The Tallinn Manual on Cyberwarfare

However, applying the framework of international conflict and security law to cyber-operations can be deeply problematic. The laws of armed conflict, for example, are based on a series of principal distinctions, such as the distinction between war and peace, military and non-military objects, combatants and civilians or international and non-international armed conflicts. All these distinctions prove problematic when applied to cyberwars, especially when such wars take place in a twilight zone of war and peace, when the origins of the attack are difficult to trace and when clear marks setting military targets and combatants apart from non-military targets and civilians are absent. In a similar fashion, applying the basic provisions of the UN Charter to cyber-attacks raises foundational questions: can cyber-attacks as such ever qualify as a use of force prohibited by article 2(4) of the Charter? Can cyber-attacks ever be regarded as armed attacks that give the victim state a right to self-defense under article 51?

Of course, these questions are not entirely new to international law. The rise of irregular warfare, transboundary terrorism, and policies of targeted killing, for example, has already raised similar questions regarding the applicability and boundaries of international conflict and security law. However, the use of cyberspace as a weapon and a battlefield at the same time has radicalized age-old questions regarding the legal regulation of irregular warfare and has given them new meaning and force. This is not the same as how businesses face cyber attacks, where solutions like a virtual CISO might help the company lead with the required security strategy.

In light of the fundamental problems relating to the applicability of conflict and security law to cyber-operations, it may not come as a surprise that NATO not only recognized cyberwar as a new threat in its 2010 Strategic Concept but also sought to clarify the legal problems surrounding the regulation of cyberwar. In 2009, the NATO Cooperative Cyber Defence Centre of Excellence invited an international group of experts to set out the law applicable to cyberwar. The group of experts produced the so-called “Tallinn Manual”, the first full draft of which appeared in August 2012. The Manual will be published by Cambridge University Press in 2013. The Manual’s focus is limited to cyber-to-cyber operations, such as cyber-attacks on the informational infrastructure of an enemy state.

The Manual brings together an impressive amount of primary and secondary material, taking the reader through issues of jurisdiction and sovereignty, the rules governing the legality of the resort to armed force, and the laws of armed conflict. At several places, the experts manage to draw firm and relatively unambiguous conclusions. The Manual makes it clear, for example, that the mere fact that a cyber-operation is launched from a state’s territory or routed via infrastructure located on a state’s territory is insufficient evidence for attributing that operation to the state in question.[4] However, when it comes to more controversial issues pertaining to the use of force and to the conduct of hostilities, the experts fail to reach consensus, and manage only to come up with open-ended formulations. Take for instance the thorny issue of self-defense against armed attacks conducted by private actors. On this topic the group of experts proved as divided as international legal scholarship in general, with a majority holding self-defense to be permissible when the state from the territory of which the attack is launched is unable or unwilling to take effective action to halt the attack, and a minority rejecting a right of self-defense against attacks that cannot be attributed to a foreign state.[5] The majority position moreover acknowledged that the requirements of necessity and immediacy cannot be spelled out in detail in advance, but are context-specific.[6] Similar disagreements among experts occurred in relation to the applicability of the laws of armed conflict,[7] the geographical limitations of cyber-operations,[8] the distinction between international and non-international armed conflicts,[9] or the definition of ‘direct participation in hostilities’.[10]

Of course, one cannot blame the group of experts for not reaching agreement on some of the fundamental challenges to international conflict and security law. It is not any lack of will, knowledge or imagination on the part of the experts, but the mismatch between the structure of international law and the nature of many contemporary armed conflicts that generates this uncertainty and indeterminacy. Although the main aim of the Manual is to clarify the laws applicable to cyber-war, its conclusions on several core issues unavoidably reflect rather than resolve the uncertainties surrounding the international legal regulation of cyber-operations. The fact that these uncertainties are now officially acknowledged and confirmed by leading experts in the field makes them even more pertinent. Anyone now claiming that (s)he knows with certainty that a rule should be applied in a particular way will be confronted with a lack of consensus among reputable experts on the application of that very rule (“who are you to claim that you know better than the experts who could not agree?”). The Manual, in other words, demonstrates the extent to which the application of conflict and security law to cyber-operations is dependent on context and on the assessments of those in a position to decide.

A good illustration of this point is the way in which the Manual deals with the question whether cyber-attacks can be regarded as uses of force under article 2(4) of the UN Charter. The experts were in agreement that the distinction between force and other forms of coercion should be made on the basis of the ‘scale and effects’ of a particular action.[11] The ‘scale and effects’ criterion, however, is still rather ill-defined. The Manual acknowledges this and tries to reduce the uncertainty surrounding this criterion by listing a range of factors that states could take into account when assessing the nature of a cyber-operation.[12] The factors are taken from an article written by the chairman of the group some 14 years ago and include factors such as the severity of the attack, the immediacy of the response, the directness of the link between the attack and the harm done, the invasiveness of the attack, the measurability of the effects, the military character of the attack, state involvement in the attack and the presumptive legality of actions under international law generally.[13]

It remains to be seen, however, whether the list included in the Manual actually helps to reduce the uncertainty surrounding the application of article 2(4) to cyberwars. The factors, after all, are not intended to serve as legal criteria, but merely as suggestions that states could (and perhaps do) take into account. How they relate to positive legal obligations remains uncertain. In addition, it is unclear how the different factors should be weighed and balanced. There are so many possible factors suggested in the Manual that the concrete application of article 2(4) becomes highly contextual. This point is also acknowledged by the group of experts itself. They even go one step further by arguing that the suggested factors are not to be taken as exhaustive and that states “depending on the circumstances may look to others, such as the prevailing political environment, whether the operation portends the future use of military force and the identity of the attacker, any record of cyberoperations of the attacker (…)”.[14] By tying in the political environment, risk assessments and conjectures as to the status of the attacker, the Manual quite explicitly moves legal considerations into the realm of political deliberation and contextual analysis. No doubt this is a realistic and defensible position. It is, however, also a position that once more shows that the Tallinn Manual is not just about the application of international law to cyber-operations. It is also a document about the disturbing consequences of the rise of new forms of warfare for long-established categories and distinctions in international law.


[1] See US Department of Defense, Strategy for Operating in Cyberspace (2011), Russian Federation, Conceptual Views Regarding the Activities of Armed Forces of the Russian Federation in Information Space (2011).

[2] I will use the term ‘conflict and security law’ here as umbrella term for the bodies of law regulating the decision to go to war (ius ad bellum) and the laws regulating conduct in times of armed conflict (ius in bello).

[3] See for example, W.G. Werner, The Changing Face of Enmity, Carl Schmitt’s International Theory and the Evolution of the Legal Concept of War, International Theory (2010) 2 (3), 351-380.

[4] Rules 7 and 8.

[5] Rule 13, para 22.

[6] Rule 13, para 23.

[7] Rule 20, para 5.

[8] Rule 21, para 3.

[9] Rule 22, para 9; see also para 14 for disagreement on the criterion of an ‘armed’ conflict. See also rule 23, where the group of experts proved divided on the definition of a ‘non-international armed conflict’ (para 3).

[10] Rule 35, paras 7 and 10.

[11] Rule 11, under 1.

[12] Rule 11, under 8. Note that the Manual uses the careful formulation ‘took notice’. The rest of the text, however, does more than just ‘noticing’: it takes up the approach as an apparently useful tool in assessing cyberattacks.

[13] Michael Schmitt, Computer Networks and the Use of Force in International Law: Thought on a Normative Framework, 37 Columbia Journal of Transnational Law 885, 914 (1999).

[14] Para 10.

 
