of international experts with NATO's Cooperative Cyber Defense Centre of Excellence in Tallinn, Estonia, has just released "The Tallinn Manual on the International Law Applicable to Cyber Warfare." It's an attempt to adapt and apply international law to the cyber realm. Here's what you need to know about this proposed cyber-warfare framework, which does not yet constitute official policy -- although you'd never know it from all the whining echoing through cyberspace.
--NATO experts were divided on whether a single guy hacking catastrophically into a country's systems could trigger a retaliatory attack. However, citing NATO and U.N. Security Council resolutions that followed in the wake of the 9/11 attacks, they determined that a group of hackers outside of state direction could trigger a self-defensive counterattack if the initial hit was significant enough (in other words, if an attack caused serious harm to people, property or critical infrastructure). They also extended this provision to any attacks launched by Internet service providers or technology companies.
-- A hacker acting on behalf of a state could trigger proportionate retaliation if the initial attack is equal in scale and effect to a traditional warfare "use of force."
Recommended
-- Psychological operations, disinformation and other "ruses of war" don't meet the threshold for a defensive response -- much like when the hacker collective Anonymous recently claimed to have hacked the information systems of Israel's Mossad spy agency, with Mossad claiming that it was just a ruse.
-- There would be no geographical limit to the target nation's retaliation in rooting out the attacker(s). Good. Why should there be?
-- Within the context of any ongoing exchanges of hostilities, a hack attack has to be proportional. Moreover, it must be limited to military infrastructure and personnel and any civilians directly involved in the hostilities. If a hacker targets something that serves both military and civilian use, then it's considered a military hit by default, legitimizing the use of retaliatory force.
-- Hackers are not permitted to tweet specific cyber-threats with the intention of terrorizing civilians, but crying wolf about a perceived danger that happens to cause panic is OK. "OMG THE JUSTIN BIEBER CONCERT IS CANCELED" won't get you NATO-bombed.
-- You're not allowed to cause civilians to starve or die of thirst with your hacking. Emptying all the Fritos from the shelves of the local supermarket to fuel your 24/7 hacking activities is excluded.
-- Cyber-espionage gets a pass as long as you don't do it in enemy territory, in which case you'll be treated as a spy in accordance with the laws of the land, and perhaps even killed. That is, if you're not worth torturing first to extract information.
-- Cyber-espionage of private companies in other countries has nothing to do with NATO. Economic warfare (a no less important threat) will have to be handled through different channels.
Bottom line: Your attempts to hack the McDonald's gift card system to score a million Big Macs won't get you bombed by NATO. So relax, dude.