A group of international law experts met in Tallinn, Estonia, after the 2007 onslaught of cyber attacks against sites in the country, to create the Tallinn Manual in order to clarify what constitutes an act of war in cyberspace and how countries could lawfully respond. The vast majority of everyday cyber attacks, however, do not constitute an act of war, so the recent release of the Tallinn Manual 2.0 is an attempt to place cyber operations below the threshold of war within an international legal framework. The Cipher Brief spoke with Wolff Heintschel von Heinegg, the Chair of Public Law at the Europa-Universität Viadrina and one of the legal experts who worked on both Tallinn Manuals, about where cyber operations fall in international law and how the manual can help countries navigate a complex landscape in cyberspace.
The Cipher Brief: What is the Tallinn Manual 2.0 and what does it hope to accomplish?
Wolff Heintschel von Heinegg: Like its predecessor, it reflects the unanimous opinion of a group of international experts as to the principles and rules of international law that apply to operations in and through cyberspace. The unanimity is reflected in the so-called black letter rules. However, the experts were not always able to arrive at an equally unanimous interpretation of the identified rules. Their diverging opinions on how to interpret the rules are pronounced in the commentaries accompanying the rules.
The more governments are prepared to adopt the rules identified in the manual, the more authoritative it is.
TCB: How much of existing international law actually applies to cyberspace? Do we need a digital Geneva Convention?
WHvH: Actually, quite a lot. At least like-minded states, such as the United States and its NATO allies, agree that the existing international law applies online and offline. They do, of course, recognize the need for some modifications, but with regard to the fundamental principles and rules governing sovereignty, the use of force and self-defense, or the conduct of hostilities, they have continuously emphasized that they see no need for new rules.
Certainly, a digital Geneva Convention is unnecessary and it would most probably be a dangerous undertaking. The contemporary law of armed conflict – or international humanitarian law – is the product of a long development that began more than 150 years ago. Any attempt to amend it by specific digital rules would shatter the fine balance that has been accomplished. The Tallinn Manual provides ample proof of the adequacy of the existing law of war to regulate the conduct of hostilities in and through cyberspace.
It must be borne in mind, however, that in particular China and Russia have been insisting on an international arms control agreement for state conduct in and through cyberspace. Hopefully, other governments will not pursue this course because such an agreement would only be abused for one-sided accusations.
TCB: What are the modes of response to state-sponsored cyber attacks allowed to governments under international law?
WHvH: International law provides a wide variety of lawful responses to state-sponsored cyber attacks that range from self-defense and countermeasures to protests. The problem is that it is still rather difficult – although not impossible – to attribute a cyber attack to a given state. Cyber attacks against critical infrastructure, however, could bring into existence a state of necessity that would entitle the target state to protect its critical infrastructure by violating the rights of the other state without being required to resort to countermeasures.
TCB: What are countermeasures and where do they fall under international law? Could you provide examples?
WHvH: Countermeasures are responses to prior violations of international law by another state. They allow the victim state to respond to such violations by violating the rights of the wrongdoer with a view to inducing the wrongdoer to return to lawful conduct. Again, the problem with countermeasures in response to unlawful cyber attacks is attribution. Only if the cyber attack can be attributed to a given state with a strong level of certainty is it possible to resort to countermeasures against that state.
For example, had it been possible to attribute the cyber attacks against the German Parliament to State A, Germany could have responded by violating State A’s rights by, for instance, unilaterally suspending a bilateral treaty on investment protection. Germany would not have been limited to countermeasures by cyber means.
TCB: What are the challenges of deterrence in cyberspace, particularly with the understanding that governments often hack for defensive purposes and offensive capabilities are difficult to discern from defensive ones?
WHvH: The distinction between defensive and offensive cyber operations is rather artificial and hence, not useful. Apart from that, an effective cyber defense requires the capability of conducting offensive cyber operations. However, between states the best deterrence is their common vulnerability. The critical infrastructure in many states is heavily dependent upon cyberspace. Any attack on such infrastructure by one state will most likely trigger a similar response by the target state. Therefore, the real problem is non-state actors against whom deterrence does not work.
TCB: What does the Tallinn Manual 2.0 say about using cyber espionage to facilitate information operations to influence foreign elections?
WHvH: Firstly, espionage is not prohibited. All states to a greater or lesser extent engage in espionage, including cyber espionage. However, national elections are protected by the principle of sovereignty. No state is allowed to interfere in the domestic affairs and, thus, the elections, of another state. The Tallinn Manual addresses these issues in its section on sovereignty. It is unsettled whether the mere dissemination of “fake news” qualifies as a prohibited interference into domestic affairs. The reactions by some governments, such as in the United States, France, and Germany, to such “fake news” seem to suggest that they are prepared to consider them an unlawful interference.