The handbook, which defines a cyber-attack as one that is “reasonably expected to cause injury or death to persons or damage or destruction to objects,” warns against all attacks on critical infrastructure, “even when [the targets] are military objectives,” due to the potential for widespread loss of life.
The manual’s main concern is that cyber-actions have the potential to escalate into full-scale wars. It reads, “cyber operations alone might have the potential to cross the threshold of international armed conflict.” In light of that, civilian hacktivists are legitimate targets in cyber-war.
“While to date, no international armed conflict has been publicly characterized as having been solely precipitated in cyberspace,” the guidelines include a provision for states to respond with conventional force if a cyber-attack results in death or significant damage to property. That force should take the form of “proportionate counter-measures” to an online attack.
It should be stressed that the handbook is not an official NATO document or policy, but rather an advisory manual published by Cambridge University Press. The first attempt of its kind, the handbook is the product of a team of 20 legal experts working for NATO’s Co-operative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia. The CCDCOE – which Britain is expected to join later this year – was established in 2008 in response to a series of cyber-attacks on Estonia, thought to have originated from within Russia.
The move to codify rules of engagement is to be lauded, but the proof, as ever, will be in the pudding. The Geneva Convention it is not.
“While NATO’s move to implement a set of rules is to be advocated, the difficulty – as is always the case in cyber space – will be in enforcing and defending these protocols,” said Jason Steer, EMEA product manager at FireEye, in a comment to Infosecurity. “Cybercriminals have long been able to hide behind false identities and cover all trace of illegal activity. We have seen the level of sophistication of these cyber-attacks increase exponentially in recent times, and so it will prove a considerable challenge for NATO to defend its new set of regulations against the wave of next-generation hackers, who are now armed with highly advanced and targeted tools.”
He added that the handbook could become the basis for ongoing legislation over cyber-war, but that organizations should still lay down their own defenses when it comes to protecting infrastructure.
“While it appears that first and second world countries are starting to wake up to the realities of the evolving threat landscape and the issue of nation-state attacks, more is needed to be done to ensure that organizations across the board are robustly protected, as NATO’s attempts to lay down the law are likely to prove extremely difficult to enforce,” said Steer. “With this in mind, organizations, nations and particularly those with critical infrastructure to protect, must be mindful of the limitations of traditional security defenses as well as the emerging legislation designed to mitigate the threat.”