A team of security experts has published a manual outlining how existing international laws can be applied to conflicts in cyber-space.
The 215-page study, titled "The Tallinn Manual on the International Law Applicable to Cyber Warfare," examines existing international law that allows countries to legally use force against other nations, as well as laws governing the conduct of armed conflict. The rules of conventional warfare are more difficult to apply in cyber-space, making this analysis critical.
The scope and manner of how international law applies to offensive and defensive cyber-operations have "remained unsettled," Michael N. Schmitt, project director and chairman of the International Law Department at the U.S. Naval War College, wrote in the introduction to the manual. Since attribution, or knowing who was actually behind a cyber-attack, is so difficult, governments have traditionally struggled with questions such as how to legally respond to an attack.
"The threshold questions are whether the existing law applies to cyber issues at all, and, if so, how," Schmitt wrote.
A group of experts from Australia, Canada, the United States, the Netherlands, and the United Kingdom worked on the manual under the auspices of the Cooperative Cyber Defense Center of Excellence (CCDCOE). Founded in 2008 in Tallinn, Estonia, CCDCOE is an institute that assists NATO with technical and legal issues related to cyber-warfare.
The manual addresses questions such as sovereignty, jurisdiction, and state responsibility.
Many security experts believe the term cyber-warfare is overused, and there is plenty of disagreement over what makes an incident an act of cyber-war as opposed to just an attack. Even though many incidents have been called an act of cyber-war, the only one that comes close to the definition under international law was Stuxnet, according to the manual. The damage the Stuxnet malware caused to the centrifuges used in Iranian nuclear facilities reached the "armed attack" threshold, the authors wrote.
"No international cyber-incidents have, as of 2012, been unambiguously and publicly characterized by the international community as reaching the threshold of an armed attack," the authors wrote.
The disagreement over what constitutes an armed attack was apparent in the manual, as the authors were divided over how to characterize a cyber-operation as an act of war.
In the case of a cyber-espionage operation by State A against State B that unexpectedly resulted in significant damage to State B's cyber-infrastructure, some experts were not willing to call State A's action an armed attack, according to the manual. The majority of the experts working on the manual took the view that "intention is irrelevant in quantifying an operation as an armed attack and that only scale and effects matter," the manual said.
Governments around the world are beginning to consider cyberspace as a critical component of their overall security. Many countries, such as China, have a cyber-unit within their military. The Department of Defense released its "Strategy for Operating in Cyberspace," which designated cyber-space as an operational domain and clearly indicated the United States would respond in the event of a cyber-attack.
The United Kingdom characterized "cyber-attack, including by other States, and by organized crime and terrorists" as one of four "Tier One" threats to British national security back in 2010, Schmitt wrote in the introduction.
The Tallinn manual is "not a manual on 'cyber security' as that term is understood in common usage," since international law does not apply to cyber-espionage, theft of intellectual property, and other cyber-crimes, wrote Schmitt. It also doesn't apply to kinetic-to-cyber operations, such as an aerial attack deploying bombs against a cyber-control center.
The Tallinn Manual focuses on "jus ad bellum," the international law governing the resort to force as an instrument of national policy, and "jus in bello," the international law regulating the conduct of armed conflict, according to a post on the CCDCOE blog. Other related areas, such as the law of State responsibility and the law of the sea, are also addressed in the manual. The Tallinn Manual focuses only on the existing law and its interpretation in the cyber-context, according to a CCDCOE statement. It does not propose or aim to contribute to the discussions on norms of behavior and codes of conduct, CCDCOE said.
The manual's emphasis is on "cyber-to-cyber operations, stricto sensu," such as attacks against a state's critical infrastructure, or those targeting enemy command and control systems, Schmitt said.
Published by Cambridge University Press, the manual is intended to be a reference for legal advisors at various government agencies. Until the book form is available, CCDCOE has a draft version available online.
The Tallinn Manual is not intended to be NATO's official doctrine but a compilation of views.