The era of cyber conflicts could perhaps compared to the days when America had just been discovered and warships, pirates and buccaneers from various countries sailed into the Caribbean Sea. One of the differences with the 16th century is that one of the vessels trying to bring about order in the ‘cyber-sea’ of today is sailing under the Estonian tricolour flag – blue, black and white.
Michael N. Schmitt (Editor). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013. 300 p.
As long as the opportunities for the small states to gain the attention of the rest of the world with something constructive and memorable remain relatively limited, the small states have to pick wisely on which internationally relevant endeavours they spend their limited resources. As is well know, Estonia has chosen the Internet and cyberspace as one of the main issues of its politics and is one of the proponents of openness on cyber issues. However, cyberspace also conceals in itself dangers, some of the most serious of which are cyber wars and cyber-attacks. What are they and what kind of law with which limitations should apply to this modern phenomenon?
In March 2013 the Cambridge University Press published the Tallinn Manual on the International Law Applicable to Cyber Warfare, henceforth referred to as the Tallinn Manual.1 This was a result of the collective work of a group of experts led by professor Michael Schmitt from the United States Naval War College. Institutionally, however, the project was backed and commissioned by the NATO Cooperative Defence Centre of Excellence (NATO CCD COE), established in 2008 and located in Tallinn, which has made the book electronically accessible to all the interested parties.2 This is a praiseworthy decision and reflects the policy of open access to research funded by tax money, which is becoming more and more common across Europe. However, the authors of the project stress their independence as experts during the completion of the work and they do not want the views presented in the Manual to be attributed to the Cooperative Defence Centre, its sponsoring nations, or NATO (p. 11).
In many ways, that project is no ordinary research paper on international law rather than a remarkable international event. The aim of this article is to shed some light upon the background and topic matter of the Tallinn Manual, and to consider how the authors have succeeded in their goal of working out all the main points of international law applicable to cyber warfare. This is a particularly intriguing endeavour with Edward Snowden’s revelations regarding the United States’ PRISM programme unfurling before our eyes over this summer. Likewise, South Korea recently announced that it blames North Korea for the cyber-attack perpetrated in June 2013 and directed against the websites of the South Korean government and media. Therefore there is no reason to doubt the continuing relevance of the issue of cyber conflicts.
The Tallinn Manual, Estonia and ‘Eastern Europe’
The publication of the manual is important for Estonia in the sense that possibly for the first time during the existence of the Republic of Estonia, the name of its capital was brought to the mental world map of international law with a purposefully accomplished project. Vienna, The Hague, Geneva, New York, even Helsinki – we must admit that until now, Tallinn has been largely missing from this list of places important to international law. In order to fully comprehend the importance of the event, historical perspective must be considered. It has been almost a century since in 1919 the delegation of the newly founded Republic of Estonia travelled in the leading countries of Europe to demand their recognition of Estonia, with Ants Piip for example arguing in London in front of the members of the Grotius Society as to why Estonia as a country, based on international law, deserves a membership in the international community.3 I should like to think that the publication of the Tallinn Manual in 2013 is one piece of evidence that proves that Estonia as a state has really arrived in the international community. At the same time, this manual is a sign for Estonia of a certain maturity as a state. Mature states do not focus egotistically on their own affairs, instead trying to contribute to solving the problems of the international community as a whole. One of the expressions of such maturity is readiness to help ponder over the type of challenges such as cyber wars and cyber conflicts which international law is facing.
It is true that the critical reader may perceive that in the scientific project at hand Tallinn is not so much an independent actor as a base camp for our larger allies. The legal experts that wrote the Tallinn Manual have distinctly American and Old European backgrounds. One gets the feeling that within the context of this project, the Estonians have more or less been reduced to the role of compères. Some circles have already expressed criticism: why did the project not involve legal experts for example from China or the Russian Federation?4 At this point, one must consider the genesis and the background of the NATO Cooperative Defence Centre. Since Estonia suffered from cyber-attacks arguably orchestrated from the Russian Federation during the riots of April 2007, the manual serves as an analytical reply from Tallinn (and not only Tallinn, but also the other NATO partners who support the CCD) to those and other cyber-attacks that have occurred in the world after that and which may have been sanctioned on government level.
Let the Chinese and the Russians themselves worry about being represented in the legal debate concerning cyber warfare. The author of this article noticed that there was a complete lack of scientists from the former Warsaw Pact countries among the legal experts partaking in the project. It seems that despite there being a NATO competence centre in Tallinn, the leaders of the project seem to think that there is not much competence in international law in the area. Even if we excluded the Baltic states – was it really impossible to find top-level legal experts from Poland, Hungary, the Czech Republic or Slovakia who could have had a say on the topics of the legality of the use of armed force, international humanitarian law, and the responsibility of the state?
I think that some fault lies with the diplomatic corps of the post-communist states that support the CCD – they should have been more help to the American experts in forging contacts and they should have found somebody like Pavel Šturma, Władysław Czapłiński or perhaps from the younger generation Marko Milanovič, Rain Liivoja or Dainius Žalimas to participate in the drafting of the cyber manual. Regardless of the moniker of universality, the practice and the analysis of international law have often been criticised for still being controlled by the West5, to the core of which the Baltic states and possibly the entire so-called Central and Eastern Europe still cannot help but remain peripheral. Even this very project can thus acquire a certain neo-imperialist aftertaste, because both the centre and the periphery have been cast in their traditional roles. Decisions regarding personnel cannot help but influence the content of the outcome in some details – for example, during the drafting of the project only four countries’ military manuals were regularly referenced – those from Canada, Germany, the United Kingdom and the United States of America (p. 8). There is a clear problem of representativeness here and this pattern follows the arrogant practice criticised by Onuma Yasuaki where the ‘rule of international law’ has been derived from the practice of some leading Western countries.6 Professor Michael Schmitt has expressed astonishment that the main conclusions of the Tallinn Manual are largely congruous with those of the United States government7, a fact that Harold Koh from the United States State Department revealed in his programmatic speech. Given the context above, however, is it really so ‘astonishing’?
We must, however, have good faith and understand that the Tallinn project was completed in three years, which in the case of a large-scaled collective scientific project is a short time rather than long, and therefore there was certainly not enough time to consider all the existent information and to present all the viewpoints. Nobody is forbidding other countries from starting their own science projects or telling the scientists who were not invited to Tallinn not to write and express their opinions.
Regardless of the criticism as presented above, the publication of the Tallinn Manual is still a very positive event for Estonia. The fact that the ‘sprat-can silhouette’ and its forward-looking topic found its way into the body of literature on international law – among the San Remo and Harvard manuals and other well-known manuals in the humanitarian law – will without a doubt create new opportunities for our scholars of law and social sciences in the future.
The main ideology of the Tallinn Manual
The main tenet of the Tallinn Manual is as follows: cyber warfare is governed by international law already in force, particularly the rules that regulate the commencement of an armed attack (jus ad bellum, UN charter, mostly effective since 1945) and the rules that regulate the conduct of armed conflict (jus in bello, including for example The Hague Convention of 1899 and the Geneva Convention of 1949, the latter with the 1977 amendment protocols).8 Cyber warfare does not therefore exist in a legal void where until now ‘anything goes’ and which has yet to be filled with international law. The general stance of that tenet reminds of the Martens Clause, formulated within the context of the 1899 international military law.9 As such, the expert group who worked for the Cooperative Defence Centre reflects and develops the United States 2011 strategy on international cyberspace: ‘The development of norms for State conduct in cyberspace does not require a reinvention of customary international law, nor does it render existing international norms obsolete. Long-standing international norms guiding State behaviour – in times of peace and conflict – also apply in cyberspace.’ (p. 3)
The main point of the manual is that customary and well-known rules of international law have been applied to and interpreted in the context of cyber conflicts between states. This resulted in 95 rules of international law with commentaries, which according to the expert group should apply to cyber-attacks that cross the threshold of using armed force.
For example, states that consider cyber operations must take into account that a cyber-attack may constitute a violation of the clauses of the UN Charter regarding the use of force and an act of aggression against another state, which may be retaliated against with armed self-defence or after which the UN Security Council may authorise the use of force in the name of the international community. While planning and executing a cyber-attack the state will also have to consider the requirements of international humanitarian law such as the obligation to differentiate between civilian and military objects and people while carrying out the operations. In other words – essentially the same limitations of international law apply to both cyber-attacks and attacks conducted with kinetic weapons.
In order to understand what the Tallinn Manual constitutes one must understand what it explicitly is not. The Tallinn Manual examines the international law governing ‘cyber warfare’, thus not addressing in detail such cyber activities that occur below the level of a ‘use of force’ as stipulated in the UN Charter, such as cyber criminality (p. 4). For example, the project only examined the legality of cyber intelligence activities only as they relate to the jus ad bellum notions of ‘use of force’ and ‘armed attack’, or as relevant in the context of an armed conflict governed by the jus in bello (p. 4). The Manual admits that cyber espionage, theft of intellectual property, and a wide variety in cyberspace pose real and serious threats to all states, as well as corporations and private individuals, but it is not the aim of this Manual to address such matters (p. 4). A news article on the website of the NATO CCD COE states however that the expert group will undertake a follow-up study in order to carry out a more detailed analysis of such cyber-attacks that stay below the armed attack threshold in the sense of the UN Charter.10 For instance, it will be interesting to see how the expert group will characterise the recently revealed information that the United States has extensively spied on the diplomats of the European Union among others. Can it be that the activity will be classified as an act of cyber criminality illegal under international law, regardless of it remaining below the threshold of the Article 2 section 4 of the UN Charter?
Application by analogy of the current international law in the context of cyber-attacks and conflicts is the only possible way at the moment, because there are no other fundamental treaties of international law on the horizon to regulate that realm. The expert group’s aspiration to avoid legal anarchy in cyberspace is laudable in every respect. There are, however, some aspects that make me worry over the legal characterisation of cyber-attacks.
One of those is the problem of attribution – at least until now the organiser of cyber-attacks has been more difficult to determine than the perpetrator of kinetic attacks. The schemes that exist in international law – such as the state’s responsibility for its unlawful acts – can only be applied when the act is unequivocally attributable to a certain state.
Another tricky aspect is the blurring of the lines between state and non-state actors –representatives of the state can delegate the perpetration of an attack to non-state actors and the latter have obtained the independent ability to commit cyber-attacks.
Third, technological development and the specialisation of public bodies means that states no longer necessarily speak in a ‘single voice’. This means that for example the messages from the foreign ministry, the armed forces and the intelligence may not be exactly congruous in a conflict situation, which points to a certain fragmentation of state practice. In this case, what constitutes a ‘state’ or its behaviour?
Fourth, states are beginning to sense that international law applies even in the world of cyber-attacks only when powers emerge who are ready to enforce international law in cyberspace – using armed force if necessary. So far it is unclear whether such powers exist, because even those nations who have traditionally undertake such work (for example the United States during the 20th century) themselves test the boundaries of the acceptable and the unacceptable.
The fifth and probably the most important point is that cyber operations have the potential to further blur the disputable boundary between using armed force and a situation that does not qualify as using armed force.
In Russia, some have reasoned that the fact of the publication of the Tallinn Manual could be potentially dangerous.11 According to the Russian media, the official position of the Russian Federation is that the use of cyber weapons in international relations should be outright banned. Within that context, Moscow states that the Tallinn Manual may help further legitimise cyber warfare as such.12 In order to understand Moscow’s position one needs to begin with the fact that a cyber weapon is surely more ‘democratic’ and easily obtainable than nuclear weapons (which Russia legally has, but the majority of the states do not). Therefore, cyber wars are strategically dangerous to Russia, since they can diminish the differences between military capacities of Russia and other states, while Russia can only control its vast territory thanks to a functional deterrent.
It is actually unclear whether Russia has in fact anything material to say against the rules of international law as stipulated in the Tallinn Manual, the more so that the Tallinn Manual has really been written in the spirit of the Russian scholar of international Law (and an ethnic Estonian) Friedrich Martens (1845–1909) and his famous Clause. It may well be that Russia is jacking up its price by ostensibly presenting ideological reservations and is insinuating to the USA – as it often tends to do – that there must be no considering of the reinterpretation old/new rules of international law without Russia’s involvement in the matter.
Echoes of the 2007 cyber-attacks
If one were to read between the lines in the Tallinn Manual, one would find that the state or its agents that ordered the cyber-attacks perpetrated against Estonia in 2007 may have committed an unlawful act under international law regardless of the fact that it was not an armed attack in the sense of the UN Charter. The Charter, ratified in 1945, includes the concepts of ‘armed attack’ (Article 51) and ‘use of force’ (Article 2 Section 4) and the authors of the manual are of the opinion that the web attack against Estonia cannot be characterised as either (p. 58). Caution must thus be advised if one were to talk about ‘cyber warfare’ – an event may not be classified as such in the technical sense of international law. The authors of the manual opine that no such cyber-attack that could unequivocally be classified as ‘armed attack’ in the sense of the UN charter has actually taken place in the world (pp. 83–84). Only the Stuxnet worm that wreaked physical havoc in Iran in 2010 was viewed by some members of the expert group to be potentially an armed attack in the sense of the UN Charter (p. 58).
What about the legal characterisation of those cyber operations that do not cross the armed attack threshold of the UN Charter, such as happened to Estonia in 2007? That will be the issue that the expert group will tackle next, but that will presumably be an even tougher nut to crack than the discussion about those cyber-attacks that can be characterised as armed attack.
In this regard, the manual gives some insights into the way of thinking of the expert group. Even though such operations may not be classified as armed attack in the sense of the UN charter, they may still be unlawful. For example, let us take the fifth rule as formulated by the authors: ‘A State shall not knowingly allow the cyber infrastructure located in its territory or under its exclusive governmental control to be used for acts that adversely and unlawfully affect other States.’ (p. 26) The experts add that this rule covers all acts that are unlawful and that have detrimental effects on another state. The term ‘unlawful’ was chosen deliberately as the expert group did not want to limit the prohibition to narrower concepts, such as the use of force or armed attack (p. 27).
The tenth rule is also relevant: ‘A cyber operation that constitutes a threat or use of force against the territorial integrity or political independence of any State, or that is in any other manner inconsistent with the purposes of the United Nations, is unlawful.‘ (p. 43) For example, the expert group thinks that a cyber operation may constitute a violation of the prohibition on intervention (p. 44). In regards to Edward Snowden’s revelations it is interesting to note that the Tallinn Manual reasons that cyber espionage lacking a coercive element do not per se violate the non-intervention principle. The experts are also of the opinion that mere intrusion into another state’s computer systems does not violate the non-intervention principle, even where such intrusion requires the breaching of firewalls of the cracking of passwords (p. 45). Cases of coercion (as an element of unlawful intervention) include the manipulation of elections, manipulation of online news, paralysation of one political party, but according to the experts, not every form of political or economic interference violates the non-intervention principle (p. 45). Such conclusions reflect the interests of the states that are technologically most developed and most capable and one may presume that they may encounter quite sharp opposition outside the Western world. In this sense, even the authors of the Tallinn Manual are unable to escape the interpretational differences regarding the UN Charter that arose between the authors from the West and the rest of the world already during the Cold War – the Western countries have been somewhat more lenient towards use of force and intervention than the others.13
The Tallinn Manual should be thought of as a normative opening shot in the legal characterisation of cyber operations and attacks, not as the definitive final note on the issue. It is understandable that this opening shot should come from the scholars of international law from the United States and its close allies. Wilhelm Grewe (1911–2000), the German diplomat and historian of international law, has dubbed the era that began with the end of World War I and has probably continued until today the United States epoch of international law.14 As a leading formulator of contemporary international law, the United States has a natural interest towards normative establishment of its will and way of thinking in the realm of cyber conflicts as a realm of the future.
However, the realm of cyber wars – both in the sense of the UN charter and in the wider, metaphorical sense – illustrates well how the limits of the laws of the justifiability of the use of force (jus ad bellum) and the classical laws of war (jus in bello) have been put to the test again. Both the non-violence clause and the limits of engagement of the UN Charter may be subjected to further pressure by all kinds of cyber-attackers. At the same time, the line between an armed attack and activities that cannot be qualified as such may also be blurred even more. Why even start a cyber war when privileged cyber intelligence data already tells you what your enemy is thinking, planning or pining for? Even Snowden’s revelations about the American PRISM programme are bound to make one arrive at the conclusion already articulated by Sun Tzu in his ‘Art of War’: war itself is the last and least preferred way to impose your will. If you can be victorious by other means, you should. This probably applies to cyber wars as well.
The rules of international law that have been adapted to cyber warfare in the Tallinn Manual serve as a warning and an admonishment to the states, but they will only ever be obeyed if the Great Powers themselves set a positive example. The way the states behave today, however, is not very reassuring. Has anybody taken responsibility for the 2010 worm Stuxnet? Based on Grewe, we are witnessing the birth of a new era and vast bets are placed on the international law of tomorrow – in the cyber world, but not exclusively. Decks of cards are being reshuffled and the rules that were formulated today may not apply tomorrow. If we were to go back in time, then the era of cyber conflicts could perhaps compared to the days when America had just been discovered and warships, pirates and buccaneers from various countries sailed into the Caribbean Sea and it was not always easy to tell them apart. One of the differences with the 16th century is that one of the vessels trying to bring about order in the ‘cyber-sea’ of today is sailing under the Estonian tricolour flag – blue, black and white.
Translation from Estonian to English by Raivo Hool.
1 Michael Schmitt (general editor), Tallinn Manual on the International Law Applicable to Cyber Warfare. Prepared by the International Group of Experts at the Invitation of the NATO Cooperative Cyber Defence Centre of Excellence, Cambridge University Press, 2013.
2 http://www.ccdcoe.org/249.html 3 Ants Piip, Esthonia and the League of Nations – Transactions of the Grotius Society, Vol VI, Problems of War and Peace, London, 1921, pp 35–44.
4 For example see Elena Chernenko, Virtual’nyi front, Kommersant Vlast’ 27.05.2013, http://www.kommersant.ru/doc/2193838, p14
5 For example see the critique from a leading Japanese scholar of international law: Onuma Yasuaki, A Transcivilizational Perspective on International Law, Leiden/Boston: Martinus Nijhoff Publishers, 2010, p74 ff.
6 Onuma, p228 ff.
7 Michael N. Schmitt, International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed, 54 Harvard Journal of International Law 2012, pp 13–37 (citation from p15), http://www.harvardilj.org/wp-content/uploads/2012/12/HILJ-Online_54_Schmitt.pdf 8 Read more from: Kalshoven, Frits and Liesbeth Zegveld, ‘Constraints on the Waging of War. An Introduction to International Humanitarian Law’, Cambridge University Press; 4 edition (August 29, 2011)
9 Read more from Kerli Valk, The Martens Clause in International Law – A Compromise of Natural Law and Positivism, master’s thesis, Faculty of Law, University of Tartu, 2009, http://dspace.utlib.ee/dspace/bitstream/handle/10062/9529/valkkerli.pdf;jsessionid=7A51F76E6E79406C452292CFD64B4B92?sequence=1 10 https://www.ccdcoe.org/422.html 11 Elena Chernenko, Virtual’nyi front, Kommersant Vlast’ 27.05.2013, http://www.kommersant.ru/doc/2193838, p14
13 Read more about non-intervention and subversive leveraging: Sinisalu, Arnold, ‘Limits to Subversive Leveraging in International Law’, doctoral dissertation, Faculty of Law, University of Tartu, 2012, http://dspace.utlib.ee/dspace/bitstream/handle/10062/22744/sinisalu_arnold.pdf?sequence=1 14 Grewe, Wilhelm G., ‘The Epochs of International Law’, translated from German by Michael Byers, Berlin: de Gruyter, 2000.
This article was published in ICDS Diplomaatia magazine.