Hackers who cause death or damage government property with cyberattacks could face retaliation under “the law of armed conflict,” according to a North Atlantic Treaty Organization (NATO) document.
They could even be killed.
At the request of NATO’s Cooperative Cyber Defence Centre of Excellence, a group of about two dozen consultants, together with representatives of the International Committee of the Red Cross and the U.S. Cyber Command have prepared the “Tallin Manual on the International Law Applicable to Cyber Warfare,” according to The Verge.
Although the manual does not establish official NATO policy—it is an advisory document published by Cambridge University Press — it nevertheless establishes a provision and cover for future action.
The manual maintains that it is illegal to use cyber warfare techniques against civilian installations like hospitals, dams and nuclear power plants. It is legally permissible, however, to retaliate against the agents of any cyberattack that results in death or significant property damage.
It is important to note that no cyberattack has thus far resulted in a fatality.
Rule 22 of the manual, and its commentary, state the following:
“An international armed conflict exists whenever there are hostilities, which may include or be limited to cyber operations occurring between two states or more… To date, no international armed conflict has been publicly characterised as having been solely precipitated in cyberspace. Nevertheless, the international group of experts unanimously concluded that cyber operations alone might have the potential to cross the threshold of international armed conflict.”
The manual further stipulates that the hackers responsible for prosecuting such an attack are legitimate targets of lethal force, even if those hackers are not members of a country’s military and even, presumably, if the attack were not the official result of a military directive.
The “law of armed conflict,” in other words, can pertain even when there are not bombs flying and tanks rolling. And that law is what allows a country to legally launch lethal attacks on another.
As Professor Michael Schmitt, chairman of the International Law Department at the United States Naval War College and lead author of the manual, told The Guardian, “You can only use force when you reach the level of armed conflict. Everyone talks about cyberspace as though it’s the wild west. We discovered that there’s plenty of law that applies to cyberspace.”
Make a note, hackers. If you mastermind a cyber attack and that attack breaks stuff, a NATO member nation is arguably within its legal rights to kill you dead.