The Tallinn Manual: Legal Aspects of Cyber Warfare

By Corrie Becker 

The Tallinn Manual is “an academic, non-binding study on how international law, in particular the jus ad bellum and international humanitarian law, apply to cyber conflicts and cyber warfare.” The goal of this piece is to explore the uses and intent of the Tallinn Manual, and to identify questions and answers surrounding it. Within the International System, states observe treaties out of a sense of legal obligation, Opinio Juris. I am suggesting the Tallinn Manual may be a useful guide to ensure that everyone is playing the same game with the same set of rules.

Jus ad bellum (Latin for "right to war") is a set of criteria that are to be consulted before engaging in war, in order to determine whether entering into war is permissible; that is, whether it is a just war.

Jus in bello (the law of war) is a legal term of art that refers to the aspect of public international law concerning acceptable justifications to engage in war (jus ad bellum) and the limits to acceptable wartime conduct (jus in bello or international humanitarian law). The effort to define and govern the conduct of individuals, nations, and other groups in war dates from antiquity.

Some policy practitioners think that the present case law for international armed conflict is less than compatible with contemporary cyber security practice. It is true that states within the international system have never engaged in a cyber conflict that rises to the level of “war.” The Tallinn Manual's main goal is to build a framework to understand how to interpret international law in the context of cyber operations and cyber warfare. The Manual does not assume that we are engaging in cyber warfare as a state, individual or organization within the international system. A group of Western experts surveyed international laws and treaties and wrote down 95 rules which are applicable to cyber. The discussion listed under each rule stems from areas of ambiguity surrounding the aspect of that treaty and its general applicability.

You may ask, if we have not been nor are we now engaged in cyber warfare, do most, if not all, of the ongoing cyber activities/operations fall outside the scope of existing international law? I disagree. There are two scenarios in which ongoing cyber activities may fall outside the guidance of international law: in cyber conflict, offensive operations in wargaming; and in state-led espionage. There is intellectual property theft that occurs vis-a-vis cyberspace and prosecution of perpetrators according to rules and statutes. We are seeing more occurrences of industrial espionage that fall in the spectrum of cyber conflict with China, Russia, and Brazil; this spectrum is or should be guided by the principles of international law that constrain the use of force. We offensively prepare for war by wargaming before engaging in conflict, because we are aware of the enemies’ capabilities.

If there is not an immediate, obvious answer to some of the previous questions, then what practical application does the Manual have? It has the practicality of a ready defense; also, defensive and offensive games to promote readiness are already in place for the armies. Now with the advent of electronic warfare, the rise of cyber espionage, and theft of intellectual property, states must develop a framework for prosecuting the perpetrators of these crimes and disincentivizing those with similar plans on the spectrum of cyber conflict. The Tallinn Manual seeks to present guidance for state-on-state interaction. It is currently a normative piece and not yet codified.

The use of “force” in terms of cyber would be the use of tools and technology to disrupt, deny, degrade and exploit networks, internet service providers or systems which the Department of Defense (DoD) relies upon to perform daily activity. A cyber aggression can reach a point where kinetic response is necessary due to the gravity of the nature of activity. International norms still apply in that asymmetric warfare requires a “proportionate” response. The article suggests a scope modeling a three-legged stool balancing largely on resilience, then on cooperation and transparency. The size of the model includes public and private sector and then allies in a close network of security and stability. The argument for the Tallinn Manual is international law that a group of Western experts agree can help monitor and regulate the spectrum of cyber conflict. Each state in agreement with this model should empirically demonstrate it to promote trust between allies and players within the international system. So, the use of “force” on the cyber spectrum will have a known set of instances and proportionate responses. Essentially, everyone will be playing the same game and have the same set of rules, which is not the current situation.

Further, the Tallinn Manual views “violence” as an excessive, disproportionate use of force in asymmetrical cyber warfare. The defense or offense may begin in the cyber realm and translate into kinetic warfare with troop mobilization or fissile material use. The Geneva Convention applies to International Armed Conflict (IAC), which is defined as hostility between two states, or among a group of states. There is also conflict, which is not IAC, called non-IAC (with 6 different identified types) between a non-state actor and state actor. The Geneva Convention has been signed by most nations; there are a few newer nations which have not signed. There is an Additional Protocol (77), which addresses non-IAC, but not all states have signed or ratified this. So, there are a lot of treaties and statutes to govern war to which most nations agree. Nonetheless, the goal in cyber conflict is to reach a common ground where everyone is playing the same game with the same set of rules.