When nations eventually adopt ground rules for conflict in cyberspace as they apply in an actual kinetic war, the Tallinn Manual on the International Law Applicable to Cyber Warfare, is likely to be their key reference material in doing so.
The Tallinn Manual, officially released late last week, is a 302-page treatise on the applicability of international law to cyberspace. Though NATO-commissioned, it is not an official NATO guidance or official expression by any country of how they will proceed in times of conflict with regard to cyber. Instead, it lays out 95 rules that explain rules of sovereignty, state responsibility, laws of neutrality, and more from a legal context.
“What happens next and how it is adopted is up to the states,” said Tallinn Manual editor Michael N. Schmitt, chairman of the international law department at the United States Naval War College in Newport, R.I. “I’d like to think we did a thorough job identifying and capturing a complete interpretation of international law as it applies to cyber and hope it’s used by states to fashion their own legal positions.”
The document was nearly four years in the making, and focused exclusively on what Schmitt said were the upper layers of severity, rather than day to day attacks such as cybercrime, intellectual property theft and APT-style espionage; version 2.0 of the Tallinn Manual will attempt to tackle those areas, he said.
“We were worried about attacks such as the ones on Estonia in 2007 and Georgia in 2008, those in the upper levels and upper reaches of intensity,” Schmitt said, adding that the 20-person committee charged with creating the manual specialized in the legal aspects of war and cyber.
“There were more gray areas in what we dealt with. Once you move to the level of armed conflict and the use of force against another nation, states make the law vague because it protects them, and it constrains them,” Schmitt said. “The area we worked in was much grayer and ambiguous. The other areas are infinitely more complex because we’re dealing with the criminal space, intellectual property law, telecommunications law, human rights law. We’ll deal with those in the next version.”
The terrorist attacks of Sept. 11, 2001, put a halt to the initial wave of investment in looking at this issue, Schmitt said. Instantly, the focus immediately went toward counterterrorism and did not shift toward cyber until the massive denial-of-service attacks against government and civilian services in Estonia in 2007, and again in 2008 in parallel to an armed conflict against Georgia. In such a case, the manual says, hackers who participate in such a conflict can be considered military targets.
“With regard to hackers, the only mention is in the section of the manual that deals with war and armed conflict; in an ongoing armed conflict, if civilians attack us through the Internet, the law is different in no way than how the law applies on the battlefield,” Schmitt said. “If a civilian shoots at me or implants an IED (improved explosive device) to blow up a vehicle, then they are taking direct part in the hostilities. Their protections as civilians are taken away. All we were saying is if we were at war and civilians start helping the enemy, they become the same combatants as far as targeting.”
Stuxnet, a malware attack used to damage Iran’s ability to enrich uranium and destroy part of its nuclear program, was considered in the manual a use of force.
“However, you have to understand what use of force is,” Schmitt said. “States cannot use it unless there’s a reason, like self-defense or the Security Council approves it. We said Stuxnet was a use of force because the type of harm it causes qualifies it as unlawful unless you can justify self-defense. We don’t for sure know the originators of Stuxnet. If the use of force was harmful and rose to the level of a harmful attack, Iran could have struck back. Even in that case, when Iran learned it was a cyberattack, the attack was over. It had no right to retaliate because it wasn’t defending itself.”
The difficulties in attack attribution are a major sticking point with any type of legal action or military retaliation. Yet, Schmitt said, states can respond even without 100 percent certainty the identity of an attacker.
“A state can act in self-defense if it reasonably believes it knows it did it; it can respond,” Schmitt said. “International law doesn’t demand you be correct, it demands you be reasonable. The legal question is whether you reasonably concluded they were the attacker while the attack was going on.”
Schmitt said the group of legal experts and scholars who wrote the Tallinn Manual had conflicting senses they were being proactive on the issue, yet at the same time were still behind the curve. This was in large part due to so much activity, such as Stuxnet and the Iranians’ claims of hacking into a U.S. military system to take down a drone aircraft. He also said he didn’t expect to find as much applicability between international law and cyberspace because of the unique characteristics and speed at which technology innovates.
“The laws were designed for physical consequences. Interpretations in a cyber context are difficult,” Schmitt said. “We don’t need new (international) laws, but states need to think through how existing laws apply in cyber. This isn’t new.”