What does international law mean for cyber warfare?

As DOD determines rules of cyber engagement, a NATO-commissioned manual offers guidance of a different sort.

world map

A NATO document seeks to establish a global framework for cyberwar. (Stock image)

Creating rules of engagement for operations in cyberspace has been an ongoing process at the Defense Department, where such rules -- if and when they are finished -- will remain classified. Now some say a new international manual intended for application to cyber warfare could provide a boost for the Pentagon.

The Tallinn Manual, commissioned by NATO but created by several dozen experts, builds on established international law, much as the Pentagon’s cyber rules are modeled on existing rules of engagement. The manual particularly focuses on the principles of jus ad bellum, which regulates use of force in international law, and jus in bello, which governs conduct in armed conflict.

Verbatim

From The Tallinn Manual, Sections 13 and 14 of Rule 22, the Characterization of International Armed Conflict:

"To be 'armed,' a conflict need not involve the employment of the armed forces. Nor is the involvement of the armed force determinative. For example, should entities such as civilian intelligence agencies engage in cyber operations otherwise meeting the armed criterion, an armed conflict may be triggered. Similarly, using the armed forces to conduct tasks that are normally the responsibility of non-military agencies does not alone initiate an armed conflict."

According to cyber and legal experts, the Tallinn Manual will help supplement DOD’s guidelines for cyber warfare by offering additional insight and references to international law that can help with strategic, tactical and operational decision-making.

"I think the manual will have greater influence on battlefield rules of engagement because there’s a lot more granularity in the section on the use of in bello and humanitarian law," said Michael Schmitt, chairman of the International Law Department at the Naval War College. "I think that will feed into battlefield [rules of engagement], as distinct from the day-to-day [rules of engagement]."

Schmitt, who spoke as part of a panel convened by the Atlantic Council on March 28 in Washington, noted that one of the toughest aspects of cyber conflict is determining use of force, which the manual addresses. Furthermore, determining what constitutes a cyberattack has also been a sticking point in U.S. policy-making, the panelists said.

"For years, U.S. policy has been frozen, sort of burdened, with this overly generous definition of computer network attacks that the Defense Department had put forth," said Gary Brown, deputy legal adviser for the U.S. and Canadian regional delegation at the International Committee of the Red Cross. "That made it difficult to move forward because folks were reluctant to say that international humanitarian law applies to…everything we do in cyber that denies, degrades, disrupts or destroys cyber systems. That’s a very broad range of cyber activities that would be governed by [international law], so there was a reluctance to put pen to paper."

Brown, a retired Air Force colonel, said that attitude has changed in recent months -- something that might be reflected in how the Tallinn Manual affects DOD’s cyberspace operations.

"It will have some effect, and it will have positive effect because the United States is going to comply with international laws and comport with the rules as presented," he said. "We don’t know what the rules are, but just this month [Gen. Keith Alexander, commander of U.S. Cyber Command] came out and indicated there will be specific offensive teams, so one wonders what the rules of engagement will be to govern these offensive cyber teams. The manual can’t hurt."

Verbatim

The Tallinn Manual, from Rule 30, Sections 2-3:

"The notion of an 'attack' is a concept that serves as the basis for a number of specific limitations and prohibitions in the law of armed conflict. For instance, civilians and civilian objects may not be 'attacked' (Rule 32). This rule sets forth a definition that draws on that found in Article 49(1) of Additional Protocol 1: 'attacks means acts of violence against the adversary, whether in [offense or defense]. By this widely accepted definition, it is the use of violence against a target that distinguishes attacks from other military operations. Non-violent operations, such as psychological cyber operations or cyber espionage, do not qualify as attacks."

Although the military’s cyber rules of engagement remain classified for national security reasons, some transparency could help gauge where DOD stands on cyber conflict’s most significant issues. Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative, said that although Pentagon officials have noted the need to respond quickly to cyber threats, fast reactions are not necessarily as important as some believe.

"Seeing how much engagement in conflicts can take weeks, months and years, I’m personally cautious the [rules of engagement] will be built by people who have dealt with this tactically, saying ‘A strike could come at us from nowhere, and we have to respond quickly,’" Healey said. "Which is absolutely true, but that can be true in all the other domains of warfare also. So I’m concerned we could be focused on the technical truths rather than the strategic truths, which say we have more time."

As the United States and other countries struggle to define cyberattacks, officials also must consider how to handle activities in cyberspace that do not necessarily constitute an attack but do have malicious intent, such as disruptive actions or espionage, the panelists said.

"One of the big challenges now is we’ve drawn that line in the sand of what a cyberattack is and what might constitute armed conflict in cyber," Brown said. "That leaves unanswered most of the issues around what’s happening now outside the context of armed conflict. Most things we read about fall into this second category. It’s not part of a conflict, it’s not part of an ongoing war. These are things that aren’t really addressed by laws of warfare because it doesn’t fall under that definition of warfare. But the main reason the manual is incredibly important is because it finally draws the line."

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.