How should nations behave in the face of cyber attacks? Can you distinguish between civilians and combatants in cyberspace? Are the laws of war capable of guiding actions in the age of cyber conflict? The newly released Tallinn Manual addresses these and many other questions about modernizing international law to address cyber war.
The latest guidance on cyber warfare comes not from governments or treaties, but from a group of experts who researched and wrote for three years. Their efforts resulted in the guidelines that became the Tallinn Manual, released in late March. The authors worked for NATO’s think tank, the NATO Co-operative Cyber Defence Centre of Excellence, which requested the guidelines’ creation. The authors emphasize, however, that this manual is not an official NATO document and the guidelines do not have standing in a court of law. The authors believe these guidelines will be a reference for courts and military decision-makers or lawyers dealing with cyber attacks and their fallout. The manual’s name comes from Tallinn, Estonia – the nation’s capital and the location of the manual’s compilation.
The guidance is welcomed, but controversial: some worry that the guidelines give nations permission to execute hackers involved in cyber conflict. Michael Schmitt, lead author of the Tallinn Manual, clarified that a hacker would only be a target within the context of an armed conflict – “State A versus State B” – when that hacker was “directly participating in hostilities.” Within the cyber world, armed attacks are not clearly defined, but Rule 30 of the Tallinn Manual defines them as “[a] cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
Situations like Stuxnet, the alleged cyber attack by the US and Israel against Iran, arguably falls within the definition of an armed attack or “act of force,” although other examples are unclear. The idea of an armed attack meshes with attacks coming specifically from certain countries. A Mandiant report released in mid-February traced attacks to Shanghai, prompting media and government claims that a Chinese military unit was attacking and spying on the US and other countries including Canada, UK, and Japan.
Laws of war apply even in the cyber context, meaning hospitals, power plants, including dams and nuclear power generators, and other sensitive civilian sites are off-limits for attacks. Some argue that cyber attacks (and espionage) have now risen above terrorism to become the primary security threat in the United States. The Tallinn Manual is timely because the law is struggling to catch up to the reality of cyber conflict. At the same time, the manual leaves many grey areas because it aims to be broad enough to encompass as many situations as possible. There are problems with accurate identification and attribution of cyber attacks, and there are problems dealing with non-combatants. The Tallinn Manual is a good first step toward meshing the laws of armed conflict with the realities of cyber attacks, and its publication begins the process of moving this conversation into a public and legal arena.
Kaiti Carpenter is a third-year law student at the University of Denver, and is a staff editor on the Denver Journal of International Law and Policy.
