No longer can a professed cyber expert pronounce, “When is a cyber attack an act of war? This is an interesting question.” The Tallinn Manual, compiled by a distinguished group of legal scholars and to be launched tomorrow at an Atlantic Council event, asks this and many more questions and—a novelty for the field of cyber statecraft—actually provides answers.
The Manual will guide cyber practitioners, entice thoughtful commentators to build on their work and, best of all, expose charlatans who ask questions but never provide answers.
The Tallinn Manual will be launched at an Atlantic Council event on Thursday, March 28.
Recent headlines have been shrill and most miss the point of the manual:
- NATO cyberwar directive declares hackers military targets
- Killing hackers is justified in cyber warfare, says NATO-commissioned report
The Manual was indeed organized under the auspices of the NATO Cooperative Cyber Defense Center of Excellence, in Tallinn, Estonia, to examine how international humanitarian law (aka the Law of Armed Conflict) applies to cyber conflict. But it is not a NATO policy document. And while the manual does conclude that a cyber attack could result in a lethal military counterstrike, it makes it clear that this would only be justified for a cyber attack that was itself lethal or destructive. Just as importantly, it concludes that:
To date, no international armed conflict has been publicly characterized as having been solely precipitated in cyberspace. Nevertheless, the international group of experts unanimously concluded that cyber operations alone might have the potential to cross the threshold of international armed conflict.
Cyber conflict has been divided by two schools of thought, the first of which feels that cyber is so new, so different that no existing laws, customs or norms can apply. This has long been the position of technological utopians and (though for very different reasons) China and sometimes Russia. These nations assert, for example, that a new treaty is needed to regulate how states use cyberspace for military purposes. But cyber conflicts have actually been far more similar to conflicts in the air, land and sea than popularly realized.
The United States, the United Kingdom and other like-minded nations have accordingly taken the opposite approach, asserting for years that the world should first embrace existing laws and only create new ones to address the gaps. The Tallinn Manual is firmly in this second school, as the legal experts concluded unanimously that existing international law, such as the Geneva and Hague Conventions, applies to cyber conflict. Hackers could theoretically be targeted, but only if they directly participated in military hostilities. The Manual did not speak, however, on most of today’s cyber problems; it ignores cyber crime to solely examine cyber warfare.
Chaired by Naval War College professor Michael Schmitt, the group of twenty international experts built on previous efforts, many of which are ancient in cyber terms.
Nearly fifteen years ago, in 1999, Schmitt wrote the most important guidelines. Using criteria derived from traditional international humanitarian law, the “Schmitt Analysis” looked at key factors of an attack such as the severity, immediacy, and invasiveness to determine if it was a use of force or armed attack, and thus a violation of the UN Charter and of international law.
The same year, the general counsel of the US Department of Defense released its own document, “An Assessment of International Legal Issues in Information Operations,” as cyber operations were then known. Far from treating these as the vexing questions policymakers have been told they are, this document argued that the law of armed conflict “is probably the single area of international law in which current legal obligations can be applied with the greatest confidence” to information operations.
Indeed, within the US military and policy communities, these issues have largely been settled for some time. America’s supreme cyber commander, General Keith Alexander of Cyber Command, testified to Congress that “All military operations, to include actions taken in cyberspace, must comply with international law that governs military operations,” though noting that there “is no international consensus on a precise definition of a use of force, in or out of cyberspace.”
The Tallinn Manual is only an assessment of “black-letter law,” which means it only tries to apply the law as it exists today; the book is silent on what the law should say on a topic. Only policymakers (and future treaties or court cases) can take that next step.
The United States, and like-minded nations, should now publicly press China and Russia to accept that the laws of armed conflict apply to cyber operations, providing much-needed limits to military conduct during wartime. To believe otherwise is to accept that hospitals and other purely civilian objects could become legitimate military targets.
Every cyber expert since 1999 who said that the application of the laws of armed conflict to cyberspace was an “interesting question” was likely just ignorant of the answers being churned out by legal experts in academia and the military. When you next hear this, politely pin down the cyber “expert” for answers on where the Tallinn Manual got it right or wrong or what the law should be. Progress in cyber statecraft has been too long stalled by those willing to offer questions but never any answers.
Jason Healey is director of the Cyber Statecraft Initiative at the Atlantic Council. You can follow his comments on cyber cooperation, conflict, and competition on Twitter @Jason_Healey.