Chinese Network Warfare ~ 中國網絡戰

Chinese Rules of Engagement for Network Warfare and the “Tallinn Manual on Cyberwar & International Law”

Chinese Editorial Note: At present the international community did not reach any substantive agreement on military activities in cyberspace. In 2010, the United States and Russia and other 15 countries agreed to strengthen cybersecurity legislative proposals, did not form a rule. 2013 NATO launched the “cyberwar Tallinn Manual on International Law” (hereinafter simply referred to “Tallinn Manual”), is currently the only one in this area more common meaning of the file, but not universally acknowledged, does not constitute a direct legal binding force, We do not agree with their “cyberspace do not need new rules, existing international law applicable to cyberspace” principle. But its future cyberwar international legislation has strong demonstration effect, we need further research to help us develop the network rules of engagement and participation in the development of a global code of conduct in cyberspace.


From the 1990s, the United States first proposed the concept of network warfare began, to now have dozens of the world have a more significant cyberwarfare capabilities. This indicates that cyber warfare tactics and command and management system is constantly maturing. But contrast that cyber warfare in policy and law still faces many challenges. So now, how does cyberwarfare qualitatively apply to the law, how is it regulated? Countries can only rely on their own constraints on the military, according to their own network security policy, cyber warfare strategy and for general international understanding to control cyber warfare, to serve the real political need. This provides a good platform for the use of cyber warfare rules of engagement.

First, the basic theory…

(A) Concept. ROE (Rules of Engagement, ROE) is a term more accepted in Western armies, which refers to political or military authorities developed or approved in accordance with aspects of the political, military and legal requirements, in order to define the mission of the armed forces may be used Task force to achieve environmental, conditions, extent and manner of military instruction. The cyberwarfare rules of engagement refers to the definition of cyberwar means may be used to achieve environmental, conditions, extent and manner of the military mission of military command, such as the provisions of the other party at the time was an armed attack, air defense system on the other side can implement network attacks.

(B) Content. ROE is the Second World War, the United States and Britain and other Western countries in order to adapt to the changes and development of the international order of the military system, by its very nature that open up strategic, operational, and tactical at all levels, clarity and refinement means and methods of warfare of authorization by means of rules, to strengthen command and control of military operations, to ensure that the legitimate use of force. Rules of engagement will be an international law of armed conflict and other legislation compared foundation, but essentially unilateral authority to rule their own troops sent under constraints. Rules of engagement are different from the concept of tactical guidance, strategy guides, and military, such as the network confrontation, cyber warfare rules of engagement will only be able to take provisions which face the threat of cyber warfare means (such as air strikes), you can use what kinds of attack means (such as “worm” infection), which specific targets (such as power grids, air defense system) can be attacked, but as to which server to use to attack each network warfare units fit together, what time to launch attacks, referred to the tactical guidance.

(C) Cyber status quo. First appeared in the combat rules of engagement in the field, followed by a naval battle, Marine rules of engagement. Currently the rules of engagement are widely used in various fields of Western military practice, and Indonesia, the Philippines and other developing countries learn from. With the development of cyber warfare, the rules of engagement will naturally expand cyberspace. In the US, for example, in 2002 George W. Bush signed a presidential decree, proposed a national policy network warfare and cyber warfare rules of engagement authorize the creation, in 2006 the US Department of Defense for the first time issued a cyber warfare rules of engagement, and updated in 2013 for the first time. Presumably, there are also many other countries have also developed their own cyber warfare rules of engagement, but it is difficult to ascertain because of dense high specific circumstances.

Second, the development foundation…

ROE is a collection of political, military and legal aspects of the three requirements, and therefore political, military and legal battle with the network-related, is the basis for the development of cyber warfare rules of engagement.

(A) Political Aspect. We must first consider the overall national development strategy, the network action should serve the overall national strategy.Second, we must consider diplomatic relations with other countries, for the allies, important economic and trade partner or strategic rival of network operations, or to respond to network operations from these countries should adopt a different policy. Third, we must consider their network security policy, which is the overall security, protection, and their reliance on such factors as their networks and make a comprehensive judgment, is cyber warfare and should be an important factor to consider.

(B) The Military Aaspect. We must first consider their cyber warfare military strategy, with its rules of engagement as traction. Such as former White House officials had suggested the United States should establish a network attack to the network backbone, the power grid, the Defense Department network trinity of network defense strategy, if the US government to adopt this proposal, the rules in network defense may encounter these three Set a higher level and faster response force upgrade measures. Second, we must consider the network combat skills and tactics. If feasible, cyber warfare rules of engagement should be specific to different tactical means. Third, we must consider the different military tasks facing network operations environment and combat opponents, and then specify different network attack or defense policy in the rules of engagement.

(C) Legal aspects. First thing to consider international law applicable to their network operations. There is no special form of network warfare treaty, but both also have many of its rules constitute a direct binding force, such as the Hague Convention, the Geneva Conventions and the “UN Charter” and other, mainly related to constitute an illegal use of force or threat constitutes an armed attack, It is a violation of the legislation, how liability and so on. Second, we must consider the relevant national law, such as network security-related laws, decrees and other military command. Third, we must consider the current dispute the basic consensus of the international community and major cyber warfare relevant legal issues, because it reflected his country’s attitude and responses may encounter after the network action.

Third, the main content…

A complete network warfare rules of engagement file should normally include the following:

(1) to develop the basis, lists what national policies, strategies guidelines, drafted in accordance with the operational plan and other documents; and

(2) to judge the situation, indicating that the task background, operational environment and the need to achieve military objectives;

(3) Enable Time, the case of the usual rules of engagement, then once released can choose to enable, in the case of wartime rules of engagement can be specified with a battle plan enabled, or the state of war by command announced the opening and the like;

(4) the scope of such behavior may provide all the national forces participating in the network operations or any conduct by certain forces and personnel Cyber ​​Command command, it can also apply to civilian employment to participate in cyber warfare, participation foreign soldiers multinational joint action;

(5) the principle of requirements, such as all actions obey orders, law-abiding principle, the minimum necessary use of force principle, the minimum collateral damage principles;

(6) the implementation of policy, described the feedback the opinions, interpret or amend the Supplemental Rules, carry out relevant education and training, disposal procedures and methods of violations related to the confidentiality provisions and the like;

(7) the substantive rules, that can be used to specifically define cyberwar means to achieve environmental, conditions, extent and manner of the military mission, which is network warfare the main content of the rules of engagement, the main rule cyberspace may include self-defense, target selection rules, the rules of network defense, network attack rules.

(A) self-defense rules.

Means of self-defense against a hostile act or hostile intent obviously, in order from the effects of attack or attack will occur immediately the use of force. The rules of self-defense in the rules of engagement usually says: Who can in order to protect against any attack and to use what force. In cyber warfare includes two self-defense, first implemented in response to cyber attacks in self-defense, the second is to exercise the right of self-defense and implementation of the network action. For the latter, the current rules of international law and not to be clear restrictions, so that they meet the general requirements to exercise the right of self-defense, the former there are still many legal problems.

First, what network behavior may exercise the right of self-defense against. “Tallinn Manual” that a State may exercise the right of self-defense against armed attack reached (armed attack) network operations. Are network actions constitute an armed attack, depending on their scope and consequences.The United States on such “scope and consequences” proposed a standard. Obama suggested that “the United States to undermine or destroy our military, government or critical infrastructure cyber attacks against the same target actions are deemed to produce the same effect of kinetic energy attack” and said it would use all the power that can be used to fight back. However, due to the attack with air strikes and other kinetic ratio, scope and consequences of network operations more difficult to assess judgment, rules of engagement should be appropriate to improve the decision-making level, such as the theater, the military services level, and even Defense Minister or Head of State level. The United States will exercise the right of self-defense is defined as the national president right now, but the US military standard rules of engagement have been explicitly granted to self-defense under the specific conditions of different levels of force, does not require presidential approval to take action.

Second, who can protect the exercise of the right of self-defense while.Protected body is subjected to the body attacks its definition is actually included in the network operations, “the scope and consequences” of the judgment. As mentioned above, Obama focus on US government, military and critical infrastructure. Of course, critical infrastructure is a broad concept. NATO also proposed action may exercise collective self-defense on the network, but also to the protection of allies and exercise self-defense against cyber attacks.

Third, for whom the exercise of self-defense. Cyberspace easier for attackers to hide their identity. While Obama declared that the US “has the ability to determine the attribution of responsibility on the extent needed,” but did not give clear criteria and procedures. He also declared that “If a country refuses to timely prevent attacks emanating from the country, may be considered equivalent to the Government’s participation in the attacks,” “We will also investigate the attack process does not provide effective cooperation considered as equivalent to participation in the attack.” .However, this argument has no legal basis. “Tallinn Manual” that “only network to launch action or government network infrastructure originating from the fact that the action does not constitute attributable to the country’s sufficient evidence” only “indicates that the suspicious behavior associated with that country”; ” network operations within the network infrastructure via a country, can not constitute the act attributable to the country’s sufficient evidence. ” So if you can not determine the source of attack, the rules of engagement should only provides network defense measures and tracing measures before sufficient evidence can be taken.

Fourth, how to deal with network actions do not constitute an armed attack. Such action is not sufficient to start the right of self-defense, only the provisions of the rules of engagement should adopt a “do not constitute the use of force necessary and appropriate action,” such as a similar degree of retaliation. “Tallinn Manual” also expressed approval, that “if a country suffers internationally wrongful act, can take counter-measures, including network, including the counter-measures commensurate with the responsibility for the country.” Of course, in addition to military counter-measures, countries level diplomatic protest may also take other measures or economic sanctions.

(B) target selection rules.

On target selection, the law has been formed to the principle of distinction, the principle of proportionality as the core of a more sophisticated rules. These rules generally do not consider what means of warfare is only concerned with the goal itself, and therefore equally applicable to network operations. When considering the target selection in cyber warfare rules of engagement, we should focus on the following issues.

First, it should be differentiated according to whether the constitution network attacks. “Tallinn Manual” that “network attack is reasonably foreseeable will lead to personal injury or death, damage to or destruction of the object of offensive or defensive action network.” If a network does not constitute an attack action, not that distinction limitation principle and the principle of proportionality, such as advocacy of war through the network, etc., may target civilians or civilian network. Of course, action does not constitute a network attack, does not mean its unfettered and control, but should also be based on military necessity.

Second, the network constitutes an attack only against military objectives. In cyber warfare rules of engagement in both principles laid purposes only, it can also be targets for specific network actions enumerated in detail, such as military networks, military satellite communications, air defense systems. Dual-use computers, computer networks and network infrastructure targets belonging to military objectives, such as dual-use airport computer network.

Third, the collateral damage assessment. Target cyberspace often associated with numerous livelihood industry, when you set the rules of engagement should be required before the formal implementation of network attacks collateral damage assessment and follow incidental injury to specify different approval levels. For example, the American government allowed foreign banks to implement the hacking system to collect information, but you need to change the data at the same time Secretary of State and Minister of Finance for approval. During collateral damage assessment, does not need to consider the impact does not constitute harm, such as just cause is inconvenient or temporary loss of access.

(C) network defense rules

Risk security risks of cyberspace, mainly from computer networks, network defense occupy an important position in the network war. Served as Special Adviser to US President Richard network security? A? Clark believes that protect the US from cyber attacks are overarching objectives of cyber warfare strategy. Network defense measures including in the data stream is detected, scanning computer system vulnerabilities or secret door, and so on. On rules of engagement, in the peacetime army should only be responsible for the protection of military facilities, namely involving military computer networks and network infrastructure data monitoring and vulnerability scanning, an important place also for all data and operations can conduct real-time monitoring. For example, the United States will protect US private and private targets (such as banks, power companies, railways) network defense right is given to the Department of Homeland Security, the Department of Defense is responsible only for network defense military installations.

If it is in wartime, or may be based on a country’s military forces need to expand the scope of protection, including the subject of wartime control areas (such as the financial sector, transportation systems, etc.) of the data center and backbone network for deep packet inspection, the blockade and the known attack packets similar packets. Network attacks are often by way of network security is relatively backward countries, if such countries suffer from unknown attacks, in a coordinated basis through the diplomatic network defense measures will be extended to the country. The impact of network defense actions offensive action to be smaller than the approval level can be lower than offensive operations, such as the US military rules of engagement theater commander and joint force commander (joint force commanders) have the right to approve cyber defense action.

(D) network spying rules

Spying network is entering the network, computer or database in another country without permission to collect sensitive information. If the action does not modify or delete data, or cause other devastating effects, the act itself belongs to intelligence activities traditionally not prohibited by international law, only constrained by domestic law. “Tallinn Manual” also pointed out that “in the conduct of armed conflict enemy spy network or other forms of information for gathering does not violate the law of armed conflict.” In cyber warfare rules of engagement, and should be limited to sabotage in spying operations, to carry out sabotage attack rules shall apply to the network, including the secret invasion after implantation in the other system logic bombs and other war preparations. As for the network should be carried out spying activities against which countries or entities, is based on political considerations and military needs necessary to consider the rules of engagement may be listed in the specific list or range. Richard? A? Clark believes that every year should be approved by the US president a guide, clear the US military network which countries should invade to gather intelligence.

(E) Network attack rules

Network offensive cyber warfare refers to the defense in addition to the network, the network spying network operations. In cyber warfare rules of engagement, network attack rule focuses level approval, should be used in cyber warfare means against targets and the extent of damage caused by: For approval level, the extent of the impact of network attack is usually greater than the network defense and network spy, and therefore desirable to provide a higher level of approval, such as the requirements of the US rules of engagement, offensive network operations often need to get the president or authorized by the Secretary of Defense; on cyber warfare means, the current network attacks including eavesdropping attack, information bomb attacks, Trojans, denial of service attacks, mail server attacks, DNS server attacks, web server attacks, password attacks, protocol exploits, spoofing attacks in different ways, there is no specific law to prohibit or restrict the use of cyber warfare tools; on in terms of the target of attacks, which may be one area (government systems, banking systems, etc.) or an entity of data on a computer network or the computer and networks; terms of the extent of damage that can be destroyed, weakened, interference or prevent. These rules may have many different combinations, the need for targeted design according to the task situation.

In the design of the network attack rules, consideration should pay attention to several special problems. One should pay attention to the impact associated with other combat areas. For example, a state of crisis with each other and did not at war, if an attack on its air defense network, could be interpreted as the air strikes, the person may then take pre-emptive measures to make escalation. At this point it should be banned or severely restricted in the rules of engagement in such attacks. Second, only use enough to cyberattacks offensive measures in peacetime, it may constitute an illegal use of force. In the civilian apparatus sacrificing network backdoor attack or invade other network arrangement logic bombs and other acts of the current legislation has not qualitative, although it does not pose a direct harmful consequences, but it is closely associated with a network attack, it should be used with caution. Third, pay special attention to critical infrastructure.These facilities (such as electricity, oil and gas pipelines, railways, aviation, telecommunications and banking, etc.) often in times of peace for civil, but in wartime may be used for military purposes, and network vulnerability, destroy a large influence, the most vulnerable to cyber attacks. One of the relevant United Nations code of conduct in cyberspace is that no country should be allowed to “intentional destruction of critical infrastructure, or otherwise affect the use and operation of providing services to the public key infrastructure,” the action. Currently China and the US have a shared commitment to the standards of the UN, not the first to use cyber weapons destroy other critical infrastructure in peacetime.Therefore, in peacetime rules of engagement, and we should claim a certain level unless approved ban might damage critical infrastructure, or for the use and operation as a public key infrastructure to provide services caused by the impact of cyber attacks. In wartime attacks to critical infrastructure should also be very cautious. For example, the United States has the ability to destroy the war in Iraq and other countries in Iraq to destroy Saddam Hussein’s financial network financial assets, but the American government lawyers worried that attacks the financial account will be treated as violations of international law in other countries, but also that Network Financial looting America would choose the wrong object accounts, or undermine the entire financial system. So the United States ultimately did not implement this action.

(Source: China Information Security)

Read Original Mandarin Chinese article:



 海军军事学术研究所法律研究室研究实习员 曹成程





(一)概念。交战规则(Rules of Engagement,ROE)是西方军队中较为通行的一个术语,它是指政治或军事当局根据政治、军事和法律等方面要求而制定或批准,用以界定武装部队执行任务中可使用武力达成任务的环境、条件、程度和方式的军事指令。而网络战交战规则则是指界定可以使用网络战手段来达成军事任务的环境、条件、程度和方式的军事指令,比如规定在遭到他方武力攻击时,可以对对方防空系统实施网络攻击。











首先,针对什么网络行为可行使自卫权。《塔林手册》认为,一国可以针对达到武装攻击(armed attack)的网络行动行使自卫权。网络行动是否构成武装攻击,取决于其范围和后果。美国就这种“范围和后果”提出了一种标准。奥巴马提出,“美国把破坏或摧毁我们军队、政府或关键基础设施的网络攻击行动视同于针对同样目标、产生同等效果的动能攻击”,并表示将动用一切所能使用的力量予以反击。但由于与空袭等动能攻击比,网络行动的范围与后果更难以评估判断,交战规则中宜将决策层级适当提高,比如战区、军种层级,甚至国防部长或国家元首层级。美国将行使国家自卫权界定为总统权利,但美军标准交战规则已明确将特定条件下的自卫授予不同级别的部队,不需要总统批准即可采取行动。










如果是在战时,一国军队或可基于军事需要而扩大保护范围,包括对受战时管制领域(如金融行业、交通系统等)的数据中心和基干网络进行深层封包检测,封锁与已知攻击数据包相类似的数据包。网络攻击往往假道网络安全防护比较落后的国家,若遭到来源于此类国家的不明攻击,可在经过外交协调的基础上将网络防御措施拓展到该国。网络防御行动的影响比进攻行动要小,审批级别可以低于进攻行动,比如美军交战规则规定战区司令和联合部队司令(joint force commanders)有权批准网络防御行动。






中國網絡衝突討論,信息與研究 // Chinese Cyber Conflict Discussions, Information & Research