Mittwoch, 18. Mai 2016

NATO Paper on the TALLIN MANUAL Paper 7 The Law of Cyber Targeting ( Summary) english

Summary of the paper`s background

The Talinn Papers is a peer reviewed publication of the NATO Cooperative Cyber Defense Centre of Excellence, designed to inform strategic dialogue regarding cyber security within the alliance and beyond.

The Law of Cyber Targeting

The war between Russia and Georgia (2008) marked the birth of cyber war ( not hacktivism). Today we see cyber operations (CO) in Syria and Ukraine. Attention must be paid to the law that governs these activities. Given the novelty of CO as a method of warfare during an armed conflict any alleged misuse has the potential for strategic consequences. NATO CCDCE has taken a global lead in addressing this issue. The following questions are asked:

What applies to my operation ?

May I engage the intended target ?

Is the weapon that I use legal ?

What precautions must I take to avoid collateral damage ?

Do the scope and degree of likely collateral damage prohibit me from engaging the target ?

This paper will explain how each is resolved with respect to CO.

The Applicable Law (Part I)

International Humanitarian Law ( IHL ) comes into play when there is an armed conflict in legal parlance ( international and not international). To kill members of the civilian population is a violation of IHL and a war crime. There is no normative or practical logic for distinguishing between an CO and a kinetic operation (e.g. Stuxnet 2010). The enemy must be an organized armed group which is difficult to see in most cyber threats. The group must be armed and not only long to “denial of service actions (Estonia) In simple terms: The cyber conflict must start looking like war.

The Applicable Law (Part II)

Any discussion of targeting begins within the principle of distinction which is codified in Article 48 ( Geneva Conventions). Attacks against civilians and civilian objects are prohibited, indiscriminate attacks are forbidden, parties to a conflict must take precautions to minimize civilian harm when planning and conducting attacks and so forth.

Controversy surrounds the issue of whether the nation attacks should be interpreted more broadly. A CO targeting civilian cyber infrastructure (CCI) without physical effects could be far more detrimental than one causing limited damage. Consider an attack during an armed conflict on the enemy`s CCI: It seems incongruent to prohibit only the latter. If Data is treated as an object any manipulation of civil data would be qualify as unlawful damage or destruction (mind the deletion of a forum or blog post).Unless a CO has consequences that at least affect the functionality of an object it does not qualify as attack and therefore it is not prohibited. During an armed conflict it is generally legal to conduct CO against civilians as long as they are not harmed or injured. Denial of service is lawful until physical effects like starvation or illness.



The Target

CO must be frequently implicate the prohibition on attacking civilian objects, which are not military ones. Military objects are objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization in the circumstances ruling the time, offers a definite military advantage. “ A particular location might be to open dame gates to flood an area and deny its use to the enemy. A civilian object can become a military object though purpose: A civilian server farm that will store military data which may be attacked even before data storage begins or air traffic control or airspace management systems ( “war fighting or war supporting objects). Many war sustaining targets cannot be struck kinetically in a fashion that would generate the same effects as cyber attacks (bank systems for example). Persons may qualify as targets like combatants. Civilians qualify as well for the time they are members of an armed organized group with a continuous combat function. All those who conduct CO against the enemy or who defend against hostile operations have a continuous combat function and would be targetable. Analogue to human shields would be the development of more specific to an attack of the enemy system allowing CO to be launched from one`s home or business by others.

The Weapon

While certain uses of cyber weapons (malware) violate OHL such as attacking civilians, cyber weapons may also be unlawful per se. Weapons are prohibited when they:

-Cannot be directed at a specific military objective

-Generate uncontrollable effects

Cyber weapons may at times run afoul of these prohibitions – consider malware intended for use against military cyber infrastructure linked to civilian networks. If the malware is designed to spread randomly though the system into which it is introduced it is indiscriminate by nature and prohibited per se. The most well known indiscriminate  cyber weapon is the malicious but seemingly innocuous e-mail attachment sent to a combatant`s private e-mail account. Since the attacker has no control to whom it might be it would be indiscriminate ( mind of puppy or kitten videos). Restrictions do not bear on malware that does not cause injury, damage or loss of system functionality. Cyber weapons can be employed against closed military systems in which the risk of bleed over into civilian networks is low.

Precautions to avoid Civilian Harm and Collateral Damage

An attacker must take constant care to spare the civilian population, civilians and civilians objects. He must do everything feasible to verify that the target is not protected by IHL select the weapon, tactic and target that will minimize civilian harm without forfeiting military advantage or cancel an attack when reason to believe that the attack may be unlawful comes to light and warn the civilian population of any attack that may affect them.

An attack which may expected to cause incidental loss of civilian life injury o civilians, damage to civilian objects or a combination thereof which would be excessive in relation to the concrete and direct military advantage anticipated is prohibited.


On the one hand options that are in fact lawful are sometimes needlessly taken off the table out of misguided concern as to their legality. On the other hand unlawful options are in times seriously considered thereby risking public and intentional condemnations should they be selected. The normative fog of Cyber war is beginning to clear.