If you’re a hacker living in your mom’s basement causing trouble for a world power, can NATO call in an air strike to put a stop to your cybermischief?
That was one question raised this month with the release of the Tallinn Manual on the International Law Applicable to Cyber Warfare, a NATO-commissioned handbook that could be the first step toward codifying the rules under which NATO members will wage cyberwarfare in future conflicts. The project had the input of the International Committee of the Red Cross and US Cyber Command.
The Tallinn Manual is not NATO doctrine; it is the result of a three-year project funded by the NATO Cooperative Cyber Defence Centre of Excellence and conducted by 20 legal experts working in a private capacity. The document could very well influence future rules of engagement for NATO and governments around the world. But for now, it’s a scholarly endeavor; a follow-up three-year project, which digs even deeper into questions pertaining to cyberoperations and state responses, is in the works.
When details of the manual were first reported in the Guardian last week, one of its rules was widely interpreted as NATO declaring war on hackers and civilian hacktivists. But in terms of wartime precedent, there’s nothing unique about NATO’s “Rule 29”; civilians who directly participate in hostilities have long been deemed legitimate battlefield targets. So of course the same principle would apply to a hacker in an armed conflict, if the hacker’s actions rose to the level of violence. “If someone is causing planes to crash [in a war] using a computer, it’s not really all that different if they’re using a computer rather than some other tool,” Julian Sanchez, a Cato Institute research fellow specializing in technology and civil liberties issues, says. “So, sure; go after Alan Cumming,” referring to the actor’s character Boris Grishenko, a backstabbing and chauvinist computer programmer targeted by James Bond and the CIA in GoldenEye.
Despite the fairly mundane nature of the rule, Michael Schmitt, chairman of the international law department at the US Naval War College and director of the project that produced the Tallinn Manual, has been flooded with questions about whether NATO is now allowed to send drones to take out Anonymous hackers who they find annoying. “Frankly, I was surprised that part even caught anyone’s attention,” Schmitt tells me. “It’s been generating a lot of blowback. But I can assure you NATO is not going to launch jets to hunt down Anonymous members tomorrow. An unexceptional statement has been taken out of context in rather dramatic ways.”
The main reason your average hacker doesn’t need to worry about getting blown up by NATO anytime soon is that the Tallinn Manual (which, again, is not official NATO doctrine) is relevant only to (a) an armed conflict or declared war between two states or (b) a civil war within a state. Rule 29 from the 282-page manual (which you can read here for free) addresses a scenario in which a civilian hacker starts working with one side of a conflict to, for instance, execute operations via cyberspace that would hack into enemy intelligence networks, disable command and control electronics, hinder combat capabilities, or harm or kill civilians. This establishes a high bar for what a hacker has to do to trigger an armed response from NATO commanders. And despite much recent hype about cyberwarfare from state actors (China, North Korea, Iran, Israel, etc.) and the growing costs of cybercrime, much of this NATO-commissioned handbook focuses on the abstract, simply because the realm of modern cyberwarfare is relatively new and has yet to be deeply explored. Many of these rules would come in handy in a wartime scenario in which Live Free or Die Hard is happening in real life.
“Cyberwarfare in the future will become a prominent part of the battlefield when prominent countries come to blows,” says Martin Libicki, an expert in cyberwar and senior management scientist at the RAND Corporation. “But for now, at least, you don’t just automatically send your drone in after hackers. That’s not the way it works. The worst people like Anonymous are doing nowadays is weapons of mass annoyance.”
There’s a real-world test case for this. In the summer of 2011, individuals identifying themselves as Anonymous claimed to have hacked NATO’s website, perhaps as indirect reprisal for the FBI’s arrest of over a dozen alleged hackers. Under current NATO structure, as well as recommendations made in the Tallinn Manual, such a breach would absolutely not warrant violent retribution. “Can you imagine Luxembourg, Estonia, the United States, France, and Spain, getting together and agreeing through the process that NATO demands, and going to the North Atlantic Council, and deciding to drop a bomb on some ordinary hacker?” Schmitt says, with a hint of irritation. “Are you kidding me?”
However, this is where the hypotheticals get a bit muddled. Suppose a civilian hacker who has taken sides in an armed conflict is waging cyberwar remotely from a neutral country. Or suppose a terrorist used his or her MacBook Pro to sabotage a major city’s traffic lights in a time of peace, resulting in mass carnage. When discussing such hypotheticals, experts often point to analogous situations such as the bin Laden raid or modern drone warfare. But this is still all uncharted territory. “The real problem here is not whether the basic rules of war should apply when cyberspace is involved; the real problem here is that the rules of war have, for the most part, a long tradition of being defined through kinetic warfare and physical conflict,” Sanchez says. “But we’ve found that in some cases when we’ve tried to apply the laws and rules of war to cyberspace, that translation is not always so obvious.”
But as for the conspiracy theories sprouting up regarding the recently published Tallinn Manual, the situation isn’t murky. “If somebody defaces my or NATO’s desktop, that’s hardly direct participation in armed conflict, and NATO would not be allowed to resort to armed force,” Schmitt says. “It would make great TV, though—pure Hollywood.”
NATO did not respond to requests for comment, which I can only assume indicates they have already sent a drone to vaporize my laptop.