NATO’s Cooperative Cyber Defence Centre of Excellence last month published the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, a follow-on to the first, 2013, edition of the manual, which focused on the most severe cyber operations: those amounting to a use of force or conducted in the course of armed conflict.
The work of a distinguished and geographically diverse group of legal experts is the culmination of a yearslong effort, and picks up where the first – the Tallinn Manual 1.0 – left off, addressing the bulk of cyber activity, which falls below the threshold of war.
Both efforts constitute a compilation of expert opinion; neither purports to carry formal or official weight. Instead, the manuals are meant to inform practitioners and decision-makers as they seek to counter cyber threats and navigate the broader cyber ecosystem. Notably, the second edition goes beyond the first by drawing on a wider set of viewpoints, including consultations with 50 countries stretching beyond the Euro-Atlantic region.
The Tallinn Manual 2.0, which includes 154 rules, could significantly shape the creation of norms applicable to the cyber domain. Whether it realizes this potential will depend on whether officials use the instrument as it was intended: as a guide to the issues and areas on which there is substantial international consensus about what is and is not lawful, and as an indicator of gray areas where more discussion and negotiation, both within and among countries, are needed to establish the parameters of acceptable behavior. The United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (better known by the acronym GGE) is one forum in which the new manual could serve as a basis for further work in this vein.
As an example of an area showing both clarity and ambiguity at once, the manual observes that “peacetime cyber espionage by States does not per se violate international law” (Rule 32), but that “the method by which it is carried out may do so.” Expert opinion on the legality of particular methods was in some cases divided, so further clarity will hinge on state practice and official statements over time. With the Office of Personnel Management, Sony, and Democratic National Committee hacks still fresh in mind, expert opinion also diverged on the question of remotely conducted computer network exploitation, the mainstay of intelligence organizations such as the U.S. National Security Agency. On this point, the manual says its participants “were incapable of achieving consensus as to whether remote cyber espionage reaching a particular threshold of severity violates international law.”
Although the new manual continues to recognize the state as the fundamental building block of the international system and legal order, it acknowledges that non-state actors may play an integral and outsized role in the cyber domain, whether or not they enjoy explicit or implicit state support. The new volume identifies the legal conditions a state must satisfy in order to engage properly in offensive or defensive cyber activity when responding to non-state actors.
The line between state and non-state activity may, of course, be blurred when a state uses proxies to further specific ends. To determine whether a non-state actor is acting on behalf of a state, Tallinn 2.0 asks whether the state is “in effective control” of the actor; factors to consider include financing, equipping, and target selection. Even where a non-state actor’s cyber activities are not directly attributable to a state, Tallinn 2.0 contemplates circumstances under which state support could nonetheless cause the state to be held responsible, for example if the state were to provide malware to the non-state actor. Interestingly, in the case of state-owned companies, responsibility attaches to the state only on a showing that the state itself substantially controls or directs the company’s cyber activity.
In short, the line between state and non-state activity depends on the facts, and those involved will continue to try to hide the cyber equivalent of their fingerprints on the trigger.
The manual is, of course, a creature of its times, though sometimes this shows up in unexpected ways. For instance, Tallinn 2.0 addresses the use of social media and offers insights into the legal questions it raises, based on creative yet plausible scenarios. The International Group of Experts considered, for example, the use of social media to broadcast planned acts of piracy. Under Rule 46, such evidence could justify counter-piracy forces boarding a vessel without the consent of the flag state. The manual also addresses other instances where piracy and the cyber domain might intersect, including cyber operations to disable vessels involved in piracy and cyber activities that could enable piracy.
Another plausible but disturbing case the experts consider is the use of, or the gaining of access to, social media accounts to embarrass or blackmail prisoners of war and other detainees. On this point, the manual concludes that the law prohibits, among other things, posting information that reveals a prisoner’s “emotional state.”
The Tallinn Manual 2.0 is a truly ambitious work that may serve as a fundamental reference for cyber operations as nations develop their strategies and plans. It is no exaggeration to say that the manual raises, and seeks to grapple with, a host of pivotal questions facing legal, cyber, and other officials worldwide.
Sharon L. Cardash, J.D., is Associate Director of the Center for Cyber and Homeland Security at the George Washington University (GWU). Before joining GWU, she served as Security Policy Adviser to Canada’s Minister of Foreign Affairs.