But what if Nation A uses a cyberattack to cause an explosion at a military base in Nation B? Can Nation B still exercise its inherent right to self-defense by firing missiles at a military target in Nation A?
Or what if, in the midst of an armed conflict, a cyberattack from Nation A knocks out power at a hospital in Nation B? Was that target off limits under international law?
Both answers are yes, according to a 20-member panel of international law experts that has spent the last few years grappling with such questions and searching for answers in legal texts like the Geneva and Hague conventions and the United Nations Charter.
The result of their conclusions has just been published as “The Tallinn Manual,” a nearly 300-page legal guide on how existing law should apply to cyberwarfare.
Michael Schmitt, a professor at the U.S. Naval War College, led the panel. He spent more than 25 years as a legal adviser in the U.S. Air Force and Army and suggests that the "Tallinn Manual" is aimed at military lawyers -- people who advise defense officials who are facing a cyberattack or who want to employ cybercapabilities of their own.
“This manual is for me, so that I can open it up and say, ‘This is the law that applies,’ or, 'There are three or four gray areas here; I need to tell the policymakers or the commander that this is going to be a little sketchy in terms of international law,’” he says. “So what we’re trying to do is give a tool to those people who are providing legal advice that they can improve the quality of their legal advice.”
What Rules Apply?
The manual was commissioned by NATO’s Cooperative Cyber Defense Center of Excellence but is not a NATO policy document and has no official standing.
According to Schmitt, it tries to answer two big questions, the first being, what law governs cyberoperations by a state or against which a state needs to respond, in peacetime?
“…[W]e were looking at the prohibitions found in the UN Charter on the use of force and the right of a state to respond in self-defense against cyberoperations,” he says. “Part two of the book is, now you’re at war, now you’re in an armed conflict, and the question there is: what rules apply? Who can you direct your cyberoperations against, what protections are there for civilians, civilian objects, and other protected persons and objects? For example -- what are the rules with regard to cyberoperations against a hospital? What if a hospital and a military facility are relying on the same server? So [we’re looking to apply] the rules that apply on the battlefield,”
A key passage in the manual reads: “To date, no international armed conflict has been publicly characterized as having been solely triggered in cyberspace. But the panel concluded that it could be. They agreed unanimously that cyberoperations alone might have the potential to cross the threshold and become an international armed conflict."
The panel began its work shortly after Estonia suffered a massive cyberattack in 2007. The websites of parliament, government ministries, banks, and media outlets went down in an attack that Estonia accused Russia of masterminding.
At the time, Schmitt was the dean of a security center in Germany and he remembers the reaction among his fellow lawyers.
“Literally, the international lawyers were caught not having a clue what the answers should be when their bosses said, ‘Is it an attack such that under Article 5 of the North Atlantic Treaty we can come to the defense of Estonia?’” he says. “There were no answers at all [to these questions]. So that’s what motivated our work.”
The manual’s central premise is that war doesn’t stop being war just because it happens online. Legally speaking, a computer program that disables a nation’s air-traffic control system and sends planes falling out of a sky produces the same destruction that missiles would.
In a case like that, according to Jason Healey, who directs the Atlantic Council’s Cyber Statecraft Initiative, the manual does conclude that a cyberattack could result in a lethal military counterstrike. But it makes it just as clear that this would only be justified for a cyberattack that was itself lethal or destructive.
The manual’s authors agreed that humanitarian protections afforded things like hospitals and prisoners of war also apply to cyberattacks.
They were also careful to say that cyberacts that cause “inconvenience or irritation” do not qualify as use of force. So the manual ignores the kind of acts that make headlines these days -- cybercrime -- and limits itself to guidelines on cyberwarfare.
It does, however, touch on hackers -- although Schmitt maintains that there has been some misreporting in the media about this section and whether such people can be targeted.
“We never said that you can attack hackers,” he says. “What we said is that, if you have an armed conflict and someone chooses to participate in the conflict in a significant way that affects your military capability, then from longstanding humanitarian law that person loses the protection that they’re entitled to and becomes a target. It has nothing to do with hackers during peacetime and it has nothing to do with a hacker during an armed conflict that is defacing a website -- nothing.”
The panel didn’t always agree. Members struggled, for example, with how to define what constitutes “self-defense” during a cyberattack. Details of their debates are in the manual’s extensive “commentary” section.
So what will the “The Tallinn Manual” change?
Schmitt says maybe little except “improved adherence to the rule of law in cyberspace,” not if, but when, that’s needed.