
The title is, unfortunately, link-baity, misleading, and really misses some of the most alarming parts of this doc.

The article from The Guardian[1] is more balanced in presenting the actual news. This doc[2] is directed at how to handle state-sponsored and other war-time cyber attacks, offering a set of guidelines that indicate targets that are expressly advised to be off-limits--such as "sensitive civilian targets such as hospitals, dams, dykes and nuclear power stations". It is wrestling with how to understand and apply the Geneva Conventions to cyber attacks (e.g., see Rule 80).

Where do civilian hackers come into play? When they're among those "who participate in online attacks during a war". Yes, that is worrisome and potentially alarming if applied too broadly. While abuse of these guidelines concerns me (greatly), this is not a new issue in the art of contemporary war.

Consider the French Resistance during WWII--a heavily civilian-populated paramilitary resistance force that not only engaged in intelligence theft & trafficking, but also were highly regarded and notorious for coordinating and executing sabotage against power grids, transportation infrastructure, and telecommunications networks. I think it could be argued that the Resistance is a historical analogue to contemporary hackers/hacktivists engaged in cyber attacks during a state of war. This document is essentially wrestling with the legalities and rules of war that should apply where the contemporary equivalent is concerned. Of course, I'd guess a lot of us would have greater sympathy for Resistance-style hackers engaged in acts of sabotage than, say, state-sponsored hackers who are targeting domestic nuclear facilities.

The real meat of the NATO document appears to be circling this line of thinking:

> The manual suggests "proportionate counter-measures" against online attacks carried out by a state are permitted. Such measures cannot involve the use of force, however, unless the original cyber-attack resulted in death or significant damage to property.

Okay. Prohibition against launching missiles and invasion forces as retaliation for hacking that did not result in death or significant damage to property? Check. (of course, we need to be careful about how we define 'significant damage to property').

This is, however, where the document gets far more interesting and alarming than the OP article mentions. Specifically, note Rule 22 and commentary:

> "An international armed conflict exists whenever there are hostilities, which may include or be limited to cyber operations occurring between two states or more . . . To date, no international armed conflict has been publicly characterised as having been solely precipitated in cyberspace. Nevertheless, the international group of experts unanimously concluded that cyber operations alone might have the potential to cross the threshold of international armed conflict."

We've now hit the point that state-sponsored digital operations are recognized as having the potential to initiate armed international conflicts. Not only that, but we have a formal declaration that international armed conflict may be limited to 'cyber operations occurring between two states or more'. That is the more alarming bit of news here.

[1]: http://www.guardian.co.uk/world/2013/mar/18/rules-cyberwarfa...

[2]: http://bit.ly/YTbtRd



Viable scenario: a state-organized effort perpetrated solely thru data networks shuts down a nation's entire power grid (electric, gas, etc.), and in a manner where re-activation thereof will be slow & expensive (transformers blown, gas pipes ruptured, etc.) with extensive major civilian consequences (dominating digital economy offline, health/rescue services disrupted/overwhelmed, traffic congestion skyrockets, etc.). Think Stuxnet for the electric company. The perpetrator is identified.

Variation: this is detected beforehand, but very little time remains (hours/minutes) before "detonation". Polite diplomatic channels are in no way fast enough. The cyber-attack is traced to 10,000 malware-hijacked PCs in a handful of concentrated residential neighborhoods.

Discuss.


Too many variables unaccounted for in the second scenario. For example, do we know what is going to be targeted and through what method it would be attacked? How many legitimate users need web access to this critical service?

Assuming that knowledge, there's plenty that could be done if we have forewarning. Take those neighborhoods offline at the ISP level. Alternately, block the zombie IP ranges via firewall at the receiving end.

I think the real danger is that we won't have such forewarning, and in the slim chance we did, we won't have that crucial knowledge (what specifically is the target and attack vector?).


>war-time

Just curious, when did you learn to code? For me it was about 5th grade. There are 6th graders now who were born after the United States entered Afghanistan. There are currently human beings capable of writing software who have never existed in a non-wartime state.

Just something to consider when we declare measures like these "extraordinary" and justifiable in "wartime." The War on Terror isn't going to just end. You and I may not live to see the next peacetime. If we say it's okay during wartime, then it had better be okay during the majority of our lives.


Well, at just shy of 32 years old, there has yet to be a single year of my life free of official conflicts or wars. In fact, even my 52-year-old father has not experienced a year of his life free from official conflict or war in effect. If you're older than him, perhaps you've experienced a non-wartime state, but you'd pretty much have to be older than my grandfather.

This document isn't talking about there being conflict just anywhere in the world, but about the actors involved within the states that are officially engaged in open hostilities--i.e., if there is conflict between China and Taiwan, it's not okay for Pakistan to retaliate with conventional force against a group of hackers in India. At least, that's how it reads to me at the moment.

Also, I wasn't saying it was okay. I was pointing out that the posted article is sensationalized, misleading, and misrepresenting the information to get page views--while adding some actual context and content the article completely left out or presented incorrectly. And I wanted to draw an historical analogue to something I thought many people would know about that could be accomplished by hackers today, potentially falling under the purview of this new NATO guidance.

[edit: I learned to code in 5th/6th grade. sorry to leave that out.]


The US is not a 'wartime state'. It's been committed to business as usual, and if you never bothered reading the news, you could get away with never knowing it was at war for the most part. No rationing or real shortages, no conscription, no opposing forces tromping over the nation, no aerial attacks. The US is technically at war, but its society isn't - if you don't want to sacrifice anything for your country, you can go about your business quite happily and undisturbed.


This is exactly the point. The government has repeatedly used the legal fiction of the United States being "at war" to dramatically expand its punitive authority, despite the fact that the "war" is an open-ended, amorphous legal fiction. That's why it is so dangerous to dismiss some extraordinary assertion of power because it only applies "in wartime"; it's always wartime, even when it's not.


I agree that it's alarming to think of cyber-warfare escalating to a war, but I don't think it's unrealistic or uncalled-for. I'm concerned that a cyberattack could be misinterpreted (not really an attack, or originating from another body) but that's an education and sophistication problem, not an error in the legal premise.


I, too, do not think it is unrealistic or uncalled-for. My sense of 'alarming' is anchored a bit in a historical position--i.e., we've now reached the point in history where an action taken on a computer in a room in some corner of the world can be the trigger for formal war declarations, and is officially recognized as such.

We thought blitzkrieg was a challenge about 75 years ago. This is a huge shift.


I think you're muddying the waters by introducing Francs-tireurs into the mix - I am sure this document is about state actors; resistance groups are a trickier proposition, e.g. USA politicians effectively turning a blind eye to PIRA fundraising.

Some research finds that under current laws of war "Combatant and prisoner of war status is granted to members of dissident forces when under the command of a central authority. Such combatants cannot conceal their allegiance; they must be recognizable as combatants while preparing for or during an attack."

So it looks like the self-organizing nationalists, as some of the Russian and Chinese hacktivists have been described, that attack enemies of the state are not covered.


> I am sure this document is about...

The document is about its contents and its contents alone, irregardless of what we may be sure it is about.

I disagree that including the French Resistance as an analogy for the types of groups that could come under the provisions of this manual is muddying the waters. They strike me as a salient example of non-military, non-governmental personnel who could be (and were historically) categorized as combatants if engaged in cyber activities during armed conflicts.

The manual specifically includes civilian actors engaged in cyber actions during wartime hostilities between countries. It does not, to the extent I've read it so far, include a distinction between those who are resistance groups and those who are state actors--that's a subjective determination and what this doc is discussing is applying the Geneva Conventions to contemporary issues.

[Nitpick:] More confusing still, using Francs-tireurs is, unfortunately, both too specific and ambiguous at the same time. Some (like myself) might mistake you for meaning the Francs-tireurs from the Franco-Prussian War, where the term originated. Or did you mean Francs-tireurs, the name adopted by a couple groups who were part of the Resistance (like the FTP)? Then again, that francs-tireurs became a more generalized term to refer to potentially non-lawful combatants between and after all the wars from the Franco-Prussian to WWII adds further chance for confusion. Assuming you are referring to the French Resistance as I was, however, it is not the general term used for the Resistance members as a whole.

Given the quote you include, it then sounds like you're not responding to the Resistance at all, but perhaps the generalized francs-tireurs--note, no capital F--about whom those rules were made during the Third Geneva Convention.


I don't see the point... the article begins with:

> A landmark document created at the request of NATO has proposed a set of rules for how international cyberwarfare should be conducted.

Really? As if people really followed the rules during wars. History is full of people breaking such "rules" and nothing happens... after all "it's war".

I'm not suggesting people under extreme stress should be expected to act impartially... though I wonder why discuss such rules if none will be applied anyway.



