Are there international rules for cyberwarfare?

The systematiccrash of the computer systems of banks and TV broadcasters in South Korea reportedlythe result of an attack that was widely speculated to have been launched by North Korea raises questionsabout what internationallaws, ifany, governthe new and unexplored area of cyberwarfare.

"The answer is there's nothing and there's everything," said Michael Schmitt, professor and chairman of the international law department at the U.S. Naval War College.

Schmitt, who was asked by the NATO Co-operative Cyber Defence Centre of Excellence to look into these issues, chaired athree-year project that brought together 20 academics and practitioners from around the world. The culmination of their efforts was the recently published Tallinn Manual on the International Law Applicable to Cyber Warfare.

"Ifyou're looking for cyber specific law, alaw that says 'a cyberattack that causes theseconsequences in an armed attack to which you can respond,' you will find nothing," he said."But it was our unanimous consensus among the group of experts that the existing international law applies to cyberspace and tocyberweapons."

This means that,as international law permits a country to defend itself and retaliate if attacked by conventional weapons,a countrythat is the victim of acyberattack that causes damage or death, may also retaliate, either through cyberwarfareor conventional weapons.

"Hack into a control system of a dam and release waters downstream. Those waters are going to cause significant damage, physical damage,people will drown. In my mind that's clearly an armed attack," Schmitt said. "And if someone did thatto Canada,you could resort to force, not only cyber but armed force to defend yourself."

Other examples of cyberwarfare that are grounds for retaliation by forcecould include hacking into a water treatment plant and causing chemicals to flow into the water, thereby poisoning the population, hacking into air trafficcontrol systems and causing planes to crash, orhacking into a hospital and changingpeople'sblood type,causing harm to patients

But the attack onSouth Korea, if in fact North Korea was responsible, is different,Schmitt said. The attack is certainlya violation of SouthKorea's sovereignty and a violation of international law, he said, but not grounds for the use of force in response.

"We would call that a below the threshold operation that certainly would permit a response from South Koreabut the response could not include armed force," Schmitt said.

The retaliatory optionsfor South Korea would include countermeasures. These are actions that can be taken by the aggrieved state thatwould normallybe unlawful under international law but are considered acceptable because the aggressor state violated international law first.

"If stateA attacksstate B'sbanking system, stateB may thenrespond proportionally against state A's banking system to compel stateA to knock it off," Schmitt said.

His group also looked at issues surrounding cyberattacks on civilians. Under international law and the principle of distinction, when on the battlefield,operationsmay only be directed against military objects and combatants and not civilians.

"We asked the question 'when is a cyber operation a forbidden attack?' There are allsorts of things you can do in cyberspaceagainst civilians during an armed conflict that doesn't physically harm them and doesn'tinjure them,"he said.For example, erasing personal data or messing with their banking records.

"What we said is that this is a very hard question. Not unanimous, but the majority said that an attack, in the law of war, meansyou physically harm someone,you break something, you cause physical damage or you interferein the functionality of an object such that it needs to be actually repaired."

Ashley Deeks, an associate professor at the University of VirginiaSchool of Lawand an expert in international law, said many of the scenarios are case by case.

"Even in the kinetic world, there is no real definition of what an armed attack is,"she said, adding that states look to past practices.

For example, the Stuxnet computer virus, reportedly launched by the U.S. that attacked and destroyedhundreds of centrifuges at theNatanz uranium enrichment facilityin Iran, raised these issues.

"Iguess I would just characterize itas the closest thing we've seen to a cyber action that produces real world effects, not dissimilar from what akineticattack would do. But I'm not prepared to say it was an armed attack."

That's why alot of peopleare starting to devote a lot of attention to cyberwarfare and trying to sort out where the lines are, Deeks said.

"There are a lot of question marks. If you took out a banking system, and it caused massive instability in the country ... that could be construed as an armed attack by some states. But it'sreally an open question," she said.

"There would be other states that say, 'No, unless people die, things blow up, not an armed attack. We want to set a high threshold.' Others say, 'That 's crazy. You want to start deterring these things.You want to call lower level things armed attacks."

However, Schmitt said he believes all these thresholds willevolve over the next decade.

"I anticipate that we'll see a lot of thresholds coming down that will allow states to respond more vibrantly to cyber attacks that might not be possible under thelaw as we found it."