RULE 36 pertains to terror attacks. A cyberattack threat that conveys an intent to contaminate a city's drinking water system would violate this rule. However, a false tweet that causes panic by claiming a highly contagious and deadly disease is spreading rapidly through the population "is neither an attack nor a threat."
Malware that will disrupt the rhythm of the pacemaker and induce a heart attack is programmed to falsely authenticate itself as being generated by a legitimate medical source. The false authentication is accepted by the enemy's computer network and the malware attacks the pacemaker of the adversary commander, causing a heart attack. In this example, the confidence of the adverse party's computer system has been betrayed and, according to the majority of the Experts, the Rule has been violated. Other Experts took the position that the notion of confidence presupposes human involvement, such that influencing a machine's processes without consequently affecting human perception falls outside the Rule.
Other wild scenarios include the do's and don'ts of attacking or jamming GPS, launching a cyberattack against a warship, and using a "logic bomb as part of rootkit." According to Rule 57, if the "rootkits' sniffer component" were to detect that the enemy connected communications for emergency services to their military network, then the logic bomb attack should be cancelled or suspended. Rule 89 addresses submarine cables used for cyber communication that "may not be seized or destroyed except in the case of absolute necessity." Yet the International Group of Experts could not decide if this also applied to satellite uplink and downlink stations.
Do you recall the secret demo for senators that simulated a cyberattack on the power grid and made NYC go dark? Hypothetically, such an attack in the midst of a killer heat wave would cause deaths, create chaos by crashing life-saving medical equipment, cut communications and potentially destroy financial institution networks. Such a cyberattack would need to be looked at in terms ofRule 51 "proportionality" which is referenced numerous times in other rules and basically means that civilian injuries, deaths, and damages must not result in "excessive collateral damage" from Rule 30's "definition of cyber attack." By the way, according to Rule 38, declining civilian moral is not considered collateral damage.
The precautionary Rule 80 - "Duty of care during attacks on dams, dykes, and nuclear electrical generating stations," does not exactly say that such installations could not be attacked. Instead, it states the "civilian population enjoys protection against excessive collateral damage that is to be expected from attacks on dams, dykes, and nuclear electrical stations pursuant to the rule of proportionality (Rule 51)." It seems to boil down to determining "whether the release of dangerous forces will cause severe losses among the civilian population" and "must be judged in good faith."
Sign up for CIO Asia eNewsletters.