Politically motivated civilian hackers, or “hacktivists,” who conduct online attacks as part of a nation’s cyberwar efforts could lawfully be targeted with deadly force, according to a new study commissioned by NATO’s cyberwarfare center.
“An act of direct participation in hostilities by civilians renders them liable to be attacked, by cyber or other legal means,” reads the study, “The Tallinn Manual on the International Law Applicable to Cyber Warfare.”
An international group of experts in the laws of warfare wrote the manual, at the invitation of NATO’s Cooperative Cyber Defense Center of Excellence in Tallinn, Estonia. It is not a statement of official policy by NATO or any of its member governments, but it reflects a consensus view of a large group of legal scholars and practitioners, including several senior military lawyers from NATO countries.
The manual is being launched next week in Washington, and the issue it raises, of hacktivists who join hostilities online, is far from merely hypothetical.
In August 2008, the Republic of Georgia and the Russian Federation went to war in the disputed border province of South Ossetia. But the shooting war was accompanied by cyberattacks that knocked offline much of the Georgian government, including the Foreign Affairs Ministry. At a crucial moment in their nation’s history, Georgian diplomats were reduced to using a publicly hosted Google Blogspot page to post their public statements.
Georgian websites were attacked using a technique known as distributed denial of service, or DDoS, in which networks of personal computers, infected and enslaved unbeknown to their innocent owners, are used to bombard the target’s web servers so that real users cannot get through.
The manual says that joining a DDoS attack against a military network counts as “direct participation,” but the manual does not squarely address the issue of such an attack against civilian or government computers.
But the manual is clear that civilian infrastructure, including computers and computer networks, that is used for a “military purpose” — for instance, to carry military communications traffic — can lawfully be targeted, provided that any damage is “proportional” to the value of the military objective.
“The analogy is to a road network used by civilian and military vehicles,” the manual states. “There is no reason to treat a computer network differently.”
The DDoS attacks on Georgia were led by loosely knit groups of ultranationalist Russian hackers who coordinated the timing and targeting of their attacks and distributed software that could be downloaded by volunteer users so their computers could join the assault.
The hackers who wrote such malicious software and made it “openly available online” would not be legally targetable even if the malware was used in cyberwarfare, according to the manual. But a hacker who supplied a similar cyberweapon specifically designed for use in an online assault that rose to the level of international hostilities could be treated as a legitimate military target.
Former senior U.S. intelligence officials have said that private sector or freelance contractors write much of the malicious computer code used by the Chinese military in its cyberespionage operations.
Moreover, since they are not members of their countries’ military, the manual says, hacktivists taking part in a cyberwar should be considered “unprivileged belligerents” — the status the Bush administration accorded to al Qaeda fighters captured on the battlefield in Afghanistan. Unprivileged belligerents are not entitled to prisoner of war status under the Geneva Conventions, and they can be prosecuted for their actions — even if those actions would have been legal under the laws of war if carried out by military personnel.