Eneken Tikk is currently associated with the International Institute for Strategic Studies (IISS), and was project coordinator for the Tallinn Manual on the International Law Applicable to Cyber Warfare. In Ten Rules for Cyber Security (.pdf), an article published in Survival vol. 53, no. 3, 2011, Tikk identifies ten rules focused on issues and working solutions in cyber conflict. Although Tikk’s understanding has undoubtedly advanced since 2011, those rules remain relevant and useful as input for thought/debate. Partially as a reminder to myself, I hereby list Tikk’s ten rules:

1. The Territoriality Rule: Information infrastructure located within a state’s territory is subject to that state’s territorial sovereignty.
2. The Responsibility Rule: The fact that a cyber attack has been launched from an information system located in a state’s territory is evidence that the act is attributable to that state.
3. The Cooperation Rule: The fact that a cyber attack has been conducted via information systems located in a state’s territory creates a duty to cooperate with the victim state.
4. The Self-Defence Rule: Everyone has the right to self-defence.
5. The Data Protection Rule: Information infrastructure monitoring data are perceived as personal unless provided for otherwise (the prevalent interpretation in the EU).
6. The Duty of Care Rule: Everyone has the responsibility to implement a reasonable level of security in their information infrastructure.
7. The Early Warning Rule: There is an obligation to notify potential victims about known, upcoming cyber attacks.
8. The Access to Information Rule: The public has a right to be informed about threats to their life, security and well-being.
9. The Criminality Rule: Every nation has the responsibility to include the most common cyber offences in its substantive criminal law.
10. The Mandate Rule: An organisation’s capacity to act (and regulate) derives from its mandates.

Feel free to comment. (Please read Eneken’s article before commenting.)