The following introduction was originally published in the BCS Information Security Now Magazine, Summer 2011 issue (Volume 5, Issue 4), which was on the topic of Cyber Warfare:
“One of the significant problems with cyber war, versus traditional kinetic warfare, is the lack of agreed definitions and rules.
Proposals are beginning to emerge, and the NATO Cooperative Cyber Defence Centre of Excellence (www.ccdcoe.org) based in Tallinn, Estonia, has produced a reference called ‘The 10 Rules of Behaviour for Cyber Security’, which I think provides an good starting point:
1. Territoriality. Information infrastructure located within a state’s territory is subject to that state’s territorial sovereignty. Using the concepts of property, sovereignty and jurisdiction, states can enforce cyber security from a national security perspective.
2. Responsibility. The fact that a cyber attack has been launched from an information system located in a state’s territory invokes the responsibility of that state for the attack.
3. Cooperation. The fact that a cyber attack has been conducted via the information system located in a state’s territory creates a duty to cooperate with the victim state.
4. Self-defence. Everyone has the right to self-defence when facing a clear and imminent danger.
5. Data exchange. Information infrastructure monitoring data is perceived personal unless provided for otherwise.
6. Duty of care. Everyone has the responsibility to implement a reasonable level of security in their information infrastructure.
7. Early warning. Everyone has to notify the potential victims about an upcoming cyber attack.
8. Access to information. The public has the right to be informed about threats to their life, security and well-being.
9. Criminality. Every nation has the responsibility to include the most common cyber offences in its substantive criminal law.
10. Mandate. An organisation’s capacity to act (and regulate) derives from its mandate.”
A PDF version of the magazine is available online at: