I can feel some downvotes coming for this, but people need some perspective. They are talking about hacking the US military with potentially life and death consequences. Why people seem to think that they could do that without risking their lives is beyond me.
<tinfoilhat>
That's how it starts. Next up, they'll report that "sensitive military servers have been tampered with". Maybe it'll be true, maybe not. Nobody knows but them. The defintion of "potentially life and death consequences" will be bent & twisted beyond reason. Then add a bit more propaganda and it's wartime with whatever country they named.
</tinfoilhat>
Those are the risks of a standing army- computers don't change that. The bottom line is that if you want to "play" in the military's back yard, you can't hide behind your computer as if it makes it any less serious.
It's not about China. It's about the military doing it's job, which is the enforcement of political policy by means of violence. There is a broad spectrum of possible responses to an attack ranging from "ignore it" to "nuke it". Computers don't change that.
A more direct answer might be this: What if an enemy hacker was attempting to compromise battle plans for an impending invasion? I suspect the military would try to stop that effort with violence if there were no easier way.
I don't know... Shooting hackers may actually be easier than getting people to pick and remember more complex passwords.
In all seriousness though, security is not that simple. Yeah, what you're suggesting would mitigate risk, but it wouldn't come remotely close to eliminating it. You can end/save lives through hacking, and if you're costing the opposition lives, you should be treated as anyone else would be.
In principle I agree with you. But the danger here is that, unlike with physical projectiles, it can be difficult or impossible to find out where a hack attack is originally coming from. I'm sure all of the world powers and quite a few smaller ones have their own international botnet by now.
Take for example the recent "cyber attacks" on South Korea. They first accused China, North Korea, before doing deeper investigation and finding that the attack originated from somewhere else. They could have very well killed the wrong people, starting a war with the wrong country.
And like the infamous "weapons of mass destruction" this can easily be used to attack a country under false pretenses.
IMHO much more resources should be spent on research and tools to make software intrinsically safer and more secure, instead of all the pooha about war and killing. It could lead to much more sustainable solutions that actually solve the problem of "we're much too vulnerable digitally".
They are not talking about hacking only military targets.
But they are talking about State-sponsored attacks and State-directed retaliation.
The study indicates that killing state-sponsored hackers is justified as an act against the aggressor State, not as an act against those individuals.
Attacking an individual in another State is itself a violation of that target State's sovereignty and would be grounds for legal retaliation.
The real legal problem in this comes from the grey area around where "terrorists" fit in these definitions [1] and who exactly gets to define "terrorist" [2].
But given how far US legal minds have already taken the escalation of executive power in these cases, it seems silly to think they'd feel particularly restricted in adding "hellfire missile" to their list of options, if not for some third party's supportive legal opinion.
Frankly, when the State can simply disappear a citizen without recourse, the question of whether they may decide outright murder is legal seems rather superfluous.
[1] Where it is precisely the lack of State sponsorship that brands one a "terrorist" and opens the door to extra-legal abuse.
[2] In the US, two administrations have asserted that a "terrorist" is anyone the executive branch claims is a terrorist due no particular evidential requirement and subject to no legislative restriction or judicial review.
Exactly some of the points I tried to point out, as well, in my comments. There is also the central issue that this document is a NATO handbook, not a doc focused on the US military or other governmental agencies.
NATO is trying to wrestle with how to understand and apply the Geneva Conventions to cyberwarfare.
Seems some people are missing that part and reacting as if this is another secret White House memo.
> In the US, two administrations have asserted that a "terrorist" is anyone the executive branch claims is a terrorist due no particular evidential requirement and subject to no legislative restriction or judicial review.
That's not actually true, but don't let the facts get in the way of your narrative.
War, in the traditional sense, used to be easier to define. A bunch of people with weapons, pointing them at each other and pulling triggers (as well as the command-structure and supply chains that support them). Defining when you're at war was easier.
Nowadays, people push buttons from great distances away and one keystroke could unleash havoc halfway around the world. Meanwhile the guy who pushed that button is off to pick up his kids from school (he may not even have known what he started since his code is one piece of a larger whole). At what point are you at war in that scenario? When can the guy who pushed the button be considered an aggressor? While he's behind the keyboard or at anytime during his life thereafter? If he's already part of his country's military, I guess this is different.
I suspect there's a lot of exaggeration in the headline and the actual document is more nuanced.
If it was so easy to define war, then when did the US Civil War begin?
We are already in an era after the atomic bomb, after "total war". Now we are disturbed that in the future, civilians might be killed along with the countries they support in war? How about this happening constantly in war all the way back to city-states?
I think the message is "the US could kill anyone they think is a threat to national security". That includes hackers or anyone they can label as a terrorist. The real risk it seems is being in the same car or house as someone the US is after, since they generally drone bomb the place without regard to who is inside as long as their target is there.
You might not like the message, but they're not going after Ruby on Rails developers. They're going after virus makers targeting military networks etc. Or Al Qaeda's social media manager.
If someone is at war with your whole state or society or culture, then they aren't going to make a lot of fine distinctions about whether you were working on military software.
Since when did we start to believe that civilians are safe in wars? Is this not one of the worst and most ancient aspects of war, that it consistently kills civilians?
Yes, formally it is possible to attack a nuclear facility, launch missiles or intercept drones, so it is an understandable military position.
Moving hacking from play, to fraud, and then warfare has deep implications that are very important to discuss. Mainly what happens if play is confused with warfare. I can imagine (is happening indeed) witch-hunting in the name of security.
I'm not going to argue your point (that killing them might be justified), but I do want to add that if you're close enough to capture them, they'd be a much more valuable prisoner than an everyday soldier.
If you think about it, a cyber-hacker (normally) won't be much of a threat to the capturing force ... how many are trained warriors? And the amount of knowledge that might be gained is immensely more (again, how many are trained to withstand even mild torture)?
