A Nato handbook laying down the rules of cyber warfare has said governments should refrain from attacking hospitals and nuclear plants.
The manual is the first attempt to set out how international law applies to online attacks by the state, and warns that online attacks could lead to full-blown military conflicts.
The handbook, the result of three years' collaboration between international experts for Nato’s Co-operative Cyber Defence Centre of Excellence, defines a cyber attack as one that is “reasonably expected to cause injury or death to persons or damage or destruction to objects.”
An online attack on an electricity grid resulting in fire is one example of the way that cyberwar could bring about real physical harm.
The advisory handbook, written by 20 legal experts including a retired UK air commodore and several British lawyers, says governments must avoid attacks on civilians, hospitals, nuclear power stations, dams and dykes.
Attacks on the latter three are particularly sensitive as they threaten to cause widespread loss of life, and should be avoided “even when they are military objectives”.
Hospitals and medical units are already protected under the rules governing traditional warfare.
The guidelines also forbid the use of cyber “booby traps” and attacks intended to spread terror among the population.
The handbook, drawn up at the invitation of Nato’s Co-operative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, includes a provision for states to respond with conventional force if a cyber attack results in death or significant damage to property.
Full-scale wars could be triggered through online attacks, as the report comments: “cyber operations alone might have the potential to cross the threshold of international armed conflict.”
“Hacktivists” who take part in online attacks can become legitimate targets in cyberwar, the new guidelines say, even though they are technically civilians.
The CCDCOE was established in 2008 following a wave of cyber-attacks on Estonia from inside Russia.
[Photo: An Iranian technician works at the Uranium Conversion Facility near Isfahan. Stuxnet attacked Iran’s nuclear programme in 2010. Credit: AP]
The denial-of-service attacks crashed websites and damaged the country’s infrastructure, raising awareness about the damage that online operations can inflict in a world increasingly dependent on modern technology.
Britain will be joining the centre later this year.
The Tallinn manual, which contains 95 “black letter rules”, was formally launched at Chatham House last week, according to the Guardian.
Colonel Kirby Abbott, an assistant legal adviser at Nato, described it as “the most important document in the law of cyber-warfare.”
Professor Michael Schmitt, director of the project, pointed out that there is currently little agreement about how international law applies to online attacks.
The Stuxnet virus attack on Iran’s nuclear programme, which physically damaged sensitive centrifuges, divided those setting out the rules.
The attack is believed to have been carried out by the US or Israel, but the handbook states: “To date, no international armed conflict has been publicly characterised as having been solely precipitated in cyberspace.”
The manual authorises countries to take “proportionate counter-measures” to an online attack, but these can only involve real force where the attack has resulted in death or serious damage.
Professor Schmitt said that the manual shows that cyberspace is not the “wild west”, as a large amount of international law already applies.
The handbook is not an official Nato document or policy but an advisory manual, which is published by Cambridge University Press.
Source: The Telegraph