Deadly force against organized hackers could be justified under international law, according to a document released Thursday by a panel of legal and cyber warfare experts.
Use of lethal force on those behind a cyberattack on a nation would be legal if the virtual attack meets criteria similar to those currently accepted for real-world warfare, said Michael N. Schmitt, chairman of the International Law Department at the U.S. Naval War College in Newport, R.I.
Schmitt is the editor of the Tallinn Manual on the International Law Applicable to Cyber Warfare, a 300-page book put together by a score of experts at the request of NATO and published by Cambridge University Press.
"If you have an organized armed group -- not individuals, not lots of people conducting attacks -- and those attacks cause consequences that include physical destruction or injury or death to individuals, then a state that is the victim of such attacks may strike back with force of its own," he said in an interview.
The damage caused by a virtual attack would need to be as serious as that in a real-world, or kinetic, attack. "If that happens, pursuant to the right of self-defense set forth in the U.N. Charter, then the state may respond forcefully -- even if that response involves injuring the individuals that attacked it or caused damage to it," Schmitt said.
The situation can get murky during a "hot" war, if civilian hackers join the fray. "For the time they're doing that," Schmitt said, "they can be attacked."
"If you were on the battlefield and someone was shooting a gun at you, you should be able to shoot back," he said. "It's exactly the same way in cyberspace."
The legal use of deadly force against a cyber attacker is very limited, however. "It makes my heart stop when folks say, 'Someone's conducting a hacking attack; you can attack them back,'" he said. "No, that's not the case."
Timing can be a key element for legally justifying a forceful response to a cyberattack. "Once an attack is completely over, once there's no continuing need to defend yourself forcefully, then the right response to the attack is diplomacy," Schmitt said.
Under those rules, Iran, which suffered infrastructure damage due to a cyberattack by the Stuxnet virus, had no legal grounds for a forceful response to that attack -- even if it knew definitively who was behind the foray against its nuclear development program.
By the same token, the cyberattacks on South Korea's media and banking industry this week failed to meet the minimum requirements for a forceful response. "Under existing law, the consequences weren't severe enough to justify a forceful military response or a cyber response with severe consequences," Schmitt said. "It falls below the threshold."