from the dressed-to-kill dept
Last year, Techdirt wrote about an interesting article suggesting that we should welcome "cyberwar" since it would be so much less painful than the ordinary kind. Of course, that raises the question of what we actually mean by "cyberwar", since some forms are probably less humane than others. As we have pointed out, the use of the totally embarrassing "cyber" prefix is really just an excuse for more government controls and for security companies to get fat contracts implementing them.
Against that background, the following news from The Verge about an attempt to pin down what exactly "cyberwar" might be is particularly interesting:
A landmark document created at the request of NATO has proposed a set of rules for how international cyberwarfare should be conducted. Written by 20 experts in conjunction with the International Committee of the Red Cross and the US Cyber Command, the Tallinn Manual on the International Law Applicable to Cyber Warfare analyzes the rules of conventional war and applies them to state-sponsored cyberattacks.
The Tallinn Manual on the International Law Applicable to Cyber Warfare is a fascinating, if rather dry, read: it consists of 95 key statements or rules about "cyberwarfare", each followed by pages of academic argument about what that statement means, and why. Mostly, it's about transposing existing law on warfare into the online world, defining things like "sovereignty", "attack", "force", "proportionality", etc. But there's one area where old ideas don't help: that of "hacktivists", defined in the Manual as "A private citizen who on his or her own initiative engages in hacking for, inter alia, ideological, political, religious, or patriotic reasons."
That's because conventional war makes a distinction between combatants -- those fighting in regular armies -- and those who are "unprivileged belligerents". The difference is crucial: the former enjoy important rights, for example to be treated as prisoners of war if captured, whereas "unprivileged belligerents" do not. The distinction between the two groups is relatively obvious in traditional warfare, where combatants are organized and subject to clear command structures. Hacktivists, by contrast, may decide to defend their country by taking part in group attacks from their home or from a local café, say; the issue then becomes whether or not they are to be considered combatants with rights, or "unprivileged belligerents" without them.
The following section from the Tallinn Manual shows the experts floundering here -- and just how hard it is to come up with sensible rules for this "cyberwar" stuff:
Combatant status requires that the individual wear a 'fixed distinctive sign'. The requirement is generally met through the wearing of uniforms. There is no basis for deviating from this general requirement for those engaged in cyber operations. Some members of the International Group of Experts suggested that individuals engaged in cyber operations, regardless of circumstances such as distance from the area of operations or clear separation from the civilian population, must always comply with this requirement to enjoy combatant status.
So if you're ever tempted to engage in a little patriotic hacking into enemy computers, please don't forget to put on your uniform first...