State-sponsored cyber attacks must avoid sensitive civilian targets such as hospitals, dams and nuclear power stations, according to an advisory manual on cyber warfare compiled for Nato.
The handbook says that, in accordance with Geneva conventions, attacks on certain key civilian sites are outlawed.
The document, known as the Tallinn Manual, is not an official document, but an expression of the opinions of a group of independent experts who have been working on the project for three years.
The group was convened by Nato’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, as a first attempt to codify how international law applies to state-sponsored cyber attacks.
The CCDCOE was set up in 2008 after a wave of denial-of-service attacks that crashed websites and damaged Estonia’s infrastructure.
The manual includes a provision for states to respond with conventional force if another state's aggression through hacking into computer networks results in death or significant damage to property.
The manual says "proportionate counter-measures" against state-sponsored attacks are permissible, but cannot involve the use of force unless the original cyber attack resulted in death or significant damage.
It also states that so-called "hacktivists" who participate in online attacks during a war can be legitimate targets even though they are civilians, according to the Guardian.
The Tallinn Manual contains 95 "black letter rules" and is regarded as the most important document in the law of cyber warfare, the paper said.
The manual states: "An international armed conflict exists whenever there are hostilities, which may include or be limited to cyber operations occurring between two states or more."
The manual also notes that: "To date, no international armed conflict has been publicly characterised as having been solely precipitated in cyberspace."
Nevertheless, the international group of experts unanimously concluded that cyber operations alone might have the potential to cross the threshold of international armed conflict.
Rule seven states that if a cyber operation originates from a government network, "it is not sufficient evidence for attributing the operation to that state, but is an indication that the state in question is associated with the operation".
In 2010, the UK's national security strategy classified cyber attacks, including those by other states, as one of four "tier one" threats, alongside terrorism, military crises between states and major accidents.
In February 2013, the UK government signed an agreement with Estonia to work together on developing digital public services.
Estonia is particularly interested in “cooperating in matters of IT security”, and the UK government is keen to export its cyber security capability to other countries.