NATO’s Cooperative Cyber Defense Centre of Excellence (CCDCOE), based in Tallinn Estonia, has published ‘Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.’ Its world launch will be in Washington DC, February 8 at The Atlantic Council; followed by Europe at The Hague, February 13; and Tallinn, February 17.
Tallinn 2.0 incorporates Tallinn 1.0, published in 2012. While Tallinn 1 sought to define how international law relates to cyberwar, Tallinn 2 expands the content to include cyber activity that falls short of actual warfare. To reflect this expansion in content, the name has changed from ‘applicable to cyber warfare’ to ‘applicable to cyber operations’.
The Tallinn Manual takes no moral standpoint. It starts from the observation that cyber operations are subject to existing pre-cyber international law, and then defines how that law should be applied to different cyber operations. This forces it to confront many of the apparent difficulties in international cyber behavior head on — such as the applicability of self-defense and the right to strike back, and attribution.
The Tallinn Manual process is led by Michael Schmitt, an expert in the law of armed conflict, Professor of Public International Law at Exeter Law School, and a Senior Fellow at the United States Naval War College. It is authored by nineteen international law experts. Although it has no legal standing and does not represent the views of NATO per se, it has become an influential resource for legal advisers dealing with cyber issues.
Schmitt told SecurityWeek that the Manual 1.0 publication became far more popular than was expected. He thought one reason was that it provided a legal position that didn’t force governments to declare their own preference. “Governments,” he suggested, “want to set legal bars high for potential aggressors while setting them as low as possible for themselves.” The Manual takes away that dilemma be presenting the existing legal position under international law.
Tallinn 2.0 expands this legal exploration beyond cyber warfare into civilian situations. This makes it more complex because it includes the multitude of cyber intrusions faced by commercial organizations every day. But it is international law rather than any national law that is explored.
For example, there is growing enthusiasm for the right for private industry to strike back at aggressors, almost as an extension of self-defense. The law, however, is relatively simple — they cannot. Schmitt gave an example. “If a foreign nation launched an attack against Exeter University, there would be a right for retaliatory action; but not by Exeter University. The attack could be considered as an attack against the UK; but only the UK government could respond.”
Attribution is another difficult area. The law cannot be applied against a transgressor if the transgressor is not definitively known. There have been attempts to develop acceptable methods of attribution; most notably perhaps by Microsoft. Microsoft’s proposal would be for an international committee of independent experts who would decide on and name transgressors.
Schmitt is not a great supporter of this approach; not because it is bad, but because it ultimately depends on recommendations. The law is not about recommendations, but about clear mandates. “I don’t know about technical attribution,” he told SecurityWeek. “I’ve heard arguments that it is and it is not possible. But whenever I talk to intelligence agencies, they all say attribution is not based on simple technology, but on the summation of intelligence information — signals intelligence, field agents, geopolitics and so on.”
Once a government is confident in its attribution — and particularly if other governments agree with that attribution — then the Tallinn Manual can explain the legally permissible response.
Tallinn 2, explains the associated CCDCOE announcement, “covers a full spectrum of international law applicable to cyber operations ranging from peacetime legal regimes to the law of armed conflict, covering a wide array of international law principles and regimes that regulate events in cyberspace. Some pertain to general international law, such as the principle of sovereignty and the various bases for the exercise of jurisdiction. The law of state responsibility, which includes the legal standards for attribution, is examined at length. Additionally, numerous specialised regimes of international law, including human rights law, air and space law, the law of the sea, and diplomatic and consular law, are examined in the context of cyber operations.”
Tallinn Manual 2.0 is available from Cambridge University Press.