Call to define rules of cyber war Published duration 14 October 2010

image caption Cyber attacks, like nuclear weapons, should force a change in defence policy

Nations need to define the rules of engagement for acts of cyber terror.

The call for clarity was issued by Michael Chertoff, former head of the US Department of Homeland Security, at the RSA security conference in London.

He said the lack of direction was giving the initiative to criminals and hampering co-ordinated responses to the growing number of hi-tech attacks.

Countries should be able to defend themselves, he suggested, if an attack posed imminent danger to human lives.

"It's the least understood threat and the one where our doctrine is least developed," said Mr Chertoff.

Graded response

The need for such a doctrine was as pressing now as it was in 1950s, he said, when the emergence of nuclear weapons rendered irrelevant earlier policies governing when and why conflicts were fought.

That vacuum was filled by the policy of deterrence which defined what response could be expected from the US depending on how its territory or citizens were threatened.

"It was very clear to an adversary the consequences of an attack," he said.

In a similar way, said Mr Chertoff, a nation's cyber defence doctrine would lay out a range of responses depending on the severity of the attack.

"We have to treat espionage as different from attack or massive fraud or theft of information," he said.

Theft and espionage could be dealt with through the legal system, he said, with the strongest responses being reserved for the most serious cases.

"If you cause imminent danger of loss of life by attacking a network that's a different story," he said. "Theft is bad but murder is worse."

International laws of self-defence would allow a nation to respond to remove the threat posed by an imminent or unfolding attack, he said.

He admitted that such serious attacks on national infrastructure, such as rolling blackouts that led to deaths in hospitals, had not happened yet, but added: "I would not like to experience the first one."

"There seem to be very few entities that are perfectly immune from these types of attacks," said Mr Chertoff who now heads the Chertoff Group, which advises nations and governments on risks and security.

By defining a doctrine, he suggested, all nations would be encouraged to police domestic networks better to avoid incurring a strong response.

"The greatest stress you can have on security is when there is uncertainty," he said. "We are now in a state of uncertainty."

The need to develop response scenarios and an over-arching doctrine was becoming pressing, he said, as those involved in hacking for money carried out ever more attacks.