Tallinn Manual 2.0: Stepping Out of the Fog in Cyberspace
Cyberspace is often portrayed as a new domain of international relations – a Wild West where there are no rules or guiding principles to govern the behavior of states. Such perceptions of anarchism have bred uncertainty over what is or is not acceptable activity among governments. This often leads to brash accusations of cyber attacks meeting the threshold of an act of war. At the same time, the blurred distinction between offensive and defensive capabilities in cyberspace creates a security dilemma, fueling a destabilizing cyber arms race.
Fortunately, there are hundreds of years of international law that can put norms surrounding cyberspace into motion. However, where does international law apply to countries’ operations in cyberspace, and what can states do to mitigate uncertainty surrounding cyber operations that lead to a potentially destabilizing cyber arms race?
The effort to place cyber activity firmly within international law first began after a series of denial of service attacks targeting Estonian sites in 2007, and then again in Georgia in 2008. Following these campaigns, primarily Euro-Atlantic countries congregated in Tallinn, Estonia, to establish the NATO Cooperative Cyber Defence Centre of Excellence, a multinational hub of cyber defense and international law expertise.
Led by Michael Schmitt, a Professor at the U.S. Navel War College, the Centre published the Tallinn Manual on the International Law Applicable to Cyber Warfare in 2013. Now known as Tallinn 1.0, the manual sought to create legal clarity over the use of cyber capabilities in war. While high-risk, such instances are ultimately unlikely, with the few potential exceptions of the Stuxnet worm discovered sabotaging Iran’s nuclear ambitions in 2010 and the disk-wiping malware destroying over 35,000 computers belonging to oil giant Saudi Aramco in 2012. Furthermore, having a manual that solely explored cyber activity during wartime could alone be destabilizing – hammers only see nails if the sole question is whether a cyber attack constitutes an act of war or not.
Therefore, Schmitt, and a more diverse group of international law experts, including some from countries such as China, Japan, and Thailand – as well as contributions from over 50 states through the Hague – endeavored to create Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations to explore the international legal landscape of cyber activity during peacetime – launched last month at the Atlantic Council in Washington. Wolff Heinstchel von Heinegg, the Chair of Public Law at the Europa-Universität Viadrina and one of the legal experts who worked on both Manuals, argues “the Tallinn Manual 2.0 is an honest effort aimed at identifying the legal principles and rules applicable to cyberspace, which is to provide political leaders, operators and others a basis for evaluation of the legality of their cyber operations.” Tallinn 2.0 finds that there is a robust body of language governing cyber operations already, providing 154 “black letter” rules governing activity in cyberspace.
However, while experts where able to unanimously agree on the wording of such rules, their interpretation and application remain contentious, as shown in the different views displayed in the manual’s commentary. Where disagreement emerges should signal a focus for states moving forward in establishing international norms in cyberspace. Under international law, for instance, states cannot direct attacks on “civilian objects,” as it would constitute a war crime, but is data considered an “object”? While the manual maintains that it is not – simultaneously asserting that “essential civilian functions” are off limits – it suggests that doing so opens the door for states to interpret the law of sovereignty differently, therefore creating a legal gray area.
For example, with the breach of the Democratic National Committee in the lead-up to last year’s U.S elections fresh in mind, some would argue that the attack constituted a coercive intervention into U.S. domestic affairs, as it manipulated the democratic process in ways it was not meant to be, and therefore breached the law of sovereignty. Others, however, would argue that the DNC hack and subsequent leaks do not constitute coercive intervention in U.S. domestic affairs as it was truthful information being provided to a liberal electorate.
While this legal gray zone is intentionally operated in by states, the United States should be wary of raising the standard of sovereignty in cyber operations, as doing so could restrict many U.S. actions in cyberspace. While espionage is not directly covered under international law, Rhea Siers, former Deputy Assistant Director for Policy at the National Security Agency, and Sharon Cardash, former Security Policy Advisor to Canada’s Minister of Foreign Affairs, note that expert opinions in Tallinn 2.0 “diverged on the question of remotely conducted computer network exploitation, which is the mainstay of intelligence organizations like the U.S. National Security Agency.”
“On this point, the manual notes that its participants ‘were incapable of achieving consensus as to whether remote cyber espionage reaching a particular threshold of severity violates international law,’” they say.
International law should not only be understood as restricting, but also clarifying avenues of response. The manual provides a framework in which states can react to cyber operations against them. Should an attack remain within the bounds of international law – for example, espionage operations such as the Office of Personnel Management breach – states can respond with retorsion, or an unfriendly yet legal action such as imposing sanctions. Should a state breach international law with a cyber attack, such as a sufficient infringement on sovereignty or targeting of critical infrastructure, the law of self-defense and proportionality kick in. For example, the United States could respond to an attack with countermeasures, or acts that would otherwise be unlawful, but are carried out in response to an unlawful act to return the original offender to a lawful course of action. This could include “hacking back,” such as responding to the Sony breach by targeting North Korea’s cyber infrastructure and proportionally disrupting their functions, or rather than responding in-kind with cyber, instead, block legal passage of North Korean sea vessels along American shorelines.
However, Heinstchel von Heinegg notes, “the problem with countermeasures in response to unlawful cyber attacks is attribution. Only if the cyber attack can be attributed to a given state with a strong level of certainty is it possible to resort to countermeasures against that state.” If attribution is wrong, the responding state will be in breach of international law and susceptible to countermeasures themselves.
The use of proxies to conduct cyber operations on behalf of states is important in this regard, as it blurs what is already a difficult process of attribution. Siers and Cardash note that “Tallinn 2.0 looks to the ways in which a state may or may not be "in effective control” of non-state actors, whereby “factors to consider include financing, equipping, and target selection.” Furthermore, should cyber attacks be launched from a third party, such as North Korea attacking U.S. systems from China, then the country being used as a launch-pad has a due diligence obligation – to the extent that is feasible – to halt serious attacks emanating from their territory. Should it not adequately fulfill this obligation, the third party – in this case China – could open itself up to countermeasures. Ultimately, the level of certainty in attribution demanded depends on the situation, while the policy response depends on the certainty of attribution.
So while establishing international norms in cyberspace – much like in any other domain – has proven challenging, the portrayal of cyberspace as an ungoverned domain, wholly outside the realm of established international law, is not only misleading, but undermines the very international norms states seek to establish. The more governments have a common understanding of how each other will operate in cyberspace, the less likely cyber operations will result in escalation.
Levi Maxey is the cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13.