Hackers could be fair game for deadly force, cyberwar experts say

Deadly force against organized hackers could be justified under international law, according to a document released Thursday by a panel of legal and cyber warfare experts.

Use of lethal force on those behind a cyberattack on a nation would be legal if the virtual attack meets criteria similar to those currently accepted for real-world warfare, said Michael N. Schmitt, chairman of the International Law Department at the U.S. Naval War College in Newport, R.I.

Schmitt is the editor of the Tallinn Manual on the International Law Applicable to Cyber Warfare, a 300-page book put together by a score of experts at the request of NATO and published by Cambridge University Press.

"If you have an organized armed group -- not individuals, not lots of people conducting attacks -- and those attacks cause consequences that include physical destruction or injury or death to individuals, then a state that is the victim of such attacks may strike back with force of its own," he said in an interview.

The damage caused by a virtual attack would need to be as serious as that in a real-world, or kinetic, attack. "If that happens, pursuant to the right of self defense set forth in the U.N. charter, then the state may respond forcefully -- even if that response involves injuring the individuals that attacked it or caused damage to it," Schmitt said.

The situation can get murky during a "hot" war, if civilian hackers join the fray. "For the time they're doing that," Schmitt said, "they can be attacked."

"If you were on the battlefield and someone was shooting a gun at you, you should be able to shoot back," he said. "It's exactly the same way in cyberspace."

The legal use of deadly force against a cyber attacker is very limited, however. "It makes my heart stop when folks say, 'Someone's conducting a hacking attack; you can attack them back,'" he said. "No, that's not the case."

Timing can be a key element for legally justifying a forceful response to a cyberattack. "Once an attack is completely over, once there's no continuing need to defend yourself forcefully, then the right response to the attack is diplomacy," Schmitt said.

Under those rules, Iran, which suffered infrastructure damage due to a cyberattack by the Stuxnet virus, had no legal grounds for a forceful response to that attack -- even if it knew definitively who was behind the foray against its nuclear development program.

By the same token, the cyberattacks on South Korea's media and banking industry this week failed to meet the minimum requirements for a forceful response. "Under existing law, the consequences weren't severe enough to justify a forceful military response or a cyber response with severe consequences," Schmitt said. "It falls below the threshold."

In attacks such as those on Iran and South Korea, the hard part is determining who to launch a forceful response against.

"Authentication is an essential part of the right to self-defense," David Bodenheimer, who heads the homeland security practice at Crowell & Moring in Washington, D.C., said in an interview. "You can't attack another country for a cyberattack if you can't identify, with some specificity, the country behind the attack."

Even in what's considered a textbook case of cyber warfare launched by one nation state against others -- Russia's cyberattacks on the Republic of Georgia and Estonia -- bulletproof evidence of who was behind the assaults can be lacking.

"There was support for it being connected to Russians or Russian citizens, but at the end of the day, the investigations were unable to show that the attacks were instigated by the Russian government," Bodenheimer explained.

The Tallinn Manual couldn't have come at a better time, according to former U.S. Navy Rear Admiral James Barnett, who heads the cybersecurity practice at Venable, a law firm in Washington, D.C.

"Cyber warfare is very much part of the mainstream in warfare," he said. "Military objectives that can be achieved by ones and zeroes are going to be done ..., because they can be a more effective way of doing things than blowing things up."

Although the manual is meant to guide nations through the intricacies of international law and cyber warfare, it could contribute to conflict, said Richard Stiennon, chief research analyst with IT-Harvest in Birmingham, Mich.

"We don't need any more reasons for countries to go to war and engage in armed conflict with each other," he said. "This introduces more of those ways."
