Published by The Lawfare Institute
in Cooperation With
The Tallinn Manual on the International Law Applicable to Cyber Warfare is the most comprehensive and thoughtful work to date on the applicability of existing international law to cyber warfare. It is routinely referenced and relied upon by civilian and military practitioners across the globe and—if it has not already done so—it may very well achieve the authors’ objective of joining the ranks of the San Remo Manual on International Law Applicable to Armed Conflicts at Sea and the Manual on International Law Applicable to Air and Missile Warfare as one of the authoritative (albeit non-binding) manuals detailing the manner in which international law applies to particular forms of warfare.
No doubt the soon-to-be-released Tallinn 2.0 will prove to be equally well received.
And that is precisely the problem.
Despite the benefits of the Tallinn Manual—a proffer of increased certainty for States that international law does apply to cyber activities; a framework that adopts and applies international legal norms; the general utility of a ready reference for government officials, operators, and legal advisers; and the recording of a group of experts’ opinions that can be scrutinized by others in ways that might help to develop long-term legal consensus—the Tallinn Manual presents two dangers that we should hope Tallinn 2.0 avoids.
The first challenge presented by Tallinn 1.0 is not so much a flaw in the document itself but an error in the manner in which it is often cited. The Tallinn Manual’s authors took care to specify the limited scope of the text, but the Manual’s purpose and utility are often misunderstood.
The Tallinn Manual examines the international law governing “cyber warfare.” As a general matter, it encompasses both the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict, or international humanitarian law). Related bodies of international law, such as the law of State responsibility and the law of the sea, are dealt with in the context of these topics. (Tallinn Manual at 4.)
In other words, the Tallinn Manual analyzes cyberspace activities related to going to war and fighting wars through cyberspace. Part I focuses on jus ad bellum; part II on jus in bello. And the Manual emphasizes that its “emphasis is on cyber-to-cyber operations, sensu stricto. … The Manual is not intended for use in considering the legal issues surrounding kinetic-to-cyber operations, such as an aerial attack employing bombs against a cyber control centre.” (Tallinn Manual at 5.)
Nevertheless, my sense—based on countless cyber discussions with senior U.S. Government officials, foreign partners, military and civilian operators and legal advisers, and academics since the manual was published in 2013—is that a significant number of those who refer to the Tallinn Manual or its terms fail to understand the intended scope of the work. It is not uncommon for the manual’s provisions on sovereignty, State responsibility, the use of force, means and methods of warfare, attacks, and various other sections to be referenced in fact patterns—real or theoretical—for which they are not applicable.
Perhaps the most egregious example is that the Tallinn Manual is sometimes cited as an authoritative source on cyber activities not involving the use of force or occurring outside or below the threshold of armed conflict (i.e., not having jus ad bellum or jus in bello implications). The Manual does provide some general guidance in this area based on the Group of Experts’ understanding of extant norms. However, it does so through a series of rules and analysis in Part I that, for the purposes of this Manual, are most relevant to questions of jus ad bellum. Most of these sections are not particularly detailed, as they were added to the Tallinn Manual late in its development to make clearer that Part II of the manual applied only to cyber operations in armed conflict. The Manual’s introduction makes this point most clearly:
Cyber activities that occur below the level of a “use of force” … like cyber criminality, have not been addressed in any detail. … For instance, the Manual is without prejudice to other applicable fields of international law, such as international human rights law or telecommunications law. …Although individual States and those subject to their jurisdiction must comply with applicable national law, domestic legislation and regulations have likewise not been considered. (Tallinn Manual at 4.)
Still there seems to be a not too uncommon opinion in certain circles that Tallinn 1.0 has asked and answered all of the international law questions relevant to national security-related activities occurring in or through cyberspace. As Paul Rosenzweig explained previously, this is simply not the case. The Tallinn Manual does a lot of good work, but it has little to say about the vast majority of cyber activities that take place amongst States or between States and non-state actors and it certainly is not an authoritative source on such matters (see, e.g., the cyber incidents that impacted the Democratic National Committee, Sony, and the Office of Personnel Management).
It is not clear to me why the Manual’s scope is so often misunderstood. Confusion about whether specific cyber operations implicate jus ad bellum or jus in bello is understandable at times—particularly if the reasonably foreseeable effects of cyber operations are difficult to forecast; when too many cyber incidents are miscast as “cyber attacks”; when cyber actions produce effects within war zones or against parties to a conflict and also impact objects outside of war zones or civilians or neutral States; when attribution is challenging; or when the existence of a non-international armed conflict is debatable or the status of an individual or group as parties to a conflict is less than certain. Surely there are other murky factors that I am missing.
But the complications of cyberspace have little to do with a basic understanding of the Manual’s scope. And there seem to be substantially fewer persons involved in the conversations that I participate in who have actually read the manual (or the three pages from its introduction that explain the manual’s threshold questions and scope) than those who cite to the Tallinn Manual as the answer to anything and everything relating to cyberspace and national security.
Again, this is due to no fault of the authors—except, perhaps, for doing too good of a job. I have listened to colleagues, such as Professor Michael Schmitt of the Naval War College and Eric Jensen of Brigham Young University (and now the Department of Defense), explain clearly the purpose and provisions of the Manual. Even when I have disagreed with certain aspects of how the Manual frames certain issues, I have enjoyed their smart explanations of the experts’ conclusions, as well as their zealous advocacy in support of the Manual’s standing as a descriptive tool and prospective source of international law. Apparently, so have many others because too many professionals involved with cyber operations believe that the Tallinn Manual is more than it is.
So here’s a first word of caution about Tallinn 2.0: understand its scope and apply accordingly.
- Legal Uncertainty (Especially) Outside of Armed Conflict
Tallinn 2.0 may cure the scope problem that has bedeviled Tallinn 1.0. After all, Tallinn 2.0 aims to address a broader spectrum of cyber activities than those germane to questions under jus ad bellum and jus in bello. As explained by the NATO Cooperative Cyber Defence Centre of Excellence:
Tallinn 2.0 is the follow-on project to the “Tallinn Manual on the International Law Applicable to Cyber Warfare.” Designed to expand the scope of the original Tallinn Manual, Tallinn 2.0 will result in the second edition of the Tallinn Manual and be published by Cambridge University Press in 2017.
… States are challenged daily by malevolent cyber operations that do not rise to the [level of armed attack or occur during armed conflict]. The Tallinn 2.0 project examines the international legal framework that applies to such cyber operations. The relevant legal regimes include the law of State responsibility, the law of the sea, international telecommunications law, space law, diplomatic and consular law, and, with respect to individuals, human rights law. Tallinn 2.0 also explores how the general principles of international law, such as sovereignty, jurisdiction, due diligence and the prohibition of intervention, apply in the cyber context.
But it remains to be seen how, precisely, Tallinn 2.0 will analyze this broader and much more frequently occurring array of “sub-use of force” cyberspace activities (actions that, when undertaken by States, I have previously described as being governed by jus extra bellum). The best case scenario is that Tallinn 2.0 might quell the scope problem and make clearer when jus ad bellum or jus in bello rules or norms apply, when another legal regime is applicable, or when international law lacks prohibitions or constraints or is otherwise silent. At worst, however, Tallinn 2.0 could overstate or misstate the applicability of international law to cyberspace activities so as to once again allow for misunderstandings about the new Manual’s scope. That may not be the same type of scope problem that has developed from the original Tallinn Manual—one largely derivative of user error. Nevertheless, it will be important to understand whether Tallinn 2.0 is able to accurately describe lex lata (international law as it currently exists) or whether the Manual is better understood as the group of experts’ lex ferenda (what they believe the law should be).
This is perhaps the most prominent flaw in the original Manual. It both acknowledges great legal uncertainty in the field (“the scope and manner of international law’s applicability to cyber operations, whether in offence or defence, has remained unsettled”; page 3) and then strongly suggests that international law clearly applies to cyberspace activities in certain ways and under particular circumstances (e.g., “providing an organized group with malware and the training to use it to carry out attacks against another state would … qualify [as a use of force]”; page 46, rule 11).
The problem with this approach—keeping in mind the concern that I raised earlier about persons accepting the Tallinn Manual as the authoritative source for national security-related cyberspace activities—is that there will be a tendency amongst many who use the manual to encounter a problem, turn to the page that addresses the issue at hand, and accept the analysis that the Manual provides without regard for the incredibly important caveats upon which the Manual is constructed (i.e., the Manual reflects the perspectives of a group of experts but offers opinions that are not settled law; it is written to address the limited issues of jus ad bellum and jus in bello; to the extent that the Manual does have application, it could only apply to those cyberspace activities that initiate armed conflict or are undertaken within an ongoing armed conflict and even then only when the action in question would meet a threshold necessary to make the rule in question applicable (e.g., a cyber operation might constitute an attack under the law of armed conflict when the cyber operation is “reasonably expected to cause injury or death to persons or damage or destruction to objects”; see Tallinn Manual Rule 30, pages 106-112)).
So the cyber lawyer is likely to turn to the Tallinn Manual as the leading cyber warfare reference that he or she has, find the applicable rule, and restate the Manual’s opinion as authoritative to the facts at hand.
Certainly it would be fair for the Manual’s authors to point out that it is better to have thoughtful, detailed opinions as to how international law might apply to cyber warfare than to have nothing, or at least very little, to work with. Consider, in contrast, that Chapter XVI of the Department of Defense’s Law of War Manual is devoted to cyber operations, but the entire chapter is only 15 pages in length. The Law of War Manual speaks largely in general terms, presenting its cyber jus in bello discussion as a “general guide” for practitioners, without providing the concrete, fact-specific analysis that legal advisers may crave and that can be found elsewhere in the Law of War Manual.
In fairness to the Department, senior Defense attorneys acknowledge that Chapter XVI is not as detailed or as useful as some other sections of the work—largely as a consequence of the unsettled nature of the applicability of jus ad bellum and jus in bello to specific cyber operations. As State Department Legal Adviser Brian Egan explained in a speech in mid-November of 2016, “there is a relative vacuum of public State practice and opinio juris concerning cyber activities.” On that point, the Defense and State Departments seem to agree. (It should be emphasized that even State practice, which may be undertaken for political, economic, security, or other purposes without a sense of legal obligation, does not by itself create customary international law.) The Law of War Manual does memorialize the Department of Defense’s perspective on certain key points pertaining to cyberspace operations (e.g., “international law applies to State behavior in cyberspace” (footnote 1); “specific law of war rules may apply to cyber operations” (rule 16.2); “[c]yber operations may in certain circumstances constitute uses of force within the meaning of Article 2(4)” (rule 16.3.1); “the question of the legality of peacetime intelligence and counterintelligence activities must be considered on a case-by-case basis” (rule 16.3.2); a “State’s inherent right of self-defense … may be triggered by cyber operations that amount to an armed attack or imminent threat thereof” (rule 16.3.3); etc.). However, Department of Defense attorneys have made a point of emphasizing that Chapter XVI should be considered a work in progress that will be shaped over time by the evolution of law and state practice in cyberspace.
On the other hand, the original Tallinn Manual seems to go too far in the other direction. A colleague who contributed to the development of the Manual explained to me that the Manual’s drafters consider its Rules to be “solid law” and the commentary under the Rules to address areas that are “more grey.” The Manual fills in some of this grey space by identifying competing interpretations—identified as the viewpoints of the majority or minority of Experts—in certain sections. But the distinction between what was considered “solid law” and where legal uncertainty exists is not obvious throughout the entirety of the text. By its terms, the Manual draws some very firm legal conclusions that simply are not settled under international law. On a macro level, the Tallinn Manual transposes concepts of sovereignty, jurisdiction, and control to computers, computer networks, and cyber infrastructure. It describes actions in and through cyberspace as applying to use of force and armed attack frameworks existing under the United Nations Charter and customary international law. The Manual accepts that jus in bello applies to cyberspace operations then goes quite far in detailing how specific jus in bello rules—modified by the Group of Experts to make them applicable to cyber operations—should be understood in this context. By and large, the conclusions contained in this effort seem reasonable. Yet the Manual remains principally a work of analysis by analogy. While Tallinn 1.0 is thorough, thoughtful, and carefully constructed, analysis by analogy tends to produce results that can be less descriptive than prescriptive.
Consider the following example:
Rule 38 – Civilian objects and military objectives
Civilian objects are all objects that are not military objectives. Military objectives are those objects which by their nature, location, purpose, or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage. Military objectives may include computers, computer networks, and cyber infrastructure. (Tallinn Manual at 125.)
Rule 38 builds from understandings of civilian objects and military objectives as they appear in Additional Protocol I. The last sentence of the definition is a cyber-specific conclusion drawn by the Group of Experts, and it seems reasonable enough based on the use of the word “may” and the well-settled point that, at least in the kinetic sense, computers, computer networks, and cyber infrastructure may, under certain circumstances, be attacked with force such that they are objects of attack as matters of fact and law.
Where Rule 38 is of most interest for me is in its treatment of data (see pages 126-127). Rule 38 acknowledges: “[T]he law of armed conflict notion of object should not be interpreted as including data. Data is intangible and therefore neither falls within the ‘ordinary meaning’ of the term object nor comports with the explanation of it offered in the ICRC Additional Protocols Commentary.” (Tallinn Manual at 127; emphasis added.)
The Manual points out that the commentaries to the Additional Protocols describe objects as being “visible and tangible”—qualities that most would not accord to data residing in, or transiting through, cyberspace. These data-specific assessments very well could have led the Group of Experts to conclude that the Manual’s rules pertaining to objects, including rules 37-40 addressing attacks against objects, do not apply to data. Alternatively, the Experts might have concluded that it was unclear whether or to what extent international law, as it exists today, applies to actions targeting data.
But my sense is that the Group of Experts was concerned that such a determination, even if it would have been consistent with their understanding of current international law, would have constituted a statement that cyber operations targeting or affecting data during armed conflict are a sui generis matter—that is to say, that jus in bello rules applicable to objects, attacks, precautions, and so forth on land, sea, and in the air would not currently be applicable to actions targeting data in cyberspace. And the Experts wanted to avoid such a vacuum. The Manual hints at this concern, explaining that the minority view (cited below) developed out of concern that “even the deletion of extremely valuable and important civilian datasets would potentially escape the regulatory reach of the law of armed conflict.” (Tallinn Manual at 127.)
Consequently, the Group of Experts filled the void by reversing course and drawing a distinction between data existing in cyberspace and data that is targeted through cyber operations. “[A] cyber operation targeting data may, in the view of the majority of the Experts, sometimes qualify as an attack when the operation affects the functionality of computers or other systems. A minority of the Experts was of the opinion that, for the purposes of targeting, data per se should be regarded as an object.” (Tallinn Manual at 127.)
The Manual does not specify where this distinction between data existing in cyberspace and data targeted through cyber operations can be found in international law. Never mind that any number of cyber operations targeting data might not create any physical effects or otherwise produce results that jus in bello was designed to protect against. Instead, the Experts’ opinions are recorded, but those positions are not detailed in legal terms. Clearly the Experts sought to constrain activities directed at data and there are important reasons to want international law to constrain such conduct. But that is an argument for lex ferenda; it is not a description of lex lata.
In the interest of brevity, I will not go further into analyzing Rule 38 or any other rules in this post. However, I would commend to readers’ attention a forthcoming article by my colleague Peter Pascucci of the U.S. Navy JAG Corps and U.S. Cyber Command entitled “Distinction and Proportionality in Cyberwar: Virtual Problems with A Real Solution.” The article will be published by the Minnesota Journal of International Law in Spring of 2017 and it provides more detailed analysis of Rule 38, Rule 51 (Proportionality), and the broader terms of the Tallinn Manual.
The Tallinn Manual was imperfect. My understanding is that the Director of the Tallinn Manual project and his colleagues have worked hard to make Tallinn 2.0 a better product—by acknowledging more explicitly competing perspectives on the applicability of international law; by expanding the group of experts to include more diverse viewpoints, including some Chinese and Belarusian (but not Russian) participation; and by asking representatives of States to provide feedback (although not necessarily official government positions) on drafts of Tallinn 2.0. These are all commendable measures that reflect the diligence of Professor Schmitt and his colleagues.
Still, it remains to be seen how much better of a product Tallinn 2.0 will actually be. My hope is that the new Manual will make clear that it likely does not contain any final answers—that it will explain plainly, both within its introduction and throughout its rules and explanations, that international law is still developing in this arena and that the new Manual represents incremental progress in a long-term conversation.
Of course that is not how manuals are normally framed. They are tools to be applied to facts and circumstances at-hand. And in the heat of battle or the urgency of the moment the practitioner is likely to apply in haste the best resource at his or her disposal.
And so my fear remains that Tallinn 2.0—whatever it says—may, like its predecessor, be misunderstood and misapplied by those who use it and may overstate the certainty with which international law can be understood currently to apply to cyber operations.
The views expressed herein are those of the author and do not necessarily represent the views of the Department of the Navy, the Department of Defense, or the United States.