With the support of NATO, legal experts have released a manual as a first broad attempt to codify how international law applies to state-sponsored hacking. The handbook, authored by legal experts working in conjunction with the International Committee of the Red Cross and the U.S. Cyber Command, details what is or is not a legitimate target in cyberwarfare.
It states not only that full-scale conventional wars may be triggered by cyberattacks, but that civilian "hacktivists" can be targeted with conventional weapons if their cyberattacks seriously damage property or cause deaths. The handbook, titled "The Tallinn manual," is primarily advisory and is not an official NATO document; the rules of cyberwarfare remain hotly debated. As the HuffPo U.K. pointed out, experts were divided on exactly when a civilian hacker might be a target. The manual explicitly notes that consensus has not been reached on this issue:
Consider the example of an individual hacktivist who has, over the course of one month, conducted seven cyber attacks against the enemy's command and control system. By the first view the hacktivist was only targetable while conducting each attack. By the second he was targetable for the entire month. Moreover in the absence of a clear indication that the hacktivist was no longer engaging in such attacks, he or she would have remained targetable beyond that period.
As the Guardian noted, the manual follows the Geneva conventions in outlawing certain civilians sites as cyberattack targets. Rule 80 of the handbook states: "In order to avoid the release of dangerous forces and consequent severe losses among the civilian population, particular care must be taken during cyber-attacks against works an installations containing dangerous forces, namely dams, dykes and nuclear electrical generating stations, as well as installations located in their vicinity." Hospitals and medical units are also protected.
Although recent years have seen major incidents such as the Stuxnet virus, which targeted alleged Iranian nuclear enrichment facilities and was believed to have come from the U.S. or Israel, the manual states that, "To date, no international armed conflict has been publicly characterized as having been solely precipitated in cyberspace."