When nations eventually adopt ground rules for conflict in cyberspace as they apply in an actual kinetic war, the Tallinn Manual on the International Law Applicable to Cyber Warfare is likely to be their key reference material in doing so.

The Tallinn Manual, officially released late last week, is a 302-page treatise on the applicability of international law to cyberspace. Though NATO-commissioned, it is not official NATO guidance or an official statement by any country of how it will proceed in times of conflict with regard to cyber. Instead, it lays out 95 rules covering sovereignty, state responsibility, the laws of neutrality, and more from a legal perspective.

“What happens next and how it is adopted is up to the states,” said Tallinn Manual editor Michael N. Schmitt, chairman of the international law department at the United States Naval War College in Newport, R.I. “I’d like to think we did a thorough job identifying and capturing a complete interpretation of international law as it applies to cyber and hope it’s used by states to fashion their own legal positions.”

The document was nearly four years in the making and focused exclusively on what Schmitt said were the upper layers of severity, rather than day-to-day attacks such as cybercrime, intellectual property theft and APT-style espionage; version 2.0 of the Tallinn Manual will attempt to tackle those areas, he said.

“We were worried about attacks such as the ones on Estonia in 2007 and Georgia in 2008, those in the upper levels and upper reaches of intensity,” Schmitt said, adding that the 20-person committee charged with creating the manual specialized in the legal aspects of war and cyber.

“There were more gray areas in what we dealt with. Once you move to the level of armed conflict and the use of force against another nation, states make the law vague because it protects them, and it constrains them,” Schmitt said. “The area we worked in was much grayer and ambiguous. The other areas are infinitely more complex because we’re dealing with the criminal space, intellectual property law, telecommunications law, human rights law. We’ll deal with those in the next version.”

The terrorist attacks of Sept. 11, 2001, put a halt to the initial wave of investment in looking at this issue, Schmitt said. The focus immediately went toward counterterrorism and did not shift toward cyber until the massive denial-of-service attacks against government and civilian services in Estonia in 2007, and again in 2008 in parallel to an armed conflict against Georgia. In such a conflict, the manual says, hackers who participate can be considered military targets.

“With regard to hackers, the only mention is in the section of the manual that deals with war and armed conflict; in an ongoing armed conflict, if civilians attack us through the Internet, the law is different in no way than how the law applies on the battlefield,” Schmitt said. “If a civilian shoots at me or implants an IED (improvised explosive device) to blow up a vehicle, then they are taking direct part in the hostilities. Their protections as civilians are taken away. All we were saying is if we were at war and civilians start helping the enemy, they become the same combatants as far as targeting.”

Stuxnet, a malware attack used to damage Iran’s ability to enrich uranium and destroy part of its nuclear program, was considered in the manual a use of force.

“However, you have to understand what use of force is,” Schmitt said. “States cannot use it unless there’s a reason, like self-defense or the Security Council approves it. We said Stuxnet was a use of force because the type of harm it causes qualifies it as unlawful unless you can justify self-defense. We don’t for sure know the originators of Stuxnet. If the use of force was harmful and rose to the level of a harmful attack, Iran could have struck back. Even in that case, when Iran learned it was a cyberattack, the attack was over. It had no right to retaliate because it wasn’t defending itself.”

The difficulties in attack attribution are a major sticking point with any type of legal action or military retaliation. Yet, Schmitt said, states can respond even without 100 percent certainty about the identity of an attacker.

“A state can act in self-defense if it reasonably believes it knows it did it; it can respond,” Schmitt said. “International law doesn’t demand you be correct, it demands you be reasonable. The legal question is whether you reasonably concluded they were the attacker while the attack was going on.”

Schmitt said the group of legal experts and scholars who wrote the Tallinn Manual had the conflicting sense that they were being proactive on the issue yet, at the same time, were still behind the curve. This was in large part due to so much activity, such as Stuxnet and the Iranians’ claims of hacking into a U.S. military system to take down a drone aircraft. He also said he didn’t expect to find as much applicability between international law and cyberspace because of technology’s unique characteristics and the speed at which it innovates.

“The laws were designed for physical consequences. Interpretations in a cyber context are difficult,” Schmitt said. “We don’t need new (international) laws, but states need to think through how existing laws apply in cyber. This isn’t new.”


Comment (1)

  1. Jarno Limnéll

    The cyber landscape is the modern wild west. State actors are openly showing their ‘weapons’ and can do whatever they please with little fear of open retaliation – because there are no rules or limitations. Most states are preparing for a cyber-war, all are very suspicious about each other, testing one another’s capabilities and there are no accepted rules or international norms. Recent accusations and mud-slinging between North Korea, China, Russia and the US show cyber espionage, cyber-attacks and the recruitment of talented hackers are now a recognised part of strategic influence and combat.

     

    The handbook developed by Nato’s Co-operative Cyber Defence Centre of Excellence is an extremely encouraging step forward in the pursuit of international norms and laws regulating the cyber security domain. In the near future, some Western country is likely to face a catastrophic and deliberate cyber-attack mounted against its critical infrastructure. The result will include human casualties. Players in the cyber world are not restricted by geography or by military strength, and as a result, governments and corporations must work together to think strategically, not just technically, about how to prepare, prevent and ultimately fight battles in the digital world.

     

    Now is the moment for strong state-actors to step forward and take the lead in ‘cyber-mediation’ between countries to ensure appropriate international law is developed, clarified and applied. There still has to be much more international cooperation to develop these rules and norms, much like what happened with nuclear weapons when they were introduced in the late 1940s. By the 1950s, countries were debating what laws governed the use of these weapons.
