Before the Estonian incident, organisations tended to treat their risks and arrangements in isolation. Cyber security was merely the sum of individual contingency plans having little to do with more systemic risks.
The spectrum of cyber conflict ranges from breaches of internal policy or regulations (not patching software, for example) to breaches of legal obligations (such as not reporting illegal activity) to crime to national-security threats to outright cyber warfare ("cyber armed attack").
Ten rules focused on issues and working solutions arising from discussions among experts or in the course of cyber-incident handling can be identified:
1. The Territoriality Rule
2. The Responsibility Rule
3. The Cooperation Rule
4. The Self-Defence Rule
5. The Data Protection Rule
6. The Duty of Care Rule
7. The Early Warning Rule
8. The Access to Information Rule
9. The Criminality Rule
10. The Mandate Rule
In this paper, the Author analyses these ten rules that outline key concepts and areas that must be included or addressed in a comprehensive legal approach to cyber security. They are intended to raise awareness about existing legal complications involving cyber security and the ways to overcome them, to serve as a focus for debate and coordination within and across disciplines, and to inform well-grounded proposals for additional legislation on the international level.