Feeds

Dear gov cyber-ninjas, try NOT to KILL PEOPLE. Love from the lawyers

Stick nuke plants and hospitals on no-go list too - war manual

SANS - Survey on application security programs

A NATO-backed manual that attempts to pull together all the bits of international law regarding the "hostile use" of the internet has prohibited attacks against civilian targets.

According to the legal experts who helped draw up the manual, attacks in cyberspace should avoid anything that might affect civilian targets such as hospitals, dams and nuclear power plants.

The manual was compiled by an independent group of legal scholars, lawyers, academics and technical experts who gathered up all the existing relevant norms in existing international law as a guide for legal advisers to military and state bodies, law students, academics and law firms, although the manual itself is not an official document and does not reflect NATO doctrine or policy. Nevertheless, it's expected to be widely read in government circles, as NATO's CCDoE said at the time of the launch.

A draft copy of the Tallinn Manual on the International Law Applicable to Cyber Warfare came out last September but the issue has hit the news again as result of security conferences in London late last week and Washington, DC on 28 March that featured panel discussions on the weighty tome, which runs to 215 pages.

The manual looks at laws pertaining to armed conflict and the use of force and how they could be extended to regulate conflicts between nation states that have spilled over onto the internet. Technical experts advised on the three-year process of putting together the mega-guide, which featured observers from the International Committee of the Red Cross, United States Cyber Command and NATO’s Allied Command.

The project was backed by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, but the compilers and experts worked in their personal capacity.

The prospective users of the Tallinn Manual are government legal advisers to Ministries of Defence, Foreign Affairs, Interior and Justice; legal advisers to military forces and intelligence agencies; academics and graduate students in law, government and security studies; general counsel for defence industry; think tanks; consultancies; and law firms. The Tallinn Manual is designed to be accessible to lawyers with basic knowledge of international law.

The draft manual can be viewed at the CCDoE website here At the time of publication, it was unavailable for viewing.

When two crews go to war...

The manual covers 95 "rules". Among those that caught our eye were a discussion on attribution (rule 7) that "the mere fact that an operation has been launched or otherwise originates from a government cyber infrastructure is not sufficient evidence for attributing the operation to that state but is an indication that the state in question is associated with that operation".

Another interesting discussion on self-defence in the face of hacker attack (rule 9), posits that: "A state injured by an internationally wrongful act may resort to proportionate countermeasures, including cyber-countermeasures, against the responsible state". Rule 13, meanwhile, says: "A state that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defence. Whether a cyber operation constitutes an armed attack depends on its scale and effects."

The legal experts were split over whether an attack that crashed the New York Stock Exchange, for example, justified a response that could be legally defended as self-defence.

But they did agree on rule 14, that any response ought to be "necessary and proportionate". So, "you hacked us, we'll bomb you", isn't going to wash with international legal experts who want to restrict reprisals to acts of self-defence or actions authorised by the UN Security Council. However the right of self-defence may be exercised collectively, as per the coalition forced to expel Saddam Hussein's Iraqi troops from Kuwait in 1991, for example.

The experts went on to say that the law on armed conflict didn't apply to highly publicised DDoS attacks on Estonia in 2007 but did apply to cyber skirmishes that occurred between Georgia and Russia a year later because these occurred during the course of a ground war (a bullet-and-bombs armed conflict).

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.