The title is, unfortunately, link-baity, misleading, and really misses some of the most alarming parts of this doc.<p>The article from <i>The Guardian</i>[1] is more balanced in presenting the actual news. This doc[2] is directed at how to handle <i>state-sponsored</i> and other <i>war-time</i> cyber attacks, offering a set of guidelines that indicate targets that are expressly advised to be off-limits--such as "sensitive civilian targets such as hospitals, dams, dykes and nuclear power stations". It is wrestling with how to understand and apply the Geneva Conventions to cyber attacks (e.g., see Rule 80).<p>Where do civilian hackers come into play? When they're among those "who participate in online attacks during a war". Yes, that is worrisome and potentially alarming if applied too broadly. While abuse of these guidelines concerns me (greatly), this is not a new issue in the art of contemporary war.<p>Consider the French Resistance during WWII--a heavily civilian-populated paramilitary resistance force that not only engaged in intelligence theft & trafficking, but also were highly regarded and notorious for coordinating and executing sabotage against power grids, transportation infrastructure, and telecommunications networks. I think it could be argued that the Resistance is a historical analogue to contemporary hackers/hacktivists engaged in cyber attacks during a state of war. This document is essentially wrestling with the legalities and rules of war that should apply where the contemporary equivalent is concerned. Of course, I'd guess a lot of us would have greater sympathy for Resistance-style hackers engaged in acts of sabotage than, say, state-sponsored hackers who are targeting domestic nuclear facilities.<p>The real meat of the NATO document appears to be circling this line of thinking:<p>< <i>The manual suggests "proportionate counter-measures" against online attacks carried out by a state are permitted. Such measures cannot involve the use of force, however, unless the original cyber-attack resulted in death or significant damage to property.</i><p>Okay. Prohibition against launching missiles and invasion forces as retaliation for hacking that did not result in death or significant damage to property? Check. (of course, we need to be careful about how we define 'significant damage to property').<p>This is, however, where the document gets far more interesting and alarming than the OP article mentions. Specifically, note Rule 22 and commentary:<p>> <i>"An international armed conflict exists whenever there are hostilities, which may include</i> or be limited to <i>cyber operations occurring between two states or more . . . To date, no international armed conflict has been publicly characterised as having been solely precipitated in cyberspace. Nevertheless, the international group of experts unanimously concluded that cyber operations alone might have the potential to cross the threshold of international armed conflict."</i><p>We've now hit the point that state-sponsored digital operations are recognized as having the potential to initiate armed international conflicts. Not only that, but we have a formal declaration that international armed conflict <i>may be limited to</i> 'cyber operations occurring between two states or more'. <i>That</i> is the more alarming bit of news here.<p>[1]: <a href="http://www.guardian.co.uk/world/2013/mar/18/rules-cyberwarfare-nato-manual" rel="nofollow">http://www.guardian.co.uk/world/2013/mar/18/rules-cyberwarfa...</a>
[2]: <a href="http://bit.ly/YTbtRd" rel="nofollow">http://bit.ly/YTbtRd</a>