The Tallinn Manual on the International Law applicable to Cyber Warfare

Liis Vihul is the Tallinn Manual Project Manager, NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia.

Although scholars began to assess how international law applies in the cyber context during the late 1990s, it was not until the 2007 cyber operations directed at Estonia that the international community became fully sensitised to the subject. For the first time, it became publicly clear that cyber operations are a powerful tool for conveying political or strategic messages by States, non-State groups and individual hackers.  The operations also made the international community aware of how cyber operations could be used to dramatically disrupt life in a country.

The incidents led in part to the establishment of the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE), an international military organisation located in Tallinn, the capital of Estonia.  The Centre is a partnership between eleven States.

In late 2009, NATO CCD COE invited a group of twenty international law scholars and operational legal advisers (the International Group of Experts), under the directorship of Professor Michael Schmitt of the United States Naval War College, to conduct a three year research project examining the norms applicable during cyber warfare. The product of this effort is the “Tallinn Manual on the International Law Applicable to Cyber Warfare”, published in March by Cambridge University Press.

The Tallinn Manual’s primary focus is the jus ad bellum (the law governing the use of force) and jus in bello (international humanitarian law). To a lesser extent, it touches upon related areas of international law, such as the concepts of sovereignty and jurisdiction, as well as the law of State responsibility. The Manual is designed as a reference tool for State legal advisors, policymakers, and operational planners, although scholars and students will hopefully find it useful as well.  NATO CCD COE has launched a three-year follow-on project, “Tallinn 2.0”, that will expand the scope of the Tallinn Manual.  The Tallinn Manual is strictly an expression of opinions of the International Group of Experts and as such does not represent the official positions of the Centre or NATO.  This will also be the status of Tallinn 2.0.

The International Group of Experts limited its conclusions to the lex lata. It did so because the Experts were acutely aware that they were often working in uncharted waters. Therefore, they concluded that the greatest contribution they could make at the present time was to identify the extant law applicable in cyberspace and objectively explore the various interpretations of that law that States might wish to adopt.

The book is divided into black-letter rules and accompanying commentary. The rules set forth the International Group of Experts’ conclusions as to the broad principles and specific norms that apply in cyberspace. Each rule is the product of unanimity among the authors. The accompanying commentary indicates the rules’ legal basis, applicability in international and non-international armed conflicts, and normative content.  It also outlines differing or opposing positions among the Experts as to the rules’ scope or interpretation. The latter point is especially important because several complex issues produced vibrant debates among the Experts.  The Manual’s editors endeavoured to capture all of the views expressed in the deliberations, as well as other reasonable positions that they were aware of from outside the group.

Particular attention was paid to terminology. An array of terms has been employed in and beyond the legal literature: computer network attack, computer network exploitation, cyber attack, cyber operation, cyberspace operation, cyber incident, cyber terrorism, cyber conflict etc. To circumvent this semantic inconsistency, the Tallinn Manual operates with four key notions.  A “cyber operation” connotes the employment of cyber capabilities for achieving a particular objective, and is one of the few terms that is not derived from a legal term with a concrete meaning. A “cyber use of force” and “cyber armed attack” are cyber operations that rise to the levels of a use of force and armed attack in the way those terms are used in Articles 2(4) and 51 of the UN Charter, respectively. Lastly, a “cyber attack” carries the meaning of an attack as defined in Article 49(1) of Additional Protocol I to the Geneva Conventions; its usage is restricted to the law of armed conflict analysis. This consolidation of legal terminology allows for a reduced number of terms to be used consistently throughout the book, contributing to the clarity of the positions expressed therein.

In the jus ad bellum section, defining a “cyber use of force” proved especially challenging. Given the absence of definitive criteria for characterising an act, including a cyber operation, as a use of force, an approach concentrating on an act’s “scale and effects” was adopted (Rule 11 of the Tallinn Manual). This is the same approach articulated in the armed attack context by the International Court of Justice (ICJ) in the Nicaragua judgment (para. 195). Notice was also taken of the discussions at the 1945 UN Charter drafting conference during which economic coercion was regarded by States as not constituting a use of force, as well as the proceedings leading to the UN General Assembly’s Declaration on Friendly Nations. Relying on the Nicaragua judgment, the Tallinn Manual concludes that merely funding a hactivist group that is conducting cyber operations as part of an insurgency would not qualify as a use of force, whereas arming and training an organised armed group to carry out cyber operations against another State would.

Given the lack of a definitive definition of the term “use of force”, the International Group of Experts offered a non-exhaustive list of eight indicative criteria that States will likely take into account when assessing whether a particular cyber operation has reached the use of force threshold. These factors include severity, directness, and military character.

If a State has been the victim of an unlawful cyber use of force, the question of potential reactive measures arises. To date, most commentators have placed actions falling short of a cyber armed attack in the law enforcement paradigm, and regrettably little attention has been paid to the law of State responsibility. While not its primary focus, the Tallinn Manual briefly touches upon the subject (Rules 6-9). Yet, as set forth in Articles 22 and 49–53 of the International Law Commission’s Articles on Responsibility of States for Internationally Wrongful Acts, victim States are entitled to resort to non-forcible countermeasures in reaction to internationally wrongful acts committed by offending States. While these Articles do not enjoy treaty status, the customary right of States to opt for countermeasures, if the conditions precedent are met and subject to various limitations, is confirmed by jurisprudence.

The majority of International Group of Experts took the position that countermeasures may not involve the threat or use of force, thereby agreeing with Article 50(1)(a) of the Articles. A minority of the experts favoured the position articulated in the separate opinion of Judge Simma in the ICJ’s Oil Platforms judgment, according to which a limited degree of military force in countermeasures is permissible once the use of force threshold has been crossed so long as they are proportionate.

“Armed attack” was unanimously seen as a higher threshold than use of force by the Experts (commentary accompanying Rule 13).  However, identifying a cyber armed attack could nevertheless prove difficult. Although the Tallinn Manual does not adopt this position, notice was taken of the view that no gap exists between the two thresholds or is so narrow as to be insignificant. However, none of the experts expressed any doubt as to a cyber operation’s potential to constitute either a use of force or an armed attack solely because of the means through which it was executed—a position reflected in the ICJ’s Nuclear Weapons Advisory Opinion (para. 39).

The much-debated topic of whether a cyber operation of a non-injurious or non-destructive nature that nevertheless causes extensive negative consequences (e.g., significant financial loss) can reach the armed attack threshold is left unanswered in the Tallinn Manual. This issue divided the Experts.  Those unwilling to adopt a standard based primarily on the severity of the adverse consequences argued that any such approach would represent lex ferenda, not lex lata.

In the law of armed conflict analysis, the major hurdles for the experts were defining a cyber attack for the purposes of Article 49(1) of Additional Protocol I and the related issue of the permissibility of conducting cyber operations that do not injure civilians or damage civilian property. In the Tallinn Manual, attacks include operations that cause injury or death to people or damage or destroy objects (Rule 30); any attack directed against civilians or civilian objects with these consequences is unlawful (Rules 31-32). Some experts stretched the “cyber attack” notion to include a cyber operation that engenders loss of functionality and thereby requires repair of the system.

Attribution of a cyber operation to a State is another pressing issue. This issue arises irrespective of whether the situation involves attributing an internationally wrongful act for the purposes of establishing state responsibility, an armed attack for the purposes of the victim State’s right to resort to force in self-defence under the jus ad bellum, or a cyber attack for the purposes of establishing the existence of an armed conflict in the context of the jus in bello. While it is true that the first steps in the attribution process follow the digital footprints, the attribution determination is not required by law to be based only or primarily on technical data. Instead, the victim State is bound by the standard of overall reasonableness. In other words, considering all the factual evidence in the aggregate, such as technical data, the prevailing political environment, record of previous cyber operations by States, etc., the victim State is required to reach an attribution conclusion on par with that of a reasonable State in the same or similar circumstances.

Ultimately, the International Group of Experts concluded that it is up to individual States to shape the evolution of the law through State practice, especially in matters where controversy exists as to the interpretation of the various norms. The cyber landscape has transformed considerably since the events in Estonia in 2007.  States must be sensitive to the fact that their actions and pronouncements regarding cyber conflict have normative significance.