Feeds

Dear gov cyber-ninjas, try NOT to KILL PEOPLE. Love from the lawyers

Stick nuke plants and hospitals on no-go list too - war manual

Providing a secure and efficient Helpdesk

A NATO-backed manual that attempts to pull together all the bits of international law regarding the "hostile use" of the internet has prohibited attacks against civilian targets.

According to the legal experts who helped draw up the manual, attacks in cyberspace should avoid anything that might affect civilian targets such as hospitals, dams and nuclear power plants.

The manual was compiled by an independent group of legal scholars, lawyers, academics and technical experts who gathered up all the existing relevant norms in existing international law as a guide for legal advisers to military and state bodies, law students, academics and law firms, although the manual itself is not an official document and does not reflect NATO doctrine or policy. Nevertheless, it's expected to be widely read in government circles, as NATO's CCDoE said at the time of the launch.

A draft copy of the Tallinn Manual on the International Law Applicable to Cyber Warfare came out last September but the issue has hit the news again as result of security conferences in London late last week and Washington, DC on 28 March that featured panel discussions on the weighty tome, which runs to 215 pages.

The manual looks at laws pertaining to armed conflict and the use of force and how they could be extended to regulate conflicts between nation states that have spilled over onto the internet. Technical experts advised on the three-year process of putting together the mega-guide, which featured observers from the International Committee of the Red Cross, United States Cyber Command and NATO’s Allied Command.

The project was backed by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, but the compilers and experts worked in their personal capacity.

The prospective users of the Tallinn Manual are government legal advisers to Ministries of Defence, Foreign Affairs, Interior and Justice; legal advisers to military forces and intelligence agencies; academics and graduate students in law, government and security studies; general counsel for defence industry; think tanks; consultancies; and law firms. The Tallinn Manual is designed to be accessible to lawyers with basic knowledge of international law.

The draft manual can be viewed at the CCDoE website here At the time of publication, it was unavailable for viewing.

When two crews go to war...

The manual covers 95 "rules". Among those that caught our eye were a discussion on attribution (rule 7) that "the mere fact that an operation has been launched or otherwise originates from a government cyber infrastructure is not sufficient evidence for attributing the operation to that state but is an indication that the state in question is associated with that operation".

Another interesting discussion on self-defence in the face of hacker attack (rule 9), posits that: "A state injured by an internationally wrongful act may resort to proportionate countermeasures, including cyber-countermeasures, against the responsible state". Rule 13, meanwhile, says: "A state that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defence. Whether a cyber operation constitutes an armed attack depends on its scale and effects."

The legal experts were split over whether an attack that crashed the New York Stock Exchange, for example, justified a response that could be legally defended as self-defence.

But they did agree on rule 14, that any response ought to be "necessary and proportionate". So, "you hacked us, we'll bomb you", isn't going to wash with international legal experts who want to restrict reprisals to acts of self-defence or actions authorised by the UN Security Council. However the right of self-defence may be exercised collectively, as per the coalition forced to expel Saddam Hussein's Iraqi troops from Kuwait in 1991, for example.

The experts went on to say that the law on armed conflict didn't apply to highly publicised DDoS attacks on Estonia in 2007 but did apply to cyber skirmishes that occurred between Georgia and Russia a year later because these occurred during the course of a ground war (a bullet-and-bombs armed conflict).

New hybrid storage solutions

More from The Register

next story
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.