
Tallinn 2.0 refines the law of cyberattacks


Legally speaking, what can a nation do when its election system is hacked by another country? That's just one of the many kinds of cases the new Tallinn Manual on the International Law Applicable to Cyber Operations attempts to address.

The new book, authored by 19 international legal experts, is an update to the 2013 "Tallinn Manual" that was commissioned by the NATO Cooperative Cyber Defense Center of Excellence.

The original manual grew out of Russia's cyber attacks on Estonia in 2007 and Georgia in 2008, when NATO's CCD COE decided to convene a group of legal experts to evaluate how existing laws of war applied to the emerging cyber domain.

The 2013 manual was designed to address cases like the Stuxnet virus or the use of cyber during armed conflict, said Liis Vihul, the managing editor of the manual, at a launch event at the Atlantic Council in Washington.

"While we were writing the first Tallinn manual we were acutely aware of the fact that even though those types of incidents are the most critical from a national security perspective, states on a day-to-day basis are not grappling with these types of issues," she said.

The new version analyzes peacetime laws and how they apply to recent cases like the Sony, OPM and DNC hacks, which are considered "below the threshold" of armed conflict.

Like the original, the updated manual does not represent official NATO policies or views, and is billed as an academic resource for states and the international community to use as a guide to establish international norms and legal regimes around cyber.

"It's meant for primarily state legal advisors to assist them in thinking through the legal issues that arise," Vihul said, "when either their states are planning to engage in certain types of cyber operations or when their states are taking hits from abroad and to assess what the international law implications in these situations are."

The book consists of 154 black letter rules of international law with commentary on the rules and debates between the lawyers who wrote the manual.

Michael Schmitt, a law professor at U.S. Naval War College and one of the scholars who wrote the Tallinn Manual, said the areas of consensus are not the most important piece of the book.

"It's where we disagreed, because that's where the play should be with regard to states," he said. "States should be looking at areas where we disagreed and saying, 'that's where states need to roll into the game and start firming up the norms.'"

Schmitt said the book makes clear that existing law and norms are significant, but do not provide all the answers.

"We wanted to give people at [U.S. Cyber Command] a tool which they could use as they begin to deconstruct what had just happened, and how they could respond to it within the framework of international law," he said.

There are a number of "gray areas" of international law, he said, and there will be ongoing debate about what constitutes a cyber act of war or war crime -- such as destroying critical civilian data -- and what is a violation of a nation's sovereignty in cyberspace.

"We agreed almost across the group that you can have a cyber operation that is not destructive and is not injurious, but it could qualify as a use of force," Schmitt said, though he added that not all cases of cyber use of force would allow the victim to respond with force.

Schmitt said the book uses the example of elections to highlight the legal principle of "domaine réservé" or the prohibited intervention into the domestic affairs of another nation. He argued that Russia committed a prohibited intervention into the U.S. election by hacking the DNC and releasing data, but that the law is far from settled in that case.

"The Russians have selected an area of law in which to operate in which it will be hard for states to come to a consensus that [Russia] violated international law," he said. "We will be squabbling among each other in the interagency process and the international process over did they do it and did they violate international law or not."

Schmitt said if the West isn't more forceful in response to actions like Russia's election interference and information operations, opponents will continue to "play in this gray area."

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.

