Benzel also describes other crisis scenarios. For example, she says, there are programs that open and close gates on American dams that are potentially vulnerable. Benzel is worried that a clever hacker could open America's dams at will.
Should Preemptive Strikes Be Allowed?
These and other cases are currently being tested in Cyber City, a virtual city US experts have built on their computers in New Jersey to simulate the consequences of data attacks. Cyber City has a water tower, a train station and 15,000 residents. Everything is connected in realistic ways, enabling the experts to study the potentially devastating effects cyber attacks could have on residents.
In Europe, it is primarily intelligence agencies that are simulating digital war games. Germany's foreign intelligence service, the Bundesnachrichtendienst (BND), also has a unit that studies the details of future wars. It is telling that the BND team doesn't just simulate defensive situations but increasingly looks at offensive scenarios, as well, so as to be prepared for a sort of digital second strike.
"Offensive Cyber Operations," or OCOs, are part of the strategy for future cyberwars in several NATO countries. The Tallinn manual now establishes the legal basis for possible preemptive strikes, which have been an issue in international law since former US President George W. Bush launched a preemptive strike against Iraq in March 2003.
The most contentious issue during the meetings in Tallinn was the question of when an offensive strike is permissible as an act of preventive self-defense against cyber attacks. According to the current doctrine, an attack must be imminent to trigger the right to preventive self-defense. The Tallinn manual is more generous in this respect, stating that even if a digital weapon is only likely to unfold its sinister effects at a later date, a first strike can already be justified if it is the last window of opportunity to meet the threat.
The danger inherent in the application of that standard becomes clear in the way that the international law experts at Tallinn treated Stuxnet, the most devastating malware to date, which was apparently smuggled into Iranian nuclear facilities on Obama's command. The data attack destroyed large numbers of centrifuges used for uranium enrichment in the Natanz reprocessing plant. Under the criteria of the Tallinn manual, this would be an act of war.
Could the US be the perpetrator in a war of aggression in violation of international law? Cologne international law expert Kress believes that what the Tallinn manual says parenthetically about the Stuxnet case amounts to a "handout for the Pentagon," namely that Obama's digital attack might be seen as an "act of preventive self-defense" against the nuclear program of Iran's ayatollahs.
The Fog of Cyber War
According to the Tallinn interpretation, countless virtual espionage incidents of the sort that affect all industrialized nations almost daily could act as accelerants. Pure cyber espionage, which American politicians also define as an attack, is not seen an act of war, according to the Tallinn rules. Nevertheless, the international law experts argue that such espionage attacks can be seen as preparations for destructive attacks, so that it can be legitimate to launch a preventive attack against the spy as a means of self-defense.