A landmark document created at the request of NATO has proposed a set of rules for how international cyberwarfare should be conducted. Written by 20 experts in conjunction with the International Committee of the Red Cross and the US Cyber Command, the Tallinn Manual on the International Law Applicable to Cyber Warfare analyzes the rules of conventional war and applies them to state-sponsored cyberattacks.
Unsurprisingly, the manual advises that attacks must avoid targets such as hospitals, dams, and nuclear power stations in order to minimize civilian casualties, but also makes some bold statements regarding retaliatory conduct. According to the manual's authors, it's acceptable to retaliate against cyberattacks with traditional weapons when a state can prove the attack lead to death or severe property damage. It also says that hackers who perpetrate attacks are legitimate targets for a counterstrike.
"There's plenty of law that applies to cyberspace."
Project leader Professor Michael Schmitt, the Chairman of the International Law Department at the United States Naval War College, tells The Guardian that countries "can only use force when you reach the level of armed conflict," explaining that in most cases the appropriate response to a cyberattack would be digital retaliation. "Everyone talks about cyberspace as though it's the wild west," says Schmitt, "we discovered that there's plenty of law that applies to cyberspace."