Connect with us

Hi, what are you looking for?



NATO Publishes Tallinn Manual 2.0 on International Law Applicable to Cyber Ops

NATO’s Cooperative Cyber Defense Centre of Excellence (CCDCOE), based in Tallinn Estonia, has published ‘Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.’ Its world launch will be in Washington DC, February 8 at The Atlantic Council; followed by Europe at The Hague, February 13; and Tallinn, February 17.

NATO’s Cooperative Cyber Defense Centre of Excellence (CCDCOE), based in Tallinn Estonia, has published ‘Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.’ Its world launch will be in Washington DC, February 8 at The Atlantic Council; followed by Europe at The Hague, February 13; and Tallinn, February 17.

Tallinn 2.0 incorporates Tallinn 1.0, published in 2012. While Tallinn 1 sought to define how international law relates to cyberwar, Tallinn 2 expands the content to include cyber activity that falls short of actual warfare. To reflect this expansion in content, the name has changed from ‘applicable to cyber warfare’ to ‘applicable to cyber operations’.

Tallinn Manual 2.0 CoverThe Tallinn Manual takes no moral standpoint. It starts from the observation that cyber operations are subject to existing pre-cyber international law, and then defines how that law should be applied to different cyber operations. This forces it to confront many of the apparent difficulties in international cyber behavior head on — such as the applicability of self-defense and the right to strike back, and attribution.

The Tallinn Manual process is led by Michael Schmitt, an expert in the law of armed conflict, Professor of Public International Law at Exeter Law School, and a Senior Fellow at the United States Naval War College. It is authored by nineteen international law experts. Although it has no legal standing and does not represent the views of NATO per se, it has become an influential resource for legal advisers dealing with cyber issues.

Schmitt told SecurityWeek that the Manual 1.0 publication became far more popular than was expected. He thought one reason was that it provided a legal position that didn’t force governments to declare their own preference. “Governments,” he suggested, “want to set legal bars high for potential aggressors while setting them as low as possible for themselves.” The Manual takes away that dilemma be presenting the existing legal position under international law.

Tallinn Manual

Tallinn 2.0 expands this legal exploration beyond cyber warfare into civilian situations. This makes it more complex because it includes the multitude of cyber intrusions faced by commercial organizations every day. But it is international law rather than any national law that is explored.

For example, there is growing enthusiasm for the right for private industry to strike back at aggressors, almost as an extension of self-defense. The law, however, is relatively simple — they cannot. Schmitt gave an example. “If a foreign nation launched an attack against Exeter University, there would be a right for retaliatory action; but not by Exeter University. The attack could be considered as an attack against the UK; but only the UK government could respond.”

Attribution is another difficult area. The law cannot be applied against a transgressor if the transgressor is not definitively known. There have been attempts to develop acceptable methods of attribution; most notably perhaps by Microsoft. Microsoft’s proposal would be for an international committee of independent experts who would decide on and name transgressors.

Schmitt is not a great supporter of this approach; not because it is bad, but because it ultimately depends on recommendations. The law is not about recommendations, but about clear mandates. “I don’t know about technical attribution,” he told SecurityWeek. “I’ve heard arguments that it is and it is not possible. But whenever I talk to intelligence agencies, they all say attribution is not based on simple technology, but on the summation of intelligence information — signals intelligence, field agents, geopolitics and so on.”

Advertisement. Scroll to continue reading.

Once a government is confident in its attribution — and particularly if other governments agree with that attribution — then the Tallinn Manual can explain the legally permissible response. 

Tallinn 2, explains the associated CCDCOE announcement, “covers a full spectrum of international law applicable to cyber operations ranging from peacetime legal regimes to the law of armed conflict, covering a wide array of international law principles and regimes that regulate events in cyberspace. Some pertain to general international law, such as the principle of sovereignty and the various bases for the exercise of jurisdiction. The law of state responsibility, which includes the legal standards for attribution, is examined at length. Additionally, numerous specialised regimes of international law, including human rights law, air and space law, the law of the sea, and diplomatic and consular law, are examined in the context of cyber operations.”

Tallinn Manual 2.0 is available from Cambridge University Press.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...