Cybersecurity

What does international law mean for cyber warfare?

world map

A NATO document seeks to establish a global framework for cyberwar. (Stock image)

Creating rules of engagement for operations in cyberspace has been an ongoing process at the Defense Department, where such rules -- if and when they are finished -- will remain classified. Now some say a new international manual intended for application to cyber warfare could provide a boost for the Pentagon.

The Tallinn Manual, commissioned by NATO but created by several dozen experts, builds on established international law, much as the Pentagon’s cyber rules are modeled on existing rules of engagement. The manual particularly focuses on the principles of jus ad bellum, which regulates use of force in international law, and jus in bello, which governs conduct in armed conflict.

Verbatim

From The Tallinn Manual, Sections 13 and 14 of Rule 22, the Characterization of International Armed Conflict:

"To be 'armed,' a conflict need not involve the employment of the armed forces. Nor is the involvement of the armed force determinative. For example, should entities such as civilian intelligence agencies engage in cyber operations otherwise meeting the armed criterion, an armed conflict may be triggered. Similarly, using the armed forces to conduct tasks that are normally the responsibility of non-military agencies does not alone initiate an armed conflict."

According to cyber and legal experts, the Tallinn Manual will help supplement DOD’s guidelines for cyber warfare by offering additional insight and references to international law that can help with strategic, tactical and operational decision-making.

"I think the manual will have greater influence on battlefield rules of engagement because there’s a lot more granularity in the section on the use of in bello and humanitarian law," said Michael Schmitt, chairman of the International Law Department at the Naval War College. "I think that will feed into battlefield [rules of engagement], as distinct from the day-to-day [rules of engagement]."

Schmitt, who spoke as part of a panel convened by the Atlantic Council on March 28 in Washington, noted that one of the toughest aspects of cyber conflict is determining use of force, which the manual addresses. Furthermore, determining what constitutes a cyberattack has also been a sticking point in U.S. policy-making, the panelists said.

"For years, U.S. policy has been frozen, sort of burdened, with this overly generous definition of computer network attacks that the Defense Department had put forth," said Gary Brown, deputy legal adviser for the U.S. and Canadian regional delegation at the International Committee of the Red Cross. "That made it difficult to move forward because folks were reluctant to say that international humanitarian law applies to…everything we do in cyber that denies, degrades, disrupts or destroys cyber systems. That’s a very broad range of cyber activities that would be governed by [international law], so there was a reluctance to put pen to paper."

Brown, a retired Air Force colonel, said that attitude has changed in recent months -- something that might be reflected in how the Tallinn Manual affects DOD’s cyberspace operations.

"It will have some effect, and it will have positive effect because the United States is going to comply with international laws and comport with the rules as presented," he said. "We don’t know what the rules are, but just this month [Gen. Keith Alexander, commander of U.S. Cyber Command] came out and indicated there will be specific offensive teams, so one wonders what the rules of engagement will be to govern these offensive cyber teams. The manual can’t hurt."

Verbatim

The Tallinn Manual, from Rule 30, Sections 2-3:

"The notion of an 'attack' is a concept that serves as the basis for a number of specific limitations and prohibitions in the law of armed conflict. For instance, civilians and civilian objects may not be 'attacked' (Rule 32). This rule sets forth a definition that draws on that found in Article 49(1) of Additional Protocol 1: 'attacks means acts of violence against the adversary, whether in [offense or defense]. By this widely accepted definition, it is the use of violence against a target that distinguishes attacks from other military operations. Non-violent operations, such as psychological cyber operations or cyber espionage, do not qualify as attacks."

Although the military’s cyber rules of engagement remain classified for national security reasons, some transparency could help gauge where DOD stands on cyber conflict’s most significant issues. Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative, said that although Pentagon officials have noted the need to respond quickly to cyber threats, fast reactions are not necessarily as important as some believe.

"Seeing how much engagement in conflicts can take weeks, months and years, I’m personally cautious the [rules of engagement] will be built by people who have dealt with this tactically, saying ‘A strike could come at us from nowhere, and we have to respond quickly,’" Healey said. "Which is absolutely true, but that can be true in all the other domains of warfare also. So I’m concerned we could be focused on the technical truths rather than the strategic truths, which say we have more time."

As the United States and other countries struggle to define cyberattacks, officials also must consider how to handle activities in cyberspace that do not necessarily constitute an attack but do have malicious intent, such as disruptive actions or espionage, the panelists said.

"One of the big challenges now is we’ve drawn that line in the sand of what a cyberattack is and what might constitute armed conflict in cyber," Brown said. "That leaves unanswered most of the issues around what’s happening now outside the context of armed conflict. Most things we read about fall into this second category. It’s not part of a conflict, it’s not part of an ongoing war. These are things that aren’t really addressed by laws of warfare because it doesn’t fall under that definition of warfare. But the main reason the manual is incredibly important is because it finally draws the line."

The 2014 Federal 100

Get to know the 100 women and men honored this year for going above and beyond in federal IT.

Reader comments

Wed, Apr 3, 2013 Harvey

If I take this correctly, a cyberattack involving large scale disruptions of power grid and water systems would be illegal as it impacts many more civilians than non-civilians due to the indiscriminate behavior of such attacks.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above