An Inconvenient or Irritating Truth: Applying Law to the New Face of Modern Warfare

In war, there are rules. Some were written long ago in treaties. Others are found in binding customs written in volumes of commentary compiled over time. The point is that these rules can all be found in written form to cite and to reference. They can be used to describe who can be targeted in conflict and explain why hospitals and cultural property are largely off limits in war. They draw lines for when states can attack other states and what threshold determines when an attack has crossed the line. Importantly for civilians, these rules describe when a civilian loses the protection of these rules and may be targeted for taking direct participation in hostilities. As technology has evolved, transforming weapons from missiles to malware, no one bothered to write down what rules might apply to the new face of modern warfare; until now.


The Tallinn Manual, a three-year project sponsored by NATO’s Cooperative Cyber Defense Center of Excellence in Tallinn, Estonia, finally carves out in writing how the laws of war extend to regulate conflicts in cyberspace. The group includes distinguished legal academics, practitioners, and military lawyers from NATO countries, working alongside non-voting observers from the International Committee of the Red Cross, United States Cyber Command, and NATO’s Allied Command Transformation. The result is not a statement of official policy by NATO or any of its member governments, but rather reflects a consensus view of the group’s members in their personal capacities.

Decision makers, pundits, and analysts have relied on legal ambiguity to rhetorically ask, without answering, whether international laws of armed conflict apply to cyberspace or if a new treaty is required to establish binding rules. In a sound and unanimous response, the authors of the Tallinn Manual rejected any characterization of cyberspace as a distinct domain subject to a discrete body of law. Instead, they started from the premise that to conduct cyber activities, a person must be located at a particular place using tangible infrastructure. Therefore, “the mere fact that a computer (rather than a more traditional weapon, weapon system, or platform) is used during an operation has no bearing on whether that operation amounts to a ‘use of force.’” From this conclusion, determining what relevant legal principles from international law should be applied to a specific cyber activity is merely a matter of identifying the person, place, object, or type of activity in question.

One of the most widely accepted international legal principles is set forth in Article 2(4) of the UN Charter: “All Members [of the United Nations] shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the Purposes of the United Nations.” This is the phrase that makes it a violation of international law for one state to attack another state without first qualifying under specific exceptions for either self-defense or UN Security Council authorization.

Cyber operations, comparable to non-cyber operations in scale and effect, “that injure or kill persons or damage or destroy objects” are the most obvious examples of uses of force in violation of international law. In effect, the scale and effect of an operation are what determine a use of force and not whether the operation is cyber or kinetic in nature. In addition, and consistent with non-cyber operations, a “use of force need not involve the employment of military or other armed forces by the State in question.” This means that independent hacker crews, a kid in his grandma’s basement, or other unattributed non-state actors are bound to the same use of force restrictions under international law that apply to States.

By applying existing rules of international law, cyber has also inherited existing unsettled ambiguities. One such instance is the unsolved question of how to determine where the threshold lies for a use of force in cases not involving physical harm. Lacking consensus, the authors of the Tallinn Manual sought to calculate the probability that states will characterize a cyber operation as a use of force. Befitting a group of lawyers, they used a nonexclusive eight-factor balancing test, considered on a case-by-case basis, depending on a holistic assessment of the incident in light of attendant circumstances. They posit that the following factors determine when a state has crossed the line into prohibited conduct.

1. Severity:

The most significant factor in the analysis, the severity of cyber operations considers the impact to critical national interests, scope, duration, and intensity of the consequences. Importantly, cyber operations generating mere inconvenience or irritation will never cross the use of force threshold.

2. Immediacy:

Cyber operations are more likely to be characterized as a use of force if they produce results immediately, rather than weeks or months later, because immediate consequences give states less opportunity to seek peaceful accommodation of a dispute.

3. Directness:

The closer the connection between the initial cyber operation and its consequences (cause and effect), the more likely the act is a violation of the prohibition on the use of force.

4. Invasiveness:

This considers the degree to which cyber operations intrude into the cyber systems and are contrary to the interests of a target state. When used only as a highly invasive tool of modern espionage, computer network exploitation does not rise to the level of a use of force.

5. Measurability of Effects:

Cyber operations with quantifiable and identifiable sets of consequences are more likely to be characterized as a use of force.

6. Military Character:

The connection of a cyber operation to ongoing military activities increases the probability of a use of force characterization.

7. State Involvement:

The more state involvement in cyber operations, the more likely they will be characterized as a use of force by that state.

8. Presumptive Legality:

In international law, acts that are not forbidden are permitted and are presumptively legal and therefore less likely to be considered uses of force.

An eight-factor balancing test that considers attendant circumstances may not yield an easily applicable objective standard. But such standards were never the goal of the Tallinn Manual and are not often constructed in international law. More important than drawing a line once and for all for every potential cyber conflict is shifting the conversation from whether any law applies to how to apply the law.

Jason Thelen is the assistant director of the Cyber Statecraft Initiative of the Brent Scowcroft Center on International Security.
