Hacker News
Killing hackers is justified in cyber warfare, says NATO-commissioned report (vrge.co)
101 points by achalkley on Mar 27, 2013 | 79 comments

I can feel some downvotes coming for this, but people need some perspective. They are talking about hacking the US military with potentially life and death consequences. Why people seem to think that they could do that without risking their lives is beyond me.

<tinfoilhat> That's how it starts. Next up, they'll report that "sensitive military servers have been tampered with". Maybe it'll be true, maybe not. Nobody knows but them. The definition of "potentially life and death consequences" will be bent & twisted beyond reason. Then add a bit more propaganda and it's wartime with whatever country they named. </tinfoilhat>

(I'm not downvoting you)

Those are the risks of a standing army- computers don't change that. The bottom line is that if you want to "play" in the military's back yard, you can't hide behind your computer as if it makes it any less serious.


It's not about China. It's about the military doing its job, which is the enforcement of political policy by means of violence. There is a broad spectrum of possible responses to an attack ranging from "ignore it" to "nuke it". Computers don't change that.

A more direct answer might be this: What if an enemy hacker was attempting to compromise battle plans for an impending invasion? I suspect the military would try to stop that effort with violence if there were no easier way.

There is an easier way though... change all the fucking passwords from "password" and stop buying compromised equipment from China because it's cheap!

Military intelligence.

I don't know... Shooting hackers may actually be easier than getting people to pick and remember more complex passwords.

In all seriousness though, security is not that simple. Yeah, what you're suggesting would mitigate risk, but it wouldn't come remotely close to eliminating it. You can end/save lives through hacking, and if you're costing the opposition lives, you should be treated as anyone else would be.

I guess the idea of keeping sensitive military and industrial hardware off of the public Internet never occurred to anyone, either.

Why does Three Mile Island need a REST API?

That scenario is no different than it is today...

see also: WMD

In principle I agree with you. But the danger here is that, unlike with physical projectiles, it can be difficult or impossible to find out where a hack attack is originally coming from. I'm sure all of the world powers and quite a few smaller ones have their own international botnet by now.

Take for example the recent "cyber attacks" on South Korea. They first accused China, North Korea, before doing deeper investigation and finding that the attack originated from somewhere else. They could have very well killed the wrong people, starting a war with the wrong country.

And like the infamous "weapons of mass destruction" this can easily be used to attack a country under false pretenses.

IMHO much more resources should be spent on research and tools to make software intrinsically safer and more secure, instead of all the pooha about war and killing. It could lead to much more sustainable solutions that actually solve the problem of "we're much too vulnerable digitally".

They are not talking about hacking only military targets. But they are talking about State-sponsored attacks and State-directed retaliation.

The study indicates that killing state-sponsored hackers is justified as an act against the aggressor State, not as an act against those individuals.

Attacking an individual in another State is itself a violation of that target State's sovereignty and would be grounds for legal retaliation.

The real legal problem in this comes from the grey area around where "terrorists" fit in these definitions [1] and who exactly gets to define "terrorist" [2].

But given how far US legal minds have already taken the escalation of executive power in these cases, it seems silly to think they'd feel particularly restricted in adding "hellfire missile" to their list of options, if not for some third party's supportive legal opinion.

Frankly, when the State can simply disappear a citizen without recourse, the question of whether they may decide outright murder is legal seems rather superfluous.

[1] Where it is precisely the lack of State sponsorship that brands one a "terrorist" and opens the door to extra-legal abuse.

[2] In the US, two administrations have asserted that a "terrorist" is anyone the executive branch claims is a terrorist due no particular evidential requirement and subject to no legislative restriction or judicial review.

Well put.

Exactly some of the points I tried to point out, as well, in my comments. There is also the central issue that this document is a NATO handbook, not a doc focused on the US military or other governmental agencies.

NATO is trying to wrestle with how to understand and apply the Geneva Conventions to cyberwarfare.

Seems some people are missing that part and reacting as if this is another secret White House memo.

> In the US, two administrations have asserted that a "terrorist" is anyone the executive branch claims is a terrorist due no particular evidential requirement and subject to no legislative restriction or judicial review.

That's not actually true, but don't let the facts get in the way of your narrative.

War, in the traditional sense, used to be easier to define. A bunch of people with weapons, pointing them at each other and pulling triggers (as well as the command-structure and supply chains that support them). Defining when you're at war was easier.

Nowadays, people push buttons from great distances away and one keystroke could unleash havoc halfway around the world. Meanwhile the guy who pushed that button is off to pick up his kids from school (he may not even have known what he started since his code is one piece of a larger whole). At what point are you at war in that scenario? When can the guy who pushed the button be considered an aggressor? While he's behind the keyboard or at anytime during his life thereafter? If he's already part of his country's military, I guess this is different.

I suspect there's a lot of exaggeration in the headline and the actual document is more nuanced.

If it was so easy to define war, then when did the US Civil War begin?

We are already in an era after the atomic bomb, after "total war". Now we are disturbed that in the future, civilians might be killed along with the countries they support in war? How about this happening constantly in war all the way back to city-states?

Exactly, there are death camps as far back as classical Greece, as anyone who has read Thucydides will know.

> I suspect there's a lot of exaggeration in the headline and the actual document is more nuanced.


I think the message is "the US could kill anyone they think is a threat to national security". That includes hackers or anyone they can label as a terrorist. The real risk it seems is being in the same car or house as someone the US is after, since they generally drone bomb the place without regard to who is inside as long as their target is there.

You might not like the message, but they're not going after Ruby on Rails developers. They're going after virus makers targeting military networks etc. Or Al Qaeda's social media manager.

This is NATO. It is not a doc produced for DOJ, or some other executive-branch agency.

This article is bullshit reporting sensationalizing the story. Here is an actual report on the NATO manual this article is about: http://www.guardian.co.uk/world/2013/mar/18/rules-cyberwarfa...

I guess most people simply did not think about it yet, including myself. Though a minor one, I'd become a target just like "real" soldiers.

As long as you don't use computers to knowingly kill people, you should be safe...

If someone is at war with your whole state or society or culture, then they aren't going to make a lot of fine distinctions about whether you were working on military software.

Since when did we start to believe that civilians are safe in wars? Is this not one of the worst and most ancient aspects of war, that it consistently kills civilians?

Yes, formally it is possible to attack a nuclear facility, launch missiles or intercept drones, so it is an understandable military position.

Moving hacking from play, to fraud, and then warfare has deep implications that are very important to discuss. Mainly what happens if play is confused with warfare. I can imagine (is happening indeed) witch-hunting in the name of security.

So someone doesn't like you, right? They hack into your home computer and from there launch an attack on the military. You are dead.

The civilian version of this is SWATing.

I'm not going to argue your point (that killing them might be justified), but I do want to add that if you're close enough to capture them, they'd be a much more valuable prisoner than an everyday soldier.

If you think about it, a cyber-hacker (normally) won't be much of a threat to the capturing force ... how many are trained warriors? And the amount of knowledge that might be gained is immensely more (again, how many are trained to withstand even mild torture)?

They are not "talking about hacking the US military with potentially life and death consequences."

Where did you see that in the text?

I think that it is intuitively quite clear that it is possible for 'cyber operations' to be part of acts of war. [1] And the perpetrators are therefore combatants and legitimate targets. But since I read P.W. Singer's Wired for War I have the strong feeling that the second order effects of 'cyber' and drone operations are quite poorly thought out. So for example a drone pilot is by this standard a combatant. And this reduces the protections international law has for his house and the civilians within (his family).

So I think that the dominant military power (or in case of the NATO, military alliance) should try to limit the use of potentially disruptive developments, already out of self interest.

[1] I will not argue in this about the morality of war or the logic of warfare. Here I will simply argue within this framework.

Is a man sitting in a bomber a combatant? If so, then how is a drone pilot not a combatant?

How does international law protect civilians in a war, except by the actions of a party interested in protecting those civilians?

"And this reduces the protections international law has for his house and the civilians within (his family)."

I don't know what protections you are talking about, but I doubt the pilots would be piloting anything from their homes. They only go there on leave, just like all other soldiers. As for hackers, if a state sponsored attack is launched from a civilian home, it is a violation of the rules of war. The hackers should be in a military installation when doing anything (they probably would anyway, just for security, easier cooperation etc.). There has always been soldiers who fight wars without going to the battlefield.

The scenario I am thinking about is, that bombing an apartment block full of civilians is quite clearly a war crime. On the other hand, bombing barracks is not. And since a drone pilot on leave is as far as I understand still a combatant, he can be attacked given that the harm to civilians is 'proportional.' [1]

[1] https://en.wikipedia.org/wiki/Military_necessity

Also, it should be possible to give drones even more selective weapons:


And there we go. Right on track[1]. So first we keep putting "chinese" and "hackers" into the same sentence with or without proof. Now we start to talk about killing hackers. So now I've been told hackers can be made targets of lethal force and China has a lot of hackers. What next?

1. https://news.ycombinator.com/item?id=5351714

Add that to their ever increasing willingness to kill everyone and anyone secretly with drones and it equals serious badness.

Who is "their"? This is NATO we're talking about. To my knowledge, NATO purchased 5 surveillance drones a year ago, and one of them crashed in January. So they're down to four. And I don't believe there are any NATO drone-executed kill operations known to have occurred.

Consider stuxnet. Now replace Iran with the US and replace centrifuges with missile launch and targeting systems.

You don't need to do that; the US already kills anyone they want to as it is.

You don't even need an internet connection for them to receive virtually zero criticism for blowing you up with a drone-launched missile.

An impressive amount of hyperbole was packed into this comment.

In response to the parent: I highly doubt any of those systems are connected to the web, and more importantly it's likely the operators of such systems practice a bit more stringent data sanitization than the Iranians.

So, presumably it's fine for secret murderers to hunt down fighter pilots, tank commanders, Navy commanders, drone operators, etc?

A hacker is a person using a tool, or weapon. They do the hack, and it's done. Then get on with life, or do work or do training, etc. Same as a tank commander. Most of the time they are not doing tank killing. They are laid up, or doing something else. So, why not hunt them down the same way? Why are hackers special?

Talk about pussy easy fashionable target.

> So, presumably it's fine for secret murderers to hunt down fighter pilots, tank commanders, Navy commanders, drone operators, etc?

Uh, during wartime... yes?

They're all combatants, and it's simply a good strategy to hit your enemy when they can't shoot you back.

A lot of hackers I know have a pretty bohemian lifestyle. I wonder if the realization that they will soon become direct targets by governments will affect the United States' current cybersecurity "hack for the country" recruiting push. Imagine not being able to travel outside the country for fear of being offed, any time any place.

The title is, unfortunately, link-baity, misleading, and really misses some of the most alarming parts of this doc.

The article from The Guardian[1] is more balanced in presenting the actual news. This doc[2] is directed at how to handle state-sponsored and other war-time cyber attacks, offering a set of guidelines that indicate targets that are expressly advised to be off-limits--such as "sensitive civilian targets such as hospitals, dams, dykes and nuclear power stations". It is wrestling with how to understand and apply the Geneva Conventions to cyber attacks (e.g., see Rule 80).

Where do civilian hackers come into play? When they're among those "who participate in online attacks during a war". Yes, that is worrisome and potentially alarming if applied too broadly. While abuse of these guidelines concerns me (greatly), this is not a new issue in the art of contemporary war.

Consider the French Resistance during WWII--a heavily civilian-populated paramilitary resistance force that not only engaged in intelligence theft & trafficking, but also were highly regarded and notorious for coordinating and executing sabotage against power grids, transportation infrastructure, and telecommunications networks. I think it could be argued that the Resistance is a historical analogue to contemporary hackers/hacktivists engaged in cyber attacks during a state of war. This document is essentially wrestling with the legalities and rules of war that should apply where the contemporary equivalent is concerned. Of course, I'd guess a lot of us would have greater sympathy for Resistance-style hackers engaged in acts of sabotage than, say, state-sponsored hackers who are targeting domestic nuclear facilities.

The real meat of the NATO document appears to be circling this line of thinking:

> The manual suggests "proportionate counter-measures" against online attacks carried out by a state are permitted. Such measures cannot involve the use of force, however, unless the original cyber-attack resulted in death or significant damage to property.

Okay. Prohibition against launching missiles and invasion forces as retaliation for hacking that did not result in death or significant damage to property? Check. (of course, we need to be careful about how we define 'significant damage to property').

This is, however, where the document gets far more interesting and alarming than the OP article mentions. Specifically, note Rule 22 and commentary:

> "An international armed conflict exists whenever there are hostilities, which may include or be limited to cyber operations occurring between two states or more . . . To date, no international armed conflict has been publicly characterised as having been solely precipitated in cyberspace. Nevertheless, the international group of experts unanimously concluded that cyber operations alone might have the potential to cross the threshold of international armed conflict."

We've now hit the point that state-sponsored digital operations are recognized as having the potential to initiate armed international conflicts. Not only that, but we have a formal declaration that international armed conflict may be limited to 'cyber operations occurring between two states or more'. That is the more alarming bit of news here.

[1]: http://www.guardian.co.uk/world/2013/mar/18/rules-cyberwarfa...

[2]: http://bit.ly/YTbtRd

Viable scenario: a state-organized effort perpetrated solely thru data networks shuts down a nation's entire power grid (electric, gas, etc.), and in a manner where re-activation thereof will be slow & expensive (transformers blown, gas pipes ruptured, etc.) with extensive major civilian consequences (dominating digital economy offline, health/rescue services disrupted/overwhelmed, traffic congestion skyrockets, etc.). Think Stuxnet for the electric company. The perpetrator is identified.

Variation: this is detected beforehand, but very little time remains (hours/minutes) before "detonation". Polite diplomatic channels are in no way fast enough. The cyber-attack is traced to 10,000 malware-hijacked PCs in a handful of concentrated residential neighborhoods.


Too many variables unaccounted for in the second scenario. For example, do we know what is going to be targeted and through what method it would be attacked? How many legitimate users need web access to this critical service?

Assuming that knowledge, there's plenty that could be done if we have forewarning. Take those neighborhoods offline at the ISP level. Alternately, block the zombie IP ranges via firewall at the receiving end.

I think the real danger is that we won't have such forewarning, and in the slim chance we did we won't have that crucial knowledge (what specifically is the target and attack vector?).


Just curious, when did you learn to code? For me it was about 5th grade. There are 6th graders now who were born after the United States entered Afghanistan. There are currently human beings capable of writing software who have never existed in a non-wartime state.

Just something to consider when we declare measures like these "extraordinary" and justifiable in "wartime." The War on Terror isn't going to just end. You and I may not live to see the next peacetime. If we say it's okay during wartime, then it had better be okay during the majority of our lives.

Well, at just shy of 32 years old, there has yet to be a single year of my life free of official conflicts or wars. In fact, even my 52-year-old father has not experienced a year of his life free from official conflict or war in effect. If you're older than him, perhaps you've experienced a non-wartime state, but you'd pretty much have to be older than my grandfather.

This document isn't talking about there being conflict just anywhere in the world, but about the actors involved within the states that are officially engaged in open hostilities--i.e., if there is conflict between China and Taiwan, it's not okay for Pakistan to retaliate with conventional force against a group of hackers in India. At least, that's how it reads to me at the moment.

Also, I wasn't saying it was okay. I was pointing out that the posted article is sensationalized, misleading, and misrepresenting the information to get page views--while adding some actual context and content the article completely left out or presented incorrectly. And I wanted to draw an historical analogue to something I thought many people would know about that could be accomplished by hackers today, potentially falling under the purview of this new NATO guidance.

[edit: I learned to code in 5th/6th grade. sorry to leave that out.]

The US is not a 'wartime state'. It's been committed to business as usual, and if you never bothered reading the news, you could get away with never knowing it was at war for the most part. No rationing or real shortages, no conscription, no opposing forces tromping over the nation, no aerial attacks. The US is technically at war, but its society isn't - if you don't want to sacrifice anything for your country, you can go about your business quite happily and undisturbed.

This is exactly the point. The government has repeatedly used the legal fiction of the United States being "at war" to dramatically expand its punitive authority, despite the fact that the "war" is an open-ended, amorphous legal fiction. That's why it is so dangerous to dismiss some extraordinary assertion of power because it only applies "in wartime"; it's always wartime, even when it's not.

I agree that it's alarming to think of cyber-warfare escalating to a war, but I don't think it's unrealistic or uncalled-for. I'm concerned that a cyberattack could be misinterpreted (not really an attack, or originating from another body) but that's an education and sophistication problem, not an error in the legal premise.

I, too, do not think it is unrealistic or uncalled-for. My sense of 'alarming' is anchored a bit in a historical position--i.e., we've now reached the point in history where an action taken on a computer in a room in some corner of the world can be the trigger for formal war declarations, and is officially recognized as such.

We thought blitzkrieg was a challenge about 75 years ago. This is a huge shift.

I think you're muddying the waters by introducing Francs-tireurs into the mix - I am sure this document is about state actors; resistance groups are a trickier proposition, e.g. USA politicians effectively turning a blind eye to PIRA fund raising.

Some research finds that under current laws of war "Combatant and prisoner of war status is granted to members of dissident forces when under the command of a central authority. Such combatants cannot conceal their allegiance; they must be recognizable as combatants while preparing for or during an attack."

So it looks like the self-organizing nationalists, as some of the Russian and Chinese hacktivists have been described, that attack enemies of the state are not covered.

> I am sure this document is about...

The document is about its contents and its contents alone, irregardless of what we may be sure it is about.

I disagree that including the French Resistance as an analogy for the types of groups that could come under the provisions of this manual is muddying the waters. They strike me as a salient example of non-military, non-governmental personnel who could be (and were historically) categorized as combatants if engaged in cyber activities during armed conflicts.

The manual specifically includes civilian actors engaged in cyber actions during wartime hostilities between countries. It does not, to the extent I've read it so far, include a distinction between those who are resistance groups and those who are state actors--that's a subjective determination and what this doc is discussing is applying the Geneva Conventions to contemporary issues.

[Nitpick:] More confusing still, using Francs-tireurs is, unfortunately, both too specific and ambiguous at the same time. Some (like myself) might mistake you for meaning the Francs-tireurs from the Franco-Prussian War, where the term originated. Or did you mean Francs-tireurs, the name adopted by a couple groups who were part of the Resistance (like the FTP). Then again, that francs-tireurs became a more generalized term to refer to potentially non-lawful combatants between and after all the wars from the Franco-Prussian to WWII, adds further chance for confusion. Assuming you are referring to the French Resistance as I was, however, it is not the general term used for the Resistance members as a whole.

Given the quote you include, it then sounds like you're not responding to the Resistance at all, but perhaps the generalized francs-tireurs--note, no capital F--about whom those rules were made during the Third Geneva Convention.

I don't see the point... the article begins with:

> A landmark document created at the request of NATO has proposed a set of rules for how international cyberwarfare should be conducted.

Really? As if people really followed the rules during wars. History is full of people breaking such "rules" and nothing happens... after all "it's war".

I'm not suggesting people under extreme stress should be expected to act impartially... though I wonder why discuss such rules if none will be applied anyway.

I don't think there's any new distinction to be made about hackers regarding this. Rather, hasn't it always been a question of whether someone was a target of interest or not?

I wouldn't be surprised if the US and Soviets were killing hackers 25+ years ago during the cold war.

There are some conspiracy theories floating around the deaths of Boris Floricic [1] and Karl Koch [2]. Especially the latter one is often connected to the KGB due to his involvement as a hacker during the cold war.

[1] http://en.wikipedia.org/wiki/Tron_%28hacker%29

[2] http://en.wikipedia.org/wiki/Karl_Koch_%28hacker%29

Wasn't familiar with them. The notion that Koch burned himself to death with gasoline as a means of suicide is absurd.

URL shortener blocked here for some reason. Working link:


Surely in this context "cyber warfare" means state sponsored hackers, probably working for the military at a military establishment guarded by people with guns.

Not just some kid who nmaps the wrong netblock.

That is precisely what the NATO document in question is specifying.

However, they also include civilian 'hacktivists' who engage in cyber attacks against an enemy state during existing armed conflict.

[edit: clarify civilian angle]

This message is sure to alleviate their technical recruiting problems.

Spying and sabotage have always been frowned upon by countries at war, regardless of the means.

Whether wars are of the "world" variety, the "cold" variety, or the dubious "terror" variety matters not.

Related to this:


A weapon system comparable to this would enable a drone to reliably target one and only one person. That would be instrumental in taking out both hackers and drone pilots under this new doctrine.

If you're interested in a movie related to the subject, check out http://en.wikipedia.org/wiki/Sleep_Dealer

Ignore the main plot and look to the interactions between the protagonist and the drones:

> catches him monitoring a frequency used by the drones, an act that warrants a brutal attack

What does the report say about what amount of damage requires killing in retribution? Is it with due process or not? Would hacker include anyone with a computer that's in reach of drones?

I believe the language of the memo is framed in the context of an existing armed conflict. Even then, I think the level of damage done (and whether it is ongoing) that would determine the level of response. I imagine in the case of most amateur attacks they would simply mitigate the attack and move on, in others they might retaliate digitally. The option to drop a bomb on the hacker is probably a last resort, in the face of sophisticated and ongoing attacks (but in such a case how they'd determine the hacker's location is beyond me).

Please explain your understanding of the role 'due process' plays in international wars. Are acts of war preceded by international trials of some kind? Who provides the judge?

I meant in cases when military is damaged by a foreign spy working on American soil. If he is an American citizen would he receive chance to defend or just be summarily executed?

Someone hide Ally Sheedy and Matthew Broderick!!

...what? What part of "killing is bad" don't these people understand?!

What part of "killing by electronic means is just as bad as other killing" don't you understand?

I totally get that, killing by way of attacking critical infrastructure is totally morally wrong, but it doesn't justify retaliation by killing or "counterstrike". It's the reason I don't agree with the death penalty, but I also get that the death penalty is a contentious issue. My point is, killing is bad all the time regardless of reasoning (barring self defence), and justifying killing by saying "oh, they did it first" isn't ok. Surely it would be better to go about it in such a way that all killing was marked as wrong, and retaliation would be confined to reasonable legal measures, such as jailtime etc.

I don't see why it wouldn't be. We live in high tech times. Cyber warfare is nothing different than physical violence.

> Cyber warfare is nothing different than physical violence.

So you wouldn't mind then if I secretly install a program that makes your computer attempt to hack some US military network? Because that's a huge difference between physical violence and cyber "violence": in meat space, I can't hijack your body to commit crimes.

"Casualties of war" are, like it or not, a given. In war, if X is an active lethal threat, and the best expedient option is to destroy it ASAP, bystanders caught in the destruction are deemed acceptable losses. If a program running on your computer unbeknownst to you is doing something causing grave harm to others right now, those being harmed have the natural right to do whatever it takes, including at least equal harm, to make it stop.

In fact, that's the whole point of war: all other viable options for self-preservation (personal and national) have been exhausted, leaving only killing people and breaking things until the threat stops.

The whole point of modern war, is that you make other people kill each other, in order to profit from selling them both weapons and "help" them rebuild after the destruction.

If someone sneaks a bomb into your luggage and it goes off at the airport, didn't they just hijack your body to commit a crime?

Your body wasn't hijacked, it was doing what it had already planned on doing (going to the airport). When your computer is hijacked, it is actively controlled to do something it had no plan to do. The point I'm trying to make is that there's an element of control that is clearly in one to a high degree that is absent or debatable in the other.

This whole argument can get philosophical, but I see your point.

This is a problem of collecting evidence about who is responsible. It doesn't address the underlying nature of the responsibility. In your hypothetical, you are the one who is responsible both for the hacking of the military network (in the context of this discussion, presumably to do physical work like killing people) and for fingering someone else. This is indeed not very different from physically committing a murder and planting evidence pointing to someone else. Yet that does not cause us to challenge the notion of responsibility for murder.

Time to start working on the script for "Meat Hackers".
