Having read the entire 215 pages of the Tallinn Manual on the International Law Applicable to Cyber Warfare [PDF], I'd like to highlight parts of the 95 "black letter rules." NATO hasn't officially adopted the cyberwarfare laws as policy, and it is unknown if any nation will actually "play" by these rules. Yet even the Stuxnet attack "appears to have been planned with this Rule [Rule 54 - Choice of Means or Methods] in mind."
North Korea blamed the US and South Korea for "intensive and persistent virus attacks" which allegedly affected three broadcasters, four banks and two insurance companies. These would be civilian objects, but are they protected under the rules of cyberwarfare . . . had this been cyberwar? If the cyberattack that targeted South Korean banks and broadcasters did indeed originate from an IP in China, and the attack "damaged 32,000 computers and servers at media and financial companies," then has China disregarded and violated the Tallinn Manual with regard to civilians? In both cases, it would seem the answer would be "no."
According to the Tallinn Manual Rule 81, "objects that merely enhance civilian well-being or quality of life," such as the Internet or other communication networks, are not protected "objects indispensable to the survival of the civilian population." Yet "in the context of cyber operations, however, cyber infrastructure indispensable to the functioning of electrical generators, irrigation works and installations, drinking water installations, and food production facilities could, depending on the circumstances, qualify."
One thing is certain in the rule book: a full-scale war can be triggered by a cyberattack. It claims that civilian activists who participate in these attacks can be lawfully targeted with deadly force and killed. The Tallinn Manual defines a hacktivist as "a private citizen who on his or her own initiative engages in hacking for, inter alia, ideological, political, religious or patriotic reasons." It doesn't say to keep an eye on the sky for a killer drone headed your way, but hacktivists might consider that if involved in cyberattacks. Rule 11 defines 'Use of Force,' stating "merely funding a hacktivist group conducting cyber operations as part of an insurgency would not be a use of force." But Rule 35 says, "Civilians enjoy protection against attack unless and for such time as they directly participate in hostilities."
Consider the example of an individual hacktivist who has, over the course of one month, conducted seven cyber attacks against the enemy's command and control system. By the first view, the hacktivist was only targetable while conducting each attack. By the second, he was targetable for the entire month. Moreover, in the absence of a clear indication that the hacktivist was no longer engaging in such attacks, he or she would have remained targetable beyond that period.