Chinese Network Warfare ~ 中國網絡戰

Chinese Rules of Engagement for Network Warfare and the “Tallinn Manual on Cyberwar & International Law”

Chinese Editorial Note: At present the international community did not reach any substantive agreement on military activities in cyberspace. In 2010, the United States and Russia and other 15 countries agreed to strengthen cybersecurity legislative proposals, did not form a rule. 2013 NATO launched the “cyberwar Tallinn Manual on International Law” (hereinafter simply referred to “Tallinn Manual”), is currently the only one in this area more common meaning of the file, but not universally acknowledged, does not constitute a direct legal binding force, We do not agree with their “cyberspace do not need new rules, existing international law applicable to cyberspace” principle. But its future cyberwar international legislation has strong demonstration effect, we need further research to help us develop the network rules of engagement and participation in the development of a global code of conduct in cyberspace.

网络战交战规则初探

From the 1990s, the United States first proposed the concept of network warfare began, to now have dozens of the world have a more significant cyberwarfare capabilities. This indicates that cyber warfare tactics and command and management system is constantly maturing. But contrast that cyber warfare in policy and law still faces many challenges. So now, how does cyberwarfare qualitatively apply to the law, how is it regulated? Countries can only rely on their own constraints on the military, according to their own network security policy, cyber warfare strategy and for general international understanding to control cyber warfare, to serve the real political need. This provides a good platform for the use of cyber warfare rules of engagement.

First, the basic theory…

(A) Concept. ROE (Rules of Engagement, ROE) is a term more accepted in Western armies, which refers to political or military authorities developed or approved in accordance with aspects of the political, military and legal requirements, in order to define the mission of the armed forces may be used Task force to achieve environmental, conditions, extent and manner of military instruction. The cyberwarfare rules of engagement refers to the definition of cyberwar means may be used to achieve environmental, conditions, extent and manner of the military mission of military command, such as the provisions of the other party at the time was an armed attack, air defense system on the other side can implement network attacks.

(B) Content. ROE is the Second World War, the United States and Britain and other Western countries in order to adapt to the changes and development of the international order of the military system, by its very nature that open up strategic, operational, and tactical at all levels, clarity and refinement means and methods of warfare of authorization by means of rules, to strengthen command and control of military operations, to ensure that the legitimate use of force. Rules of engagement will be an international law of armed conflict and other legislation compared foundation, but essentially unilateral authority to rule their own troops sent under constraints. Rules of engagement are different from the concept of tactical guidance, strategy guides, and military, such as the network confrontation, cyber warfare rules of engagement will only be able to take provisions which face the threat of cyber warfare means (such as air strikes), you can use what kinds of attack means (such as “worm” infection), which specific targets (such as power grids, air defense system) can be attacked, but as to which server to use to attack each network warfare units fit together, what time to launch attacks, referred to the tactical guidance.

(C) Cyber status quo. First appeared in the combat rules of engagement in the field, followed by a naval battle, Marine rules of engagement. Currently the rules of engagement are widely used in various fields of Western military practice, and Indonesia, the Philippines and other developing countries learn from. With the development of cyber warfare, the rules of engagement will naturally expand cyberspace. In the US, for example, in 2002 George W. Bush signed a presidential decree, proposed a national policy network warfare and cyber warfare rules of engagement authorize the creation, in 2006 the US Department of Defense for the first time issued a cyber warfare rules of engagement, and updated in 2013 for the first time. Presumably, there are also many other countries have also developed their own cyber warfare rules of engagement, but it is difficult to ascertain because of dense high specific circumstances.

Second, the development foundation…

ROE is a collection of political, military and legal aspects of the three requirements, and therefore political, military and legal battle with the network-related, is the basis for the development of cyber warfare rules of engagement.

(A) Political Aspect. We must first consider the overall national development strategy, the network action should serve the overall national strategy.Second, we must consider diplomatic relations with other countries, for the allies, important economic and trade partner or strategic rival of network operations, or to respond to network operations from these countries should adopt a different policy. Third, we must consider their network security policy, which is the overall security, protection, and their reliance on such factors as their networks and make a comprehensive judgment, is cyber warfare and should be an important factor to consider.

(B) The Military Aaspect. We must first consider their cyber warfare military strategy, with its rules of engagement as traction. Such as former White House officials had suggested the United States should establish a network attack to the network backbone, the power grid, the Defense Department network trinity of network defense strategy, if the US government to adopt this proposal, the rules in network defense may encounter these three Set a higher level and faster response force upgrade measures. Second, we must consider the network combat skills and tactics. If feasible, cyber warfare rules of engagement should be specific to different tactical means. Third, we must consider the different military tasks facing network operations environment and combat opponents, and then specify different network attack or defense policy in the rules of engagement.

(C) Legal aspects. First thing to consider international law applicable to their network operations. There is no special form of network warfare treaty, but both also have many of its rules constitute a direct binding force, such as the Hague Convention, the Geneva Conventions and the “UN Charter” and other, mainly related to constitute an illegal use of force or threat constitutes an armed attack, It is a violation of the legislation, how liability and so on. Second, we must consider the relevant national law, such as network security-related laws, decrees and other military command. Third, we must consider the current dispute the basic consensus of the international community and major cyber warfare relevant legal issues, because it reflected his country’s attitude and responses may encounter after the network action.

Third, the main content…

A complete network warfare rules of engagement file should normally include the following:

(1) to develop the basis, lists what national policies, strategies guidelines, drafted in accordance with the operational plan and other documents; and

(2) to judge the situation, indicating that the task background, operational environment and the need to achieve military objectives;

(3) Enable Time, the case of the usual rules of engagement, then once released can choose to enable, in the case of wartime rules of engagement can be specified with a battle plan enabled, or the state of war by command announced the opening and the like;

(4) the scope of such behavior may provide all the national forces participating in the network operations or any conduct by certain forces and personnel Cyber ​​Command command, it can also apply to civilian employment to participate in cyber warfare, participation foreign soldiers multinational joint action;

(5) the principle of requirements, such as all actions obey orders, law-abiding principle, the minimum necessary use of force principle, the minimum collateral damage principles;

(6) the implementation of policy, described the feedback the opinions, interpret or amend the Supplemental Rules, carry out relevant education and training, disposal procedures and methods of violations related to the confidentiality provisions and the like;

(7) the substantive rules, that can be used to specifically define cyberwar means to achieve environmental, conditions, extent and manner of the military mission, which is network warfare the main content of the rules of engagement, the main rule cyberspace may include self-defense, target selection rules, the rules of network defense, network attack rules.

(A) self-defense rules.

Means of self-defense against a hostile act or hostile intent obviously, in order from the effects of attack or attack will occur immediately the use of force. The rules of self-defense in the rules of engagement usually says: Who can in order to protect against any attack and to use what force. In cyber warfare includes two self-defense, first implemented in response to cyber attacks in self-defense, the second is to exercise the right of self-defense and implementation of the network action. For the latter, the current rules of international law and not to be clear restrictions, so that they meet the general requirements to exercise the right of self-defense, the former there are still many legal problems.

First, what network behavior may exercise the right of self-defense against. “Tallinn Manual” that a State may exercise the right of self-defense against armed attack reached (armed attack) network operations. Are network actions constitute an armed attack, depending on their scope and consequences.The United States on such “scope and consequences” proposed a standard. Obama suggested that “the United States to undermine or destroy our military, government or critical infrastructure cyber attacks against the same target actions are deemed to produce the same effect of kinetic energy attack” and said it would use all the power that can be used to fight back. However, due to the attack with air strikes and other kinetic ratio, scope and consequences of network operations more difficult to assess judgment, rules of engagement should be appropriate to improve the decision-making level, such as the theater, the military services level, and even Defense Minister or Head of State level. The United States will exercise the right of self-defense is defined as the national president right now, but the US military standard rules of engagement have been explicitly granted to self-defense under the specific conditions of different levels of force, does not require presidential approval to take action.

Second, who can protect the exercise of the right of self-defense while.Protected body is subjected to the body attacks its definition is actually included in the network operations, “the scope and consequences” of the judgment. As mentioned above, Obama focus on US government, military and critical infrastructure. Of course, critical infrastructure is a broad concept. NATO also proposed action may exercise collective self-defense on the network, but also to the protection of allies and exercise self-defense against cyber attacks.

Third, for whom the exercise of self-defense. Cyberspace easier for attackers to hide their identity. While Obama declared that the US “has the ability to determine the attribution of responsibility on the extent needed,” but did not give clear criteria and procedures. He also declared that “If a country refuses to timely prevent attacks emanating from the country, may be considered equivalent to the Government’s participation in the attacks,” “We will also investigate the attack process does not provide effective cooperation considered as equivalent to participation in the attack.” .However, this argument has no legal basis. “Tallinn Manual” that “only network to launch action or government network infrastructure originating from the fact that the action does not constitute attributable to the country’s sufficient evidence” only “indicates that the suspicious behavior associated with that country”; ” network operations within the network infrastructure via a country, can not constitute the act attributable to the country’s sufficient evidence. ” So if you can not determine the source of attack, the rules of engagement should only provides network defense measures and tracing measures before sufficient evidence can be taken.

Fourth, how to deal with network actions do not constitute an armed attack. Such action is not sufficient to start the right of self-defense, only the provisions of the rules of engagement should adopt a “do not constitute the use of force necessary and appropriate action,” such as a similar degree of retaliation. “Tallinn Manual” also expressed approval, that “if a country suffers internationally wrongful act, can take counter-measures, including network, including the counter-measures commensurate with the responsibility for the country.” Of course, in addition to military counter-measures, countries level diplomatic protest may also take other measures or economic sanctions.

(B) target selection rules.

On target selection, the law has been formed to the principle of distinction, the principle of proportionality as the core of a more sophisticated rules. These rules generally do not consider what means of warfare is only concerned with the goal itself, and therefore equally applicable to network operations. When considering the target selection in cyber warfare rules of engagement, we should focus on the following issues.

First, it should be differentiated according to whether the constitution network attacks. “Tallinn Manual” that “network attack is reasonably foreseeable will lead to personal injury or death, damage to or destruction of the object of offensive or defensive action network.” If a network does not constitute an attack action, not that distinction limitation principle and the principle of proportionality, such as advocacy of war through the network, etc., may target civilians or civilian network. Of course, action does not constitute a network attack, does not mean its unfettered and control, but should also be based on military necessity.

Second, the network constitutes an attack only against military objectives. In cyber warfare rules of engagement in both principles laid purposes only, it can also be targets for specific network actions enumerated in detail, such as military networks, military satellite communications, air defense systems. Dual-use computers, computer networks and network infrastructure targets belonging to military objectives, such as dual-use airport computer network.

Third, the collateral damage assessment. Target cyberspace often associated with numerous livelihood industry, when you set the rules of engagement should be required before the formal implementation of network attacks collateral damage assessment and follow incidental injury to specify different approval levels. For example, the American government allowed foreign banks to implement the hacking system to collect information, but you need to change the data at the same time Secretary of State and Minister of Finance for approval. During collateral damage assessment, does not need to consider the impact does not constitute harm, such as just cause is inconvenient or temporary loss of access.

(C) network defense rules

Risk security risks of cyberspace, mainly from computer networks, network defense occupy an important position in the network war. Served as Special Adviser to US President Richard network security? A? Clark believes that protect the US from cyber attacks are overarching objectives of cyber warfare strategy. Network defense measures including in the data stream is detected, scanning computer system vulnerabilities or secret door, and so on. On rules of engagement, in the peacetime army should only be responsible for the protection of military facilities, namely involving military computer networks and network infrastructure data monitoring and vulnerability scanning, an important place also for all data and operations can conduct real-time monitoring. For example, the United States will protect US private and private targets (such as banks, power companies, railways) network defense right is given to the Department of Homeland Security, the Department of Defense is responsible only for network defense military installations.

If it is in wartime, or may be based on a country’s military forces need to expand the scope of protection, including the subject of wartime control areas (such as the financial sector, transportation systems, etc.) of the data center and backbone network for deep packet inspection, the blockade and the known attack packets similar packets. Network attacks are often by way of network security is relatively backward countries, if such countries suffer from unknown attacks, in a coordinated basis through the diplomatic network defense measures will be extended to the country. The impact of network defense actions offensive action to be smaller than the approval level can be lower than offensive operations, such as the US military rules of engagement theater commander and joint force commander (joint force commanders) have the right to approve cyber defense action.

(D) network spying rules

Spying network is entering the network, computer or database in another country without permission to collect sensitive information. If the action does not modify or delete data, or cause other devastating effects, the act itself belongs to intelligence activities traditionally not prohibited by international law, only constrained by domestic law. “Tallinn Manual” also pointed out that “in the conduct of armed conflict enemy spy network or other forms of information for gathering does not violate the law of armed conflict.” In cyber warfare rules of engagement, and should be limited to sabotage in spying operations, to carry out sabotage attack rules shall apply to the network, including the secret invasion after implantation in the other system logic bombs and other war preparations. As for the network should be carried out spying activities against which countries or entities, is based on political considerations and military needs necessary to consider the rules of engagement may be listed in the specific list or range. Richard? A? Clark believes that every year should be approved by the US president a guide, clear the US military network which countries should invade to gather intelligence.

(E) Network attack rules

Network offensive cyber warfare refers to the defense in addition to the network, the network spying network operations. In cyber warfare rules of engagement, network attack rule focuses level approval, should be used in cyber warfare means against targets and the extent of damage caused by: For approval level, the extent of the impact of network attack is usually greater than the network defense and network spy, and therefore desirable to provide a higher level of approval, such as the requirements of the US rules of engagement, offensive network operations often need to get the president or authorized by the Secretary of Defense; on cyber warfare means, the current network attacks including eavesdropping attack, information bomb attacks, Trojans, denial of service attacks, mail server attacks, DNS server attacks, web server attacks, password attacks, protocol exploits, spoofing attacks in different ways, there is no specific law to prohibit or restrict the use of cyber warfare tools; on in terms of the target of attacks, which may be one area (government systems, banking systems, etc.) or an entity of data on a computer network or the computer and networks; terms of the extent of damage that can be destroyed, weakened, interference or prevent. These rules may have many different combinations, the need for targeted design according to the task situation.

In the design of the network attack rules, consideration should pay attention to several special problems. One should pay attention to the impact associated with other combat areas. For example, a state of crisis with each other and did not at war, if an attack on its air defense network, could be interpreted as the air strikes, the person may then take pre-emptive measures to make escalation. At this point it should be banned or severely restricted in the rules of engagement in such attacks. Second, only use enough to cyberattacks offensive measures in peacetime, it may constitute an illegal use of force. In the civilian apparatus sacrificing network backdoor attack or invade other network arrangement logic bombs and other acts of the current legislation has not qualitative, although it does not pose a direct harmful consequences, but it is closely associated with a network attack, it should be used with caution. Third, pay special attention to critical infrastructure.These facilities (such as electricity, oil and gas pipelines, railways, aviation, telecommunications and banking, etc.) often in times of peace for civil, but in wartime may be used for military purposes, and network vulnerability, destroy a large influence, the most vulnerable to cyber attacks. One of the relevant United Nations code of conduct in cyberspace is that no country should be allowed to “intentional destruction of critical infrastructure, or otherwise affect the use and operation of providing services to the public key infrastructure,” the action. Currently China and the US have a shared commitment to the standards of the UN, not the first to use cyber weapons destroy other critical infrastructure in peacetime.Therefore, in peacetime rules of engagement, and we should claim a certain level unless approved ban might damage critical infrastructure, or for the use and operation as a public key infrastructure to provide services caused by the impact of cyber attacks. In wartime attacks to critical infrastructure should also be very cautious. For example, the United States has the ability to destroy the war in Iraq and other countries in Iraq to destroy Saddam Hussein’s financial network financial assets, but the American government lawyers worried that attacks the financial account will be treated as violations of international law in other countries, but also that Network Financial looting America would choose the wrong object accounts, or undermine the entire financial system. So the United States ultimately did not implement this action.

(Source: China Information Security)

Read Original Mandarin Chinese article:

网络战交战规则初探——兼评《塔林网络战国际法手册》

网络战交战规则初探——兼评《塔林网络战国际法手册》

 海军军事学术研究所法律研究室研究实习员 曹成程

2015年11月30日09:23

编者按:目前国际社会没有就网络空间军事活动达成任何实质性协议。2010年,中美俄等15个国家达成协议,就加强网络安全立法提出了建议,并未形成规则。2013年北约推出《塔林网络战国际法手册》(文中简称《塔林手册》),是目前这一领域唯一一份较为普遍意义的文件,但并未得到普遍承认,不构成直接的法律拘束力,我们也不同意其“网络空间不需要新规则,现有国际法适用于网络空间”的原则。但其对将来网络战国际立法具有较强的示范效应,需要我们深入研究,以有助于我们制定网络战规则和参与全球网络空间行为准则制定。

从上世纪90年代美国率先提出网络战概念开始,到如今全球已有数十个拥有了较为可观的网络战能力。这表明网络战技战术和指挥管理体制等正不断走向成熟。但与之对比的是,网络战在政策和法律上依然面临着诸多难题。因此目前网络战在法律上如何定性、如何规制,各国只能依靠自身对军队的约束,根据自身网络安全政策、网络战战略及对一般国际法的理解来管控网络战,以服务于现实政治需要。这为网络战交战规则的运用提供了良好平台。

一、基本理论

(一)概念。交战规则(Rules of Engagement,ROE)是西方军队中较为通行的一个术语,它是指政治或军事当局根据政治、军事和法律等方面要求而制定或批准,用以界定武装部队执行任务中可使用武力达成任务的环境、条件、程度和方式的军事指令。而网络战交战规则则是指界定可以使用网络战手段来达成军事任务的环境、条件、程度和方式的军事指令,比如规定在遭到他方武力攻击时,可以对对方防空系统实施网络攻击。

(二)内涵。交战规则是二战后,美英国等西方国家为了适应国际秩序变迁而发展的军事制度,其本质在于通过规则化手段打通战略、战役、战术各个层次,明确和细化对作战手段和方式的授权,以加强对军事行动的指挥控制、确保合法使用武力。交战规则会以武装冲突法等国际法规则为基础,但本质上是当局向己方部队下发的单方面的规则约束。交战规则也不同于军事上的战术指导、战略指南等概念,比如在网络对抗中,网络战交战规则只会规定面对哪些威胁(如空袭)时可以采取网络战手段、可动用哪几种攻击手段(如“蠕虫”感染)、可以袭击哪些特定目标(如电力网、防空系统),而至于利用哪些服务器来发起攻击、各网络战分队如何协同、什么时刻发动攻击等,则交由战术指导。

(三)现状。交战规则最早出现在空战领域,随后出现了海战、陆战交战规则。目前交战规则广泛运用于西方各领域军事实践,并为印尼、菲律宾等发展中国家所借鉴。随着网络战的发展,交战规则自然将向网络空间拓展。以美军为例,2002年小布什签署总统令,提出了网络战国家政策,并授权创制网络战交战规则,2006年美国国防部首次颁布了网络战交战规则,并于2013年进行了首次更新。可以推测,其他也有很多国家也制定了本国网络战交战规则,只是因密级高而难以探知具体情况。

二、制定基础

交战规则是政治、军事和法律三个方面要求的集合,因此与网络战相关的政治、军事和法律,是制定网络战交战规则的基础。

(一)政治方面。首先要考虑本国的整体发展战略,网络行动应服务于国家战略全局。其次要考虑与其他国家的外交关系,针对盟友、重要经贸伙伴或战略对手的网络行动,或者对来自这些国家的网络行动的回应,应采取不同政策。第三要考虑本国网络安全政策,这是基于本国网络的整体安全性、防护能力以及对其的依赖程度等因素而做出的综合判断,也是网络战应该予以考虑的重要要素。

(二)军事方面。首先要考虑本国网络战军事战略,以其作为交战规则的牵引。比如曾有前白宫高官建议,美国应建立以网络基干、电力网、国防部网络三位一体的网络防御战略,如果美国政府采纳这一建议,则在网络防御规则中可就这三者遇到的网络攻击设置更高的响应级别和更快的武力升级措施。其次要考虑网络战技战术。如果可行的话,网络战交战规则应该具体到不同的战术手段。第三要考虑不同军事任务所面临的网络作战环境和作战对手,进而在交战规则中规定不同的网络进攻或防御政策。

(三)法律方面。首先要考虑适用于本国网络行动的国际法。目前没有形成网络战专门条约,但既有规则中也有许多对其构成直接拘束力,比如海牙公约、日内瓦公约以及《联合国宪章》等,主要涉及是否构成非法武力使用或威胁、是否构成武装攻击、是否违反中立法、如何归责等等。其次要考虑本国相关法律,如网络安全相关法令、军事指挥的法令等。第三要考虑目前国际社会对网络战相关法律问题的基本共识和主要争议,因为这反映了他国遭遇网络行动后可能的态度和回应措施。

三、主要内容

一份完整的网络战交战规则文件,通常应包含以下内容:(1)制定依据,列出是根据哪些国家政策、战略指南、作战方案等文件起草的;(2)形势判断,说明任务背景、行动环境和需要达成的军事目标;(3)启用时间,如是平时交战规则,则一经发布就可择机启用,如是战时交战规则,则可规定随某作战方案启用,或进入战争状态后通过指令宣布启用等;(4)适用范围,比如可规定为本国军队参与网络行动的所有行为或受某网络司令部指挥的部队及人员的所有行为,也可同时适用于受聘参与网络战的平民、参与多国联合行动的外国军人;(5)原则要求,比如一切行动听指挥、守法原则、最小必要武力原则、最小附带损伤原则等;(6)实施政策,说明反馈实施意见、解释或者修订补充规则、开展相关教育训练、处置违反行为的方法程序以及相关保密规定等等;(7)实体规则,也即具体界定可使用网络战手段来达成军事任务的环境、条件、程度和方式,这是网络战交战规则的主体内容,主要可包括网络空间的自卫规则、目标选择规则、网络防御规则、网络进攻规则等。

(一)自卫规则。自卫是指针对敌对行为或明显的敌对意图,为了免受攻击或马上将发生的攻击的影响而使用武力。在交战规则中自卫规则的通常内容为:可以为了保护谁免受什么攻击而使用什么武力。在网络战中包括两种自卫,一是为应对网络攻击而实施自卫,二是为行使自卫权而实施网络行动。对于后者,目前国际法上并没有规则予以明确限制,因此只要符合行使自卫权的一般要件即可,前者则还存在不少法律难题。

首先,针对什么网络行为可行使自卫权。《塔林手册》认为,一国可以针对达到武装攻击(armed attack)的网络行动行使自卫权。网络行动是否构成武装攻击,取决于其范围和后果。美国就这种“范围和后果”提出了一种标准。奥巴马提出,“美国把破坏或摧毁我们军队、政府或关键基础设施的网络攻击行动视同于针对同样目标、产生同等效果的动能攻击”,并表示将动用一切所能使用的力量予以反击。但由于与空袭等动能攻击比,网络行动的范围与后果更难以评估判断,交战规则中宜将决策层级适当提高,比如战区、军种层级,甚至国防部长或国家元首层级。美国将行使国家自卫权界定为总统权利,但美军标准交战规则已明确将特定条件下的自卫授予不同级别的部队,不需要总统批准即可采取行动。

其次,可以为保护谁而行使自卫权。受保护的主体也是遭受攻击的主体,对其的界定实际上包含在对网络行动“范围与后果”的判断中。如前文所述,奥巴马重点关注美国政府、军队和关键基础设施。当然关键基础设施是一个宽泛的概念。北约还提出,可对网络行动行使集体自卫权,也即可为保护盟国免受网络攻击而行使自卫。

第三,针对谁行使自卫。网络空间中攻击者更容易隐藏身份。虽然奥巴马宣称美国“有能力在所需要的程度上确定责任归属”,却未给出明确的标准和程序。他还宣称“如某国拒绝及时阻止从该国发出的攻击,可视为等同于该国政府参与了攻击行动”,“我们也会将调查攻击过程中不提供有效合作视为等同于参与攻击”。但是这种说法并没有法律依据。《塔林手册》提出“仅网络行动发动或起源于政府网络基础设施这一事实,不能构成该行动归责于该国的充分证据”,只能“表明该可疑国家与该行为有关联”;“网络行动经由位于一国的网络基础设施,不能构成该行动归责于该国的充分证据”。因此如果无法确定攻击来源,交战规则宜只规定在掌握充分证据前可采取的网络防御措施和追查措施。

第四,如何应对不构成武装攻击的网络行动。这种行动不足以启动自卫权,交战规则宜只规定采取“不构成使用武力的必要且适度的行动”,比如类似程度的报复行动。《塔林手册》对此也表示认可,提出“一国如果遭受国际不法行为损害,可针对责任国采取包括网络反制措施在内的相称的反制措施。”当然,除军事反制措施,国家层面还可以采取外交抗议或经济制裁等措施。

(二)目标选择规则。关于目标选择,国际法上已经形成了以区分原则、比例原则为核心的较为成熟的规则。这些规则通常并不考虑作战手段是什么,只关注目标本身,因此同等地适用于网络行动。在网络战交战规则中考虑目标选择时,要重点关注下列问题。

首先,应根据是否构成网络攻击进行区分。《塔林手册》指出,“网络攻击是指可合理预见的会导致人员的伤害或死亡、物体的损害或毁坏的进攻性或防御性的网络行动。”如果某网络行动并不构成攻击,则不受区分原则和比例原则的限制,比如通过网络开展宣传战等,可以以平民或民用网络为目标。当然网络行动不构成攻击,不意味着其不受约束和控制,而是同样应该基于军事必要。

其次,构成攻击的网络行为仅能针对军事目标。在网络战交战规则中既可以仅作原则规定,也可将特定网络行动所针对的目标详细列举出来,比如军用网络、军用卫星通信、防空系统等等。军民两用的计算机、计算机网络和网络基础设施目标属于军事目标,比如军民两用机场的计算机网络。

第三,附带损伤评估。网络空间的目标常与众多民生行业相关联,在设置交战规则时宜要求在实施网络攻击前进行正式的附带损伤评估,并按照附带损伤程度来规定不同的审批级别。比如美国政府允许对外国银行系统实施黑客行动以收集情报,但更改数据则需要国务卿和财政部长同时批准。在进行附带损伤评估时,不需要考虑不构成伤害的影响,比如只是造成不方便或临时的丢失访问。

(三)网络防御规则

网络空间的风险性主要来自计算机网络的安全隐患,网络防御在网络战中占据重要地位。曾担任美国总统网络安全特别顾问的理查德?A?克拉克认为,保护美国免受网络攻击是网络战战略的首要目标。网络防御措施主要包括在对数据流进行检测、扫描计算机系统的漏洞或暗门等等。就交战规则而言,在和平时期军队宜只负责保护军事设施,即对涉及到军方计算机网络和网络基础设施进行数据监测和漏洞扫描,重要场所还可以对所有数据和操作行为进行实时监控。比如美国将保护美国私有及私营目标(如银行、电力公司、铁路)的网络防御权利赋予给了国土安全部,国防部只负责军事设施的网络防御。

如果是在战时,一国军队或可基于军事需要而扩大保护范围,包括对受战时管制领域(如金融行业、交通系统等)的数据中心和基干网络进行深层封包检测,封锁与已知攻击数据包相类似的数据包。网络攻击往往假道网络安全防护比较落后的国家,若遭到来源于此类国家的不明攻击,可在经过外交协调的基础上将网络防御措施拓展到该国。网络防御行动的影响比进攻行动要小,审批级别可以低于进攻行动,比如美军交战规则规定战区司令和联合部队司令(joint force commanders)有权批准网络防御行动。

(四)网络刺探规则

网络刺探是在未经许可的情况下进入另一国的网络、计算机或数据库,以收集敏感信息。如果这一行为并未修改或删除数据,或造成其他破坏性影响,则行为本身就属于传统上的情报活动,并不受国际法禁止,仅受到国内法约束。《塔林手册》也指出“在武装冲突中针对敌方的网络刺探行为或其他形式的信息搜集不违反武装冲突法”。在网络战交战规则中,应限制在刺探行动中从事破坏活动,开展破坏活动应适用网络进攻规则,包括秘密入侵后在对方系统植入逻辑炸弹等战场准备活动。至于应针对哪些国家或实体开展网络刺探活动,是需要基于政治考量和军事必要来综合考虑的,交战规则中可以列出具体名单或范围。理查德?A?克拉克认为,每年应该由美国总统批准一项指南,明确美军应侵入哪些国家的网络来收集情报。

(五)网络进攻规则

网络进攻是指在网络战中除网络防御、网络刺探以外的网络行动。在网络战交战规则,网络进攻规则主要关注审批的级别、应选用的网络战手段、所针对的攻击目标和所造成的破坏程度:就审批级别而言,网络进攻的影响程度通常要大于网络防御和网络刺探,因此宜规定更高的审批级别,如美军交战规则要求,进攻性网络行动通常需要得到总统或国防部长的授权;就网络战手段而言,当前网络攻击主要包括网络监听攻击、信息炸弹攻击、木马程序攻击、拒绝服务攻击、邮件服务器攻击、DNS服务器攻击、web服务器攻击、口令攻击、协议漏洞攻击、欺骗攻击等不同方式,目前没有国际法禁止或限制特定网络战手段的使用;就攻击的目标而言,其可以是某个领域(政府系统、银行系统等)或某个实体的计算机、网络或者计算机和网络上的数据;就破坏程度而言,可以是摧毁、削弱、干扰或阻止。这些规则可能有许多不同组合,需要根据任务情况进行有针对性的设计。

在设计网络进攻规则时还应该注意几个特殊问题。一是应注意与其他作战领域的关联影响。比如与对方处于危机状态而并未开战时,如果对其防空网络实施攻击,可能会被解读为将发动空袭,对方可能进而采取先发制人的措施,使得局势升级。此时应在交战规则中禁止或严格限制此类攻击。二是在和平时期只能动用不够成网络攻击的进攻措施,否则可能构成非法使用武力。在民用设备中为网络攻击留取后门,或者侵入对方网络布置逻辑炸弹等行为目前法律上还没有定性,虽然其并不构成直接的危害后果,但与网络攻击紧密关联,也应该谨慎使用。三是要特别关注关键基础设施。这些设施(如电力、油气管道、铁路、航空、电信和银行等)在和平时期常为民用,但是在战时可能用于军事用途,而且网络脆弱、破坏影响大,最易遭到网络攻击。联合国有关网络空间行为准则之一是,任何国家都不应该允许“有意破坏关键基础设施,或通过其他方式影响为公众提供服务的关键基础设施的使用和运营”的行动。目前中美已经共同承诺借鉴联合国这一标准,在和平时期不首先使用网络武器破坏另一方的关键基础设施。因此,在平时交战规则中,宜要求除非经过特定级别批准,禁止可能会对关键基础设施造成破坏,或对为公众提供服务的关键基础设施的使用和运营造成影响的网络攻击。在战时对于关键基础设施的攻击也应该非常谨慎。比如,美国在伊拉克战争中有能力摧毁伊拉克和其他国家的金融网络来毁掉萨达姆的金融资产,但美国政府律师团担心,袭击金融账户将被其他国家视为违反国际法的行为,还担心美国的网络金融劫掠行为会选错了对象账户,或者破坏了整个金融体系。所以美国最终并没有实施这一行动。(来源:中国信息安全)

中國網絡衝突討論,信息與研究 // Chinese Cyber Conflict Discussions, Information & Research