Publications

Hot Topics

Lastest Documents

RAUSI Dispatches

2024-11-07 RAUSI Dispatches
7 November 2024 (4 KB)

RUSI Nova Scotia

RUSI Nova Scotia Dispatches 2024-11-01
1 November 2024 (1013.54 KB)

RAUSI Dispatches

2024-10-09 RAUSI Dispatches
10 October 2024 (4 KB)

RAUSI Dispatches

2024-09-06 RAUSI Dispatches
6 September 2024 (4 KB)

RAUSI Dispatches

2024-08-08 RAUSI Dispatches
9 August 2024 (4 KB)

November   2024
S M T W T F S
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30

Show your support for RAUSI programs. Buy a 2025 Membership for only $50.00, and receive full membership benefits.

Join Now >

Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations

International Law

By International Group of Experts at the Invitation of the NATO Cooperative Defence Centre of Excellence (Cambridge 2nd ed 2017)

Reviewed By LJ Howard, 31 May, 2021

As noted in the 01 June 2021 edition of RAUSI Dispatches, The University of Calgary’s Professor John Ferris will host a Q&A on The Politics of Cyber Security and Surveillance. Those interested in this field may find it equally interesting and useful to also gain a better understanding of the international law concerning hostile cyber operations that amount to a threat of use of force. Whereas Ferris’ presentation concerns the politics of such operations; the Tallinn Manual sets out a highly readable balance of both descriptive and prescriptive analysis of the accompanying international law of cyber warfare.

The Tallinn Manual 2.0 is not an academic treatise. Instead, following its much shorter first edition (2013), it offers the pragmatic results of at least five years of research undertaken by approximately forty civilian jurists, military operators, and scholars, all emanating from twenty states, international organizations, and international nongovernmental organizations. These include Member States of NATO, other states such as the People’s Republic of China, Israel, Japan, India, Republic of Korea, as well as the International Law Commission of the UN, Human Rights Watch, and Chatham House. As such, the outputs of the Manual reflect a balance of different modalities of interpretation of international law.

The contributors concluded in general that the international law applicable to cyber operations was to be found in the interpretation of extant bodies of law rather than there being a need for new law. Cyber operations engage the weaponization of a technology, not unlike other weapons systems. As such, the contributors concluded that nuanced interpretations of primary sources of international law settled questions concerning the lawful use of that technology, particularly treaty law: the UN Charter Articles 2(4) and 51, the four Geneva Conventions (1949) and their two Protocols Additional (1977) and one AP (2005), and to a lesser extent, the later of the two Hague Conventions (1907). The contributors considered related aspects of customary international law and the argument that elements of these treaties were also declaratory of custom. Due weight was given to academic research and the decisions of various tribunals.

Concerning the jus ad bellum, i.e., law concerning the initial use of force in dispute settlement, the great number of states from which the contributors originated fostered a wide range of interpretation as to what circumstances concerning the initial use of cyber force does and does not constitute a threat to peace (Charter 51) which then entitles the victim state to respond with a lawful threat or use of force of any description, not necessarily cyber force. As to the subsequent jus in bello governing the use of force once hostilities have commenced, and drawing on the body of Geneva law, its four principles remain determinative of lawful use, e.g., military necessity in target selection and proportionality of use of force. What amounts to a cyber attack under international law is determined by lethal effect and/or material property destruction.

One of the unsettled issues was that of attribution of unlawful acts to an offending state. Anonymity of the source of cyber operations is one of that weapon system’s major advantages, leveraging stealth, surprise in timing and magnitude. After centuries of debate, attribution of unlawful acts was finally reduced to writing by the UN based International Law Commission in its Articles on Responsibility of States for Internationally Wrongful Acts (2001). It is an expression of customary law. However, the lack of probative evidence to be found in cyber attacks frustrates the successful application of ARSIWA. Circumstantial evidence alone is insufficient, e.g., the speculation that only two states could have been responsible for launching the Stuxnet cyber attack that destroyed Iran’s Nantaz nuclear centrifuges in 2007 or for similar incidents in 2017 and 2021. Neither the US nor Israel would admit to same for reasons of wishing to (i) avoid legal responsibility; (ii) not disclose its capabilities in cyber warfare. Some have argued (i) a lower standard of proof; (ii) a reversal of the burden of proof would settle the issue of attribution, but the contributors to Tallinn did not spend much time considering this line of thought.

Others have researched and published on this topic. One of the best is a great book of readings, Peacetime Regime for State Activities in Cyberspace; International Law, International Relations and Diplomacy, Katharina Ziolkowski, ed (NATO Cooperative Cyber Defense Centre of Excellence, 2013, 746 pp).

The Tallin Manual 2.0 is available on Amazon.ca.

© 2024 Royal Alberta United Services Institute / rausi.ca