Into the Intro: The Tallinn Manual on the International Law Applicable to Cyber Warfare
The NATO-commissioned guide to the changing ways of war and the new threats of a digital world. Should civilian hackers be considered military targets? Should victims of damaging cyber attacks be able to strike back with weapons against the offender?
In 2009, the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE), an international military organization based in Tallinn, Estonia, and accredited in 2008 by NATO as a ‘Centre of Excellence’, invited an independent ‘International Group of Experts’ to produce a manual on the law governing cyber warfare. In doing so, it followed in the footsteps of earlier efforts, such as those resulting in the International Institute of Humanitarian Law’s San Remo Manual on International Law Applicable to Armed Conflicts at Sea and the Harvard Program on Humanitarian Policy and Conflict Research’s Manual on International Law Applicable to Air and Missile Warfare. The project brought together distinguished international law practitioners and scholars in an effort to examine how extant legal norms applied to this ‘new’ form of warfare. Like its predecessors, the Manual on the International Law Applicable to Cyber Warfare, or ‘Tallinn Manual’, results from an expert-driven process designed to produce a non-binding document applying existing law to cyber warfare.
Cyber operations began to draw the attention of the international legal community in the late 1990s. Most significantly, in 1999 the United States Naval War College convened the first major legal conference on the subject. In the aftermath of the attacks of 11 September 2001, transnational terrorism and the ensuing armed conflicts diverted attention from the topic until the massive cyber operations by ‘hacktivists’ against Estonia in 2007 and against Georgia during its war with the Russian Federation in 2008, as well as cyber incidents like the targeting of the Iranian nuclear facilities with the Stuxnet worm in 2010.
These and other events have focused the attention of States on the subject. For instance, in its 2010 National Security Strategy the United Kingdom characterized ‘cyber attack, including by other States, and by organised crime and terrorists’ as one of four ‘Tier One’ threats to British national security, the others being international terrorism, international military crises between States, and a major accident or natural hazard. The United States’ 2010 National Security Strategy likewise cited cyber threats as ‘one of the most serious national security, public safety, and economic challenges we face as a nation’ and in 2011 the US Department of Defense issued its Strategy for Operating in Cyberspace, which designates cyberspace as an operational domain. In response to the threat, the United States has now established US Cyber Command to conduct cyber operations.
During the same period, Canada launched Canada’s Cyber Security Strategy, the United Kingdom issued The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digitized World, and Russia published its cyber concept for the armed forces in Conceptual Views Regarding the Activities of the Armed Forces of the Russian Federation in Information Space. NATO acknowledged the new threat in its 2010 Strategic Concept, wherein it committed itself to ‘develop further our ability to prevent, detect, defend against and recover from cyber attacks, including by using the NATO planning process to enhance and coordinate national cyber-defence capabilities, bringing all NATO bodies under centralized cyber protection, and better integrating NATO cyber awareness, warning and response with member nations’.
One of the challenges States face in the cyber environment is that the scope and manner of international law’s applicability to cyber operations, whether in offence or defence, has remained unsettled since their advent. After all, at the time the current international legal norms (whether customary or treaty-based) emerged, cyber technology was not on the horizon. Consequently, there is a risk that cyber practice may quickly outdistance agreed understandings as to its governing legal regime.
The threshold questions are whether the existing law applies to cyber issues at all, and, if so, how. Views on the subject range from a full application of the law of armed conflict, along the lines of the International Court of Justice’s pronouncement that it applies to ‘any use of force, regardless of the weapons employed’, to strict application of the Permanent Court of International Justice’s pronouncement that acts not forbidden in international law are generally permitted. Of course, the fact that States lack definitive guidance on the subject does not relieve them of their obligation to comply with applicable international law in their cyber operations.
The community of nations is understandably concerned about this normative ambiguity. In 2011, the United States set forth its position on the matter in the International Strategy for Cyberspace: ‘The development of norms for State conduct in cyberspace does not require a reinvention of customary international law, nor does it render existing international norms obsolete. Long-standing international norms guiding State behavior – in times of peace and conflict – also apply in cyberspace.’ Nevertheless, the document acknowledged that the ‘unique attributes of networked technology require additional work to clarify how these norms apply and what additional understandings might be necessary to supplement them’.
This project was launched in the hope of bringing some degree of clarity to the complex legal issues surrounding cyber operations, with particular attention paid to those involving the jus ad bellum and the jus in bello. The result is this ‘Tallinn Manual’.
The Tallinn Manual examines the international law governing ‘cyber warfare’. As a general matter, it encompasses both the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict, or international humanitarian law). Related bodies of international law, such as the law of State responsibility and the law of the sea, are dealt with in the context of these topics.
Cyber activities that occur below the level of a ‘use of force’ (as this term is understood in the jus ad bellum), like cyber criminality, have not been addressed in any detail. Nor have any prohibitions on specific cyber actions, except with regard to an ‘armed conflict’ to which the jus in bello applies. For instance, the Manual is without prejudice to other applicable fields of international law, such as international human rights or telecommunications law. The legality of cyber intelligence activities is examined only as they relate to the jus ad bellum notions of ‘use of force’ and ‘armed attack’, or as relevant in the context of an armed conflict governed by the jus in bello. Although individual States and those subject to their jurisdiction must comply with applicable national law, domestic legislation and regulations have likewise not been considered. Finally, the Manual does not delve into the issue of individual criminal liability under either domestic or international law.
In short, this is not a manual on ‘cyber security’ as that term is understood in common usage. Cyber espionage, theft of intellectual property, and a wide variety of criminal activities in cyberspace pose real and serious threats to all States, as well as to corporations and private individuals. An adequate response to them requires national and international measures. However, the Manual does not address such matters because application of the international law on uses of force and armed conflict plays little or no role in doing so. Such law is no more applicable to these threats in the cyber domain than it is in the physical world.
The Tallinn Manual’s emphasis is on cyber-to-cyber operations, sensu stricto. Examples include the launch of a cyber operation against a State’s critical infrastructure, or a cyber attack targeting enemy command and control systems. The Manual is not intended for use in considering the legal issues surrounding kinetic-to-cyber operations, such as an aerial attack employing bombs against a cyber control centre. It likewise does not address traditional electronic warfare attacks, like jamming. These operations are already well understood under the law of armed conflict.
Finally, the Manual addresses both international and non-international armed conflict. The Commentary indicates when a particular Rule is applicable in both categories of conflict, limited to international armed conflict, or of uncertain application in non-international armed conflict. It should be noted in this regard that the international law applicable to international armed conflict served as the starting point for the legal analysis. An assessment was subsequently made as to whether the particular Rule applies in non-international armed conflict.
There are no treaty provisions that directly deal with ‘cyber warfare’. Similarly, because State cyber practice and publicly available expressions of opinio juris are sparse, it is sometimes difficult to definitively conclude that any cyber-specific customary international law norm exists. This being so, any claim that every assertion in the Manual represents an incontrovertible restatement of international law would be an exaggeration.
This uncertainty does not mean cyber operations exist in a normative void. The International Group of Experts was unanimous in its estimation that both the jus ad bellum and jus in bello apply to cyber operations. Its task was to determine how such law applied, and to identify any cyber-unique aspects thereof. The Rules set forth in the Tallinn Manual accordingly reflect consensus among the Experts as to the applicable lex lata, that is, the law currently governing cyber conflict. It does not set forth lex ferenda, best practice, or preferred policy.
When treaty law directly on point or sufficient State practice and opinio juris from which to discern precise customary international law norms was lacking, the International Group of Experts crafted the Rules broadly. In these cases, the Experts agreed that the relevant principle of law extended into the cyber realm, but were hesitant to draw conclusions as to its exact scope and application in that context. Where different positions as to scope and application existed, they are reflected in the accompanying Commentary.
To the extent the Rules accurately articulate customary international law, they are binding on all States, subject to the possible existence of an exception for persistent objectors. At times, the text of a Rule closely resembles that of an existing treaty norm. For instance, Rule 38 regarding military objectives is nearly identical to the text of Article 52(2) of Additional Protocol I. In such cases, the International Group of Experts concluded that the treaty text represented a reliable and accurate restatement of customary international law. Users of this Manual are cautioned that States may be subject to additional norms set forth in treaties to which they are Party.
The Rules were adopted employing the principle of consensus within the International Group of Experts. All participating experts agreed that, as formulated, the Rules replicate customary international law, unless expressly noted otherwise. It must be acknowledged that at times members of the Group argued for a more restrictive or permissive standard than that eventually agreed upon. The Rule that emerged from these deliberations contains text regarding which it was possible to achieve consensus.
Although the observers (see below) participated in all discussions, the unanimity that was required for adoption of a Rule was limited to the International Group of Experts. Therefore, no conclusions can be drawn as to the position of any entity represented by an Observer with regard to the Rules.