In April 2007, political differences between Estonia and Russia over the interpretation of the relocation of the Bronze Soldier of Tallinn led to a catastrophic cyberattack targeted at the Estonian Organisation. It was a Distributed Denial of Service(DDOS) attack aimed at websites of the Estonian organizations, including Estonian parliament, banks, ministries, newspapers, and broadcasters.
The North Atlantic Treaty Organisation (NATO) conducted an internal assessment as a cybersecurity and infrastructure defense. As a result of this, cyber defense policy was created, along with the creation of the NATO Cooperative Cyber Defence Centre of Excellence(CCDCOE). It was followed by the development of the Tallinn Manual 1.0.
The gap in legal assistance
A criminal investigation into the matter was initiated under the Estonian Penal Code, and assistance into it was requested to the Russian Federation’s Supreme Procurator under the Mutual Legal Assistance Treaty(MLAT) between Estonia and Russia. However, the Russian authorities refused any assistance on the matter, claiming that the applicable MLAT did not cover the proposed investigative process. Later, there was speculation that it might be a state-sponsored attack. Also, the dearth of an International Law to deal with this scenario led to the making of the Tallinn Manual.
So, what is the Tallinn Manual?
“Ultimately, Tallinn Manual 2.0 must be understood only as an expression of the opinions of the two International Groups of Experts as to the state of the law… This Manual is meant to be a reflection of the law as it existed at the point of Manual’s adoption by the two International Groups of Expert in June 2016. In is not a ‘best practices’ guide, does not represent ‘progressive development of the law’, and is policy and politics-neutral. In other words, Tallinn Manual 2.0 is intended as an objective restatement of the lex lata” — Introduction to the Tallinn Manual 2.0
In response to this widespread state-sponsored cyberattacks, including the cyber incident in Estonia, the Cooperative Cyber Defense Center of Excellence(CCDCOE) in Tallinn hosted a multi-year process designed to provide the views from a group of renowned experts on the application of international law to cyber incidents. The first Tallinn Manual dealt with the law applicable to armed conflict. The second Tallinn Manual (known as Tallinn 2.0) deals with a much broader type of cyber operations — those both in and out of armed conflict. The Manuals were written by a group of international legal experts gathered under the leadership of Michael N. Schmitt, faculty from the U.S. NAVAL WAR COLLEGE, a prominent global cyber expert.
The first group included the law of armed conflict (LOAC) experts primarily from the Western Hemisphere. In response to criticism, the international group of experts for Tallinn 2.0 was broader both in origin (including members from Thailand, Japan, China, and Belarus) and substantive expertise (including experts in human rights, space law, and international telecommunications law). The International Committee of the Red Cross (ICRC) was invited to send observers to both groups, as were other states and organizations. It is essentially a massive 642 page narrative on the legal landscape of cyber today, as seen through a global lens — especially in the west. Also, the Manual is divided into four parts. Part one deals with general international law and cyberspace. The second part covers specialized regimes of international law and cyberspace. Then the concerns international peace and security and cyber activities are highlighted, which is drawn mostly from Tallinn 1.0. The last part is the rest of Tallinn 1.0 and applies to the law of cyber armed conflict.
Major Issues Covered by the Tallinn Manual — In Brief
The Manual presents a myriad of legal questions that commonly arise in cyber operations and discusses the current state of international law and how it might apply to each given scenario. In many cases, its panel of drafters was unable to reach a consensus, illustrating the complexities that still haunt the cyber world.
With regards to sovereignty, the manual suggests that the states do not have sovereignty over the internet, but that they do have sovereignty over components of the Internet in their territory. Regarding the public prominence of cyber espionage, the manual explores the legality of the kinds of methods employed by the NSA. It finds that its panelists “were incapable of achieving consensus as to whether remote cyber espionage reaching a particular threshold of severity violates international law.”
Countermeasures to a cyber operation
The rule nine of the Tallinn Manual states the countermeasures to a cyber operation. While rules six, seven, and sight outline some norms for attributing cyberattacks in rather ordinary fashion. These rules establish that the mere fact alone that a cyberattack originates in a state’s territory and that a cyberattack is routed through a state’s cyber infrastructure is not enough to attribute that attack to the state in question. Therefore, rule nine regulates a victimized state’s potential countermeasures to a cyber operation.
“[a] State injured by an internationally wrongful act may resort to proportionate countermeasures, including cyber countermeasures, against the responsible State.”
Prohibition of Threat or Use of Force Rule
Rule ten of the manual regulates the prohibition of the threat or use of force to cyber operations that constitute a threat or use of force. Both the prohibition and the presumption on the issue of force could be considered part of customary international law on the use of force. By using and extending customary international law to cyberconflict, the Tallinn Manual has disambiguated the nature of cyber operations and sends a clear legal message to nation-states: because a given cyber attack may not rise to the level of an “armed attack” does not mean that it is not illegal. The Tallinn Manual did treat the issue of the use of force in cyberspace adequately: it clearly and unequivocally stated that a use of force, regardless of the means, is a violation of customary international law. Despite this clarification, uncertainties remain in the right approach to cyber operations under the law of war paradigm.
Categorizing cyber incidents as an act of war
Rule Eleven clarifies this issue. The factors used for classification are — severity, immediacy, directness, invasiveness, measurability of effects, military character, state involvement, and presumptive legality. While all of these factors are useful for determining whether an act is a use of force, some factors are more pertinent than others. The factor of “severity” is the most important consideration when characterizing a cyber operation as an act of war. The Tallinn Manual notes that severity is a de minimis element: acts resulting in physical harm to persons or property will always be a use of force, while minor acts that are little more but will never be a use of force. Cyber operations that fall in the middle, however, are subject to an analysis based on the other factors and other subordinate components of “severity,” such as a state’s critical interests, scope, intensity, and duration.
Protection of the prisoners of war in the cyber era
“Prohibited cyber actions include posting defamatory information that reveals embarrassing or derogatory information or their emotional state. This would embrace, for example, posting information or images on the Internet that could be demeaning or that could subject prisoners of war or interned protected persons to public ridicule or public curiosity… guard against intrusion by public and private actors into the communications, financial assets, or electronic records of prisoners of war or interned protected persons.”
The authors interpret traditional Geneva Convention protections for prisoners of war in the cyber era and suggest that it is expressly prohibited to publish on the Internet humiliating or degrading information gathered from the prisoners or imagery taken of them in confinement.
Safeguarding cultural property in the digital age
“the use of digitised historical archives regarding a population to determine the ethnic origin of individuals with a view to facilitating genocide, crimes against humanity, or war crimes is clearly unlawful.”
The concept of cultural property and the digitization of physical artifacts receive attention as well. In the past, destroying the cultural heritage of a nation or peoples could deny them a critical connection to their past. In today’s digital world, that heritage is increasingly being digitized, meaning that even if the original photograph, statue, building, or other work is destroyed by occupying military forces, the item will live on as a digital memory. [The Manual also touches on the frightening emerging world in which the most intimate details from our medical conditions to our sexual preferences to our very genetic makeup are digitized and available in vast searchable databases.]
Do we need a Tallinn Manual 3.0?
The criticism in the previous efforts was many states felt sidelined as their viewpoints were not taken into consideration. Therefore, many experts suggest that we need a Tallinn Manual 3.0, taking into account the private interests and the interests of the Non-NATO member states from a much broader spectrum.
Another challenge highlighted in the previous capacity building effort was that “the states didn’t want anyone to tell them what to do in the cyberspace.” They want to leverage the cyberspace to fight a proxy war. Therefore, Tallinn Manual 3.0 must be made with defined mechanisms of accountability, and all the ambiguities must be addressed. Also, it must take into account incidents of cyber-espionage and deem the act wrongful.