NATO Publishes Tallinn Manual 2.0 on International Law Applicable to Cyber Ops

NATO’s Cooperative Cyber Defense Centre of Excellence (CCDCOE), based in Tallinn, Estonia, has published ‘Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.’ Its world launch will be in Washington DC, February 8 at The Atlantic Council; followed by Europe at The Hague, February 13; and Tallinn, February 17.

Tallinn 2.0 incorporates Tallinn 1.0, published in 2012. While Tallinn 1 sought to define how international law relates to cyberwar, Tallinn 2 expands the content to include cyber activity that falls short of actual warfare. To reflect this expansion in content, the name has changed from ‘applicable to cyber warfare’ to ‘applicable to cyber operations’.

The Tallinn Manual takes no moral standpoint. It starts from the observation that cyber operations are subject to existing pre-cyber international law, and then defines how that law should be applied to different cyber operations. This forces it to confront many of the apparent difficulties in international cyber behavior head on — such as the applicability of self-defense and the right to strike back, and attribution.

The Tallinn Manual process is led by Michael Schmitt, an expert in the law of armed conflict, Professor of Public International Law at Exeter Law School, and a Senior Fellow at the United States Naval War College. It is authored by nineteen international law experts. Although it has no legal standing and does not represent the views of NATO per se, it has become an influential resource for legal advisers dealing with cyber issues.

Schmitt told SecurityWeek that the Manual 1.0 publication became far more popular than was expected. He thought one reason was that it provided a legal position that didn’t force governments to declare their own preference. “Governments,” he suggested, “want to set legal bars high for potential aggressors while setting them as low as possible for themselves.” The Manual takes away that dilemma by presenting the existing legal position under international law.

Tallinn 2.0 expands this legal exploration beyond cyber warfare into civilian situations. This makes it more complex because it includes the multitude of cyber intrusions faced by commercial organizations every day. But it is international law rather than any national law that is explored.

For example, there is growing enthusiasm for the right for private industry to strike back at aggressors, almost as an extension of self-defense. The law, however, is relatively simple — they cannot. Schmitt gave an example. “If a foreign nation launched an attack against Exeter University, there would be a right for retaliatory action; but not by Exeter University. The attack could be considered as an attack against the UK; but only the UK government could respond.”

Attribution is another difficult area. The law cannot be applied against a transgressor if the transgressor is not definitively known. There have been attempts to develop acceptable methods of attribution; most notably perhaps by Microsoft. Microsoft’s proposal would be for an international committee of independent experts who would decide on and name transgressors.

Schmitt is not a great supporter of this approach; not because it is bad, but because it ultimately depends on recommendations. The law is not about recommendations, but about clear mandates. “I don’t know about technical attribution,” he told SecurityWeek. “I’ve heard arguments that it is and it is not possible. But whenever I talk to intelligence agencies, they all say attribution is not based on simple technology, but on the summation of intelligence information — signals intelligence, field agents, geopolitics and so on.”

Once a government is confident in its attribution — and particularly if other governments agree with that attribution — then the Tallinn Manual can explain the legally permissible response. 

Tallinn 2, explains the associated CCDCOE announcement, “covers a full spectrum of international law applicable to cyber operations ranging from peacetime legal regimes to the law of armed conflict, covering a wide array of international law principles and regimes that regulate events in cyberspace. Some pertain to general international law, such as the principle of sovereignty and the various bases for the exercise of jurisdiction. The law of state responsibility, which includes the legal standards for attribution, is examined at length. Additionally, numerous specialised regimes of international law, including human rights law, air and space law, the law of the sea, and diplomatic and consular law, are examined in the context of cyber operations.”

Tallinn Manual 2.0 is available from Cambridge University Press.
