Civilian hackers who cause death or damage to property could be legitimate targets for conventional weapons, according to the first international 'handbook' on cyber warfare.
In further proof that cyber warfare is not science fiction, but a fact of modern life, Nato has released a 'handbook' to try and codify how international law applies to state-sponsored hacking, and its role in future wars.
The Tallinn manual advises that cyber-attacks must not be targeted at hospitals, dams and nuclear power stations "even when they are military objectives".
It includes provisions allowing states to respond with conventional weapons to a cyber attack by another state that causes death or significant damage to property.
Attacks designed to spread terror are also forbidden under its guidelines.
But it also says that "hacktivists" who lead or participate in cyber attacks during conflict can be targeted. Even though such hackers are technically civilians they may still be legitimate targets, the manual says:
The key is whether civilains engage in "an act of direct participation in hostilities", in a similar way to non-military civilian fighters using conventional weapons in a legitimate conflict.
But experts were divided on exactly when such a hacker might be a target.
Page 103 of the manual says:
"Consider the example of an individual hacktivist who has, over the course of one month, conducted seven cyber attacks against the enemy's command and control system. By the first view the hacktivist was only targetable while conducting each attack. By the second he was targetable for the entire month. Moreover in the absence of a clear indication that the hacktivist was no longer engaging in such attacks, he or she would have remained targetable beyond that period."
It defines a 'Hacktivist' as:
A private citizen who on his or her own initiative engages in hacking for, inter alia, ideological, political, religious, or patriotic reasons.
The manual is not an official Nato document, and according to experts there is still no wide consensus on many aspects of how the law applies to online attacks.
The handbook was drawn up by Nato's Co-operative Cyber Defence Centre of Excellence, who worked with 20 lawyers, the International Committee of the Red Cross and the US Cyber Command.
The three-year project is the first full attempt to decide how international law applies to online conflict.
It was launched in 2008 after attacks on Estonia from hackers inside Russia caused damage to infrastructure.
The book includes 95 "black letter rules" detailing how states can carry out and respond to cyber attacks within the boundaries of international law.
Despite major incidents such as the Stuxnet virus which targeted alleged Iranian nuclear enrichment facilities, or the Flame virus discovered last year, the manual states that "To date, no international armed conflict has been publicly characterised as having been solely precipitated in cyberspace".