This is a guest post written by Emilio Iasiello.
In early February 2017, Tallinn Manual 2.0 was published by Cambridge University Press. Led by the NATO Cooperative Cyber Defence Centre of Excellence, publication of the initial Tallinn Manual occurred in 2013 and focused on the applicability of international law to conventional state-authorized and operated cyber warfare. Authored by a group of international law experts, the recent follow-up focuses on a full spectrum of international law as applicable to cyber operations conducted by and directed against nation states, ranging from peacetime legal regimes to the law of armed conflict.
Tallin Manual 2013
While an academic non-binding study, the 2013 Tallinn Manual has been rightfully celebrated as an important guide for nation states, as well as civilian and military scholars, in addressing the nature of cyber warfare and its applicability to the rules governing kinetic conflict. Indeed, the international collaborative effort reflected a strong consensus in several areas, most notably in acknowledging that the general principles of international law apply to cyber space. However, despite significantly advancing thought in this domain, there were still areas in which the experts could not reach consensus, particularly with regards to defining terminology and corresponding criteria. For example, while the Manual offered a definition of what constituted a “cyber attack,” it could not provide a similar definition for “cyber warfare,” noting that it was used in the Manual in a “purely descriptive, non-normative sense.” Similarly, the group of experts could not establish criteria in order to better define the threshold of “serious damage” that reached the level of significant financial loss or disruption of a state economy.
Enter Tallin 2.0
Tallinn Manual 2.0 lends its legal analysis to more common cyber incidents that nation states face every day that do not cross over the threshold into an act of war. In the context of cyber operations, numerous specialized regimes of international law are covered including but not limited to cyber space sovereignty; the law of state responsibility; air and space law; diplomatic and consular law; and human rights law, among others. This is important as the vast majority of cyber activity that organizations face and makes the news is more consistent with traditional and/or industrial espionage seeking the theft of sensitive data and intellectual property, and not in the destruction of information systems or the information resident on them.
From this perspective, 2.0 may be a more important resource than its predecessor. Being able to codify these below-war cyber acts of malfeasance is essential as governments struggle to identify – and agree upon – international “state norms of behavior” in cyber space.
Inclusion of Russia and China
Currently countries like China and Russia, an as well as the United States have been trying to build coalitions and gain consensus by promoting their versions of what a code of conduct might look like. Although there has been no global consensus reached as to what acceptable state behavior entails, there is evidence indicating that such an agreement could have positive impacts of state cyber activity. Once China and the United States agreed to not conduct cyber espionage for commercial gain, there was a noticeable reduction in the volume of suspected Chinese-based hacking activity, so much so that one prominent security vendor blamed its low stock value on it.
The inclusion of experts from countries such as China and Belarus during the Tallinn 2.0 process likely provided different, and perhaps opposing, viewpoints from the largely other Western participants. This is the type of representation that is needed to properly address the complexities inherent in cyberspace, particularly from those countries/governments that may not view certain cyber acts in the same light, or with the same gravity.
Hopefully, the next time around, the framers of this important document will include more non-Western participants into the group to better balance out this engagement. Taking into account different cultural and regional considerations can provide opportunities in finding common ground, a necessary precursor to establishing a more formalized international cyber norms of behavior. And this may ultimately be why Tallinn 2.0 may be the more successful of the two documents – because it not only addresses the non-destructive cyber activity that every country faces, but it also compels state thought as to how to respond to it.