In this age, cyberspace is perceived by many authors as a battlefield you cannot see, a hidden space where a cyber-war takes place. So it is obvious that this so-called fifth dimension of warfare gains importance and starts to resemble conventional warfare. However, conventional war has its legal regulations which cyber-war does not. Due to this, many authors, journalists or just ordinary people ask questions: Under which circumstances can a cyber-attack be considered an act of war? Can these attacks actually generally fall under the label of “warfare“? How can a country defend itself against this kind of attack? “Tallinn Manual on the International Law Applicable to Cyber Warfare“, is trying to answer precisely these questions.
Director of the project Michael N. Schmitt, who was asked by the NATO Co-operative Cyber Defense Centre of Excellence (CCDCoE) to look into this issue, chaired a three-year long project that brought together 20 academics and practitioners from all over the world. This outcome of their efforts was published in March 2013 by Cambridge University Press.
First of all, I have to say that without doubt, it is a very unique and quite groundbreaking book. Due to the specificity of a cyberspace mentioned above, it is impossible to simply apply the current international law to the cyber warfare dimension. Therefore it is necessary to create an extra new law and this is possible only with help of an intense international debate which this Manual launched. Specifically, the main reason of the book was to examine how extant legal norms applied to the new form of warfare, in the hope of bringing some clarity to the complex legal issues surrounded by cyber operations, with a particular attention paid to those including jus ad bellum and jus in bello.
As mentioned above, the Manual results from an expert-driven process designed to produce a non-binding document applying existing law to a cyber-warfare. It contains 95 rules according to which NATO states and others can orient themselves to the issue of cyber-warfare. The whole book has 300 pages and is divided into two main parts. The first called “International cyber security law” and the other “The law of cyber armed conflict”. These parts contain many sections and each of them consists of a group of rules with a commentary and at the end of the Manual, there is also a synoptical glossary. Nevertheless, these rules are not legally binding, so of course it is still just a guidebook, but authors are completely aware of it and a reader has to think of it as of mere guidebook or a reference tool for state legal advisors, policymakers, scholars or students.
The main point of the book (which was extensively publicized) represents a rule that a country which is a victim of a cyber-attack that causes damage or death may also retaliate, either through cyber-warfare or through conventional weapons. This kind of rule, in this kind of a worldwide known book has of course raised a wave of indignation (and unsurprisingly mainly in the cyberspace – blogs, articles in tabloids, etc.) leading to simplifications in a way of articles about legal killing of unarmed hackers by the army. However, this type of information is wrong. According to the Manual, a state has a true right to use even conventional weapons against cyber attackers but only in case that its sovereignty has been violated and also that there have been some serious damage or deaths caused. In case of cyber-attacks directed just against critical infrastructure that cause no serious physical harm, state cannot retaliate by the use of armed force. Moreover, this rule and the whole book are very specifically aimed at individuals who engage in cyber-warfare on behalf of states and non-state actors (e.g. terrorists or rebels). There is no intent to legitimize use of force against individual hackers or group of hackers such as Anonymous and also not against cyber spies. In the light of permanent acts of espionage for example by Chinese hackers, an important message from the authors is that cyber espionage and other forms of information gathering directed at an adversary during an armed conflict do not violate the law of armed conflict.
Therefore it is obvious that in the Manual the authors agreed that cyber operations that cause mere inconvenience or irritation are not qualified as preconditions to use of force. On the other hand the question, as to where exactly the threshold of a serious damage and not inconvenience or irritation lies (for example when attacks have extensive negative consequences such as a significant financial loss or a disruption of a state economy) remains unanswered.
Other key conclusion of the Manual is that states cannot knowingly allow using cyber infrastructure located in their territory by other actors for acts that adversely affect other states. States should be responsible for all cyber operations directed against other states, even though those operations were not conducted by government or security agencies. Moreover, a state itself has to be responsible for any actions of individuals or groups who act under its direction. For instance, a state that calls on hacktivists to conduct cyber operations against other states will be responsible for those actions as if it has conducted them itself. This is also a groundbreaking statement, because significant proportion of cyber-attacks is considered to be sponsored by the states such as Russia, China, Iran, North Korea, etc. But someone could say that even if these states agree with the Manual, it is doubtful that they will draw conclusions in the form of change of policy or behavior. But it is not the intent of the Manual. I welcome this kind of rules as a first step to publicly pressure Russia, China and others to accept the western liberal democratic style of thinking about cyber, because unlike other fields (nuclear, chemical or biological), there is still no global treaty that would have done so.
The Manual spurred lot of criticism by other authors. Despite frequent misinterpretation of certain rules (that I mentioned above), the Manual deals with the most common one. For example for Thomas Rid, (the author of a new book provocatively titled “Cyber War Will Not Take Place”) such effort seems to be an interesting exercise for legal scholars, but one with little practical application today. But we have to realize that the today´s world is more IT-interdependent than ever before, so it is natural evolution that the existing international law is applied to the new fifth dimension of warfare – cyber-warfare. So Rid´s arguments are wrong. According to the many interviews of Schmitt and his colleagues, the main purpose was not to make strict rules. The Manual should generate further research and policy outcomes. The authors are aware of the fact that the international law can be interpreted in several different ways and there is still no international regulation against cyber warfare or cyber security. They believe that legal advisors, ministries of defense, interior and foreign affairs and academics will think through this and find out that some points of the Manual deserve attention and of course policy consequences, law regulation efforts etc.
In sum, I think that the needed international law regulations on cyber warfare cannot currently take place at least because of the lack of a very definition of cyber warfare. So at this moment when it is doubtful if we really need a legally binding international treaty on cyber warfare, I find this non-binding manual highly successful. Despite the fact that every state can easily deny it, it represents a step towards creation of a consensus or an international treaty. I also think that it will still have an effect on how states formulate their approaches and positions in this issue and the Manual could easily be the foundation of international law codification.