The Cybersecurity Canon: Tallinn Manual on the International Law Applicable to Cyber Warfare

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Robert Clark: Tallinn Manual on the International Law Applicable to Cyber Warfare

Executive Summary

The director of this project states it best:

[T]he product of a three-year project by twenty renowned international law scholars and practitioners, the Tallinn Manual identifies the international law applicable to cyber warfare and sets out ninety-five ‘black-letter rules’ (95 rules) governing such conflicts.  It addresses topics including sovereignty, State responsibility, the jus ad bellum, international humanitarian law, and the law of neutrality.  An extensive commentary accompanies each rule, which sets forth each rule's basis in treaty and customary law, explains how the Group of Experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rule's application. [1]

Key to understanding this application of international law to cyberspace operations is  understanding what the Tallinn Manual is not.  It is not a commentary on cyber activities that occur below the level of a ‘use of force' as set forth in the UN Charter, such as cyber criminality; moreover, it only comments on the legality of cyber intelligence activities as they relate to the issues of ‘use of force' or ‘armed attack.' [2]  Also, the Tallinn Manual recognizes that cyber espionage and theft of intellectual property pose real and serious threats to all states, as well as corporations and private individuals, but it is not the aim of the authors to address such matters. [3]

Cybersecurity Canon candidate books are supposed to be essential to the cybersecurity practitioner.  As a practicing computer network operational attorney, this book is not only required reading: it is malpractice if you don't read it.  Similarly, for technologists and cybersecurity practitioners, it is a must read, particularly after the redefining of computer network defense roles due to the Sony cyberattack. [4]  To understand the various authorities of the multiple disciplines involved in computer network defense requires, first and foremost, an understanding of the incidents, intrusions, use of force, and yes, attacks that occur in cyberspace.  The Tallinn Manual provides an essential education into these legal differences.

About the People

The Tallinn Manual was drafted by an "International Group of Experts,” including distinguished legal academics and practitioners, supported by a team of technical experts. [5]  A select group of peer reviewers offered comments on the various drafts, as did a number of states that were willing to informally and unofficially do so. [6]

The initial criticism of the Tallinn Manual focuses on the fact that [T]he legal experts that wrote it have distinctly American and Old European backgrounds.[7]  Similarly, others noted the absence and criticism of China or the Russian Federation. [8]  The Russian authorities have taken a very guarded view of the Manual.  Moscow thinks its publication is a step toward legitimizing the concept of cyberwars. [9]

Moreover, it is hard to overlook that there was a complete lack of scientists from the former Warsaw Pact countries among the legal experts partaking in the project.  It seems that despite there being a NATO competence centre in Tallinn, the leaders of the project seem to think that there is not much competence in international law in the area.  Even if we excluded the Baltic states – was it really impossible to find top-level legal experts from Poland, Hungary, the Czech Republic or Slovakia who could have had a say on the topics of the legality of the use of armed force, international humanitarian law, and the responsibility of the state? [10]

This criticism did note:

[N]obody is forbidding other countries from starting their own science projects or telling the scientists who were not invited to Tallinn not to write and express their opinions. [11]  A point emphasized by the "Experts" as they "assessed that there has been huge interest in the Manual since it came out, but that the Manual reflected “all reasonable positions” on the issues it took up and that there were only a few amendments worth pondering. [12]

The Story

The main tenet of the Tallinn Manual is that cyber warfare is governed by international law already in force, particularly the rules that regulate the commencement of an armed attack (jus ad bellum, UN charter, mostly effective since 1945) and the rules that regulate the conduct of armed conflict (jus in bello, including, for example, The Hague Convention of 1899 and the Geneva Convention of 1949, the latter with the 1977 amendment protocols). [13]  (The Manual has a great compendium of international law of armed conflict or international humanitarian law.) [14]

The Manual consists of 95 rules and accompanying commentary.  The rules set forth the International Group of Experts' conclusions (black-letter rules) as to the broad principles and specific norms that apply in cyberspace.  The accompanying commentary indicates the rules' legal basis, applicability in international and non-international armed conflicts, and normative content.  Also included are differing or opposing positions among the Experts.  This is important because several complex issues produced debates amongst the Experts.  The Manual's editors attempted to capture all of the views expressed in the deliberations, as well as other reasonable positions that they were aware of from outside the group. [15]

While covering all of the salient portions of the Manual is far beyond the scope of this review, I will concur with other reviewers who noted:

Particular attention was paid to terminology.  An array of terms has been employed in, and beyond the legal literature: computer network attack, computer network exploitation, cyber attack, cyber operation, cyberspace operation, cyber incident, cyber terrorism, cyber conflict etc.  To circumvent this semantic inconsistency, the Tallinn Manual operates with four key notions.  First, a “cyber operation” connotes the employment of cyber capabilities for achieving a particular objective, and is one of the few terms that is not derived from a legal term with a concrete meaning.  Next, a “cyber use of force” and “cyber armed attack” are cyber operations that rise to the levels of a use of force, and armed attack, in the way those terms are used in Articles 2(4) and 51 of the UN Charter, respectively. Lastly, a “cyber attack” carries the meaning of an attack, as defined in Article 49(1) of Additional Protocol I to the Geneva Conventions; its usage is restricted to the law of armed conflict analysis.  This consolidation of legal terminology allows for a reduced number of terms to be used consistently throughout the book, contributing to the clarity of the positions expressed therein. [16]

Conclusion

The Tallinn Manual is not just a worthy book for the Canon candidate list; it is a must for induction into the Canon proper, both for lawyers and policymakers (non-techies) and for techies in the community. As pointed out:

[T]he Manual is designed as a reference tool for State legal advisors, policymakers, and operational planners, although scholars and students will hopefully find it useful as well.  NATO CCD COE has launched a three-year follow-on project, ‘Tallinn 2.0,’ that will expand the scope of the Tallinn Manual.  The Tallinn Manual is strictly an expression of opinions of the International Group of Experts, and, as such, does not represent the official positions of the Centre or NATO.  This will also be the status of Tallinn 2.0. [17]

Still, others observe:

[T]he intense interest in developing clearer international norms to regulate different facets of cyber activity is running up against two hard facts. The first is that some states, especially those with sophisticated cyber capacities, such as the United States, are content to state at a general level that they will apply existing, general international rules to cyber.  But these states have limited incentives to reveal in any detail HOW they apply those norms.  The second is that the major cyber players (Russia, China, and the United States) remain on different conceptual pages as to how to proceed. [18]

Whatever the focus and direction Tallinn 2.0 takes, this version is a must read, and when 2.0 is released, at least I'll have more material to include in the Canon process!

Sources

1. See, Excerpt From: Schmitt (Editor). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013, loc 3 of 7915, Kindle Ed.
2. See, Excerpt From: Schmitt (Editor). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013, p. 3 of 282, Kindle Ed.
3. See, Excerpt From: Schmitt (Editor). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013, p. 4 of 282, Kindle Ed.
4. DHS Chief to Companies: Prepare Yourselves for Cyber Attacks, http://www.weeklystandard.com/blogs/dhs-chief-companies-prepare-yourselves-cyber-attacks_821904.html
5. Michael N. Schmitt, International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed, 54 Harvard Journal of International Law 13, 2012, p. 14–15, http://www.harvardilj.org/wp-content/uploads/2012/12/HILJ-Online_54_Schmitt.pdf.
6. Michael N. Schmitt, International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed, 54 Harvard Journal of International Law 13, 2012, p 15, http://www.harvardilj.org/wp-content/uploads/2012/12/HILJ-Online_54_Schmitt.pdf.
7. Lauri Mälksoo, The Tallinn Manual as an international event found at http://www.diplomaatia.ee/en/article/the-tallinn-manual-as-an-international-event/.
8. See Lauri Mälksoo, The Tallinn Manual as an international event found at http://www.diplomaatia.ee/en/article/the-tallinn-manual-as-an-international-event/ citing For example see Elena Chernenko, Virtual'nyi front, Kommersant Vlast' 27.05.2013, http://www.kommersant.ru/doc/2193838, p14; Ashley Deeks, Tallinn 2.0 and a Chinese View on the Tallinn Process, May 31, 2015 found at http://www.lawfareblog.com/2015/05/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process/.
9. Elena Chernenko, Russia warns against NATO document legitimizing cyberwars May 29, 2013, Kommersant-‐Vlast found at http://rbth.com/international/2013/05/29/russia_warns_against_nato_document_ legitimizing_cyberwars_26483.html.
10. Lauri Mälksoo, The Tallinn Manual as an international event found at http://www.diplomaatia.ee/en/article/the-tallinn-manual-as-an-international-event/.
11. Id.
12. Ashley Deeks, Tallinn 2.0 and a Chinese View on the Tallinn Process, May 31, 2015 found at http://www.lawfareblog.com/2015/05/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process/.
13. Lauri Mälksoo, The Tallinn Manual as an international event found at http://www.diplomaatia.ee/en/article/the-tallinn-manual-as-an-international-event/.
14. See, Excerpt From: Schmitt (Editor). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013, loc 209 - 351 of 7915, Kindle Ed.
15. Liis Vihul, The Tallinn Manual on the International Law applicable to Cyber Warfare Published on April 15, 2013 found at http://www.ejiltalk.org/the-tallinn-manual-on-the-international-law-applicable-to-cyber-warfare/.
16. Id.
17. Id.
18. Ashley Deeks, Tallinn 2.0 and a Chinese View on the Tallinn Process, May 31, 2015 found at http://www.lawfareblog.com/2015/05/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process/.

References

Michael N. Schmitt (Editor). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013. 300 p.