But a new report argues that a hacker who helps a hostile country commit computer sabotage could face a much a harsher penalty: death.
The report, prepared for NATO by a group of independent military law experts, says that countries have legal justification to use military force against hackers who help another country launch a cyberattack. The report is the first formal attempt to define a set of rules that countries should follow in the event of a cyberwar.
International law prohibits attacks against civilians during wartime. But the 282-page report says that hackers who help foreign adversaries could lose that legal protection and be legally targeted by another country’s military. As an example, one nation could target an individual hacker with force if the hacker found a security flaw or wrote malicious software that helped another country sabotage computer networks, the report said.
The attack would merit such a response if the results posed a national security threat. For example, the report outlined a scenario in which a foreign adversary hacked a chemical plant to cause an explosion that led to widespread injuries or deaths.
But the so-called Tallinn Manual, named for the capital in Estonia where it was written, leaves some crucial questions unanswered. For one, it does not resolve the dilemma of determining the origin of a cyberattack. Many hackers disguise their location by routing their attacks through computers around the world, a technique known as “spoofing.”
It also does not conclude where to draw the line in terms of when a hacker becomes fair game. “The law is unclear as to the precise point at which the extent of death, injury, damage, destruction or suffering caused by a cyber operation” qualifies as an armed attack that justifies retaliation, the report says
Some experts agreed with the report’s assertions. Stewart Baker, a former assistant secretary at the Department of Homeland Security, said the military needs the right to retaliate with physical force — not just digital force — against hackers who could shut down a power grid or a water treatment plant.
“If Americans are dying because of terrorist hackers and we have chance to kill them, then we should kill them,” Baker said, adding, “It would be nuts to say that no matter what you do in cyberspace we will only respond in cyberspace.”
But others found the report troubling. On Twitter, one human rights lawyer called the new cyberwar manual a “worrying approach.”
The report points out that it does not reflect the views of NATO countries, and is not meant to “reflect the NATO doctrine.” “It is essential to understand that the Tallinn Manual is not an official document, but is only the product of a group of independent experts acting soley in their personal capacity,” the report says.
The U.S. military has long debated whether it is acceptable to use conventional weapons to respond to computer sabotage. The Pentagon’s first formal cyber strategy released in 2011 concluded that a cyberattack from another country constitutes an act of war that merits a lethal response.
“If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” a military official told the Wall Street Journal at the time.