
The Tallinn Manual as an international event

Lauri Mälksoo
The era of cyber conflicts could perhaps be compared to the days when America had just been
discovered and warships, pirates and buccaneers from various countries sailed into the Caribbean
Sea. One of the differences with the 16th century is that one of the vessels trying to bring about
order in the ‘cyber-sea’ of today is sailing under the Estonian tricolour flag – blue, black and white.

Michael N. Schmitt (Editor). Tallinn Manual on the International Law Applicable to Cyber Warfare.
Cambridge University Press, 2013. 300 p.
As long as the opportunities for the small states to gain the attention of the rest of the world
with something constructive and memorable remain relatively limited, the small states have to
pick wisely on which internationally relevant endeavours they spend their limited resources. As is
well known, Estonia has chosen the Internet and cyberspace as one of the main issues of its
politics and is one of the proponents of openness on cyber issues. However, cyberspace also
conceals in itself dangers, some of the most serious of which are cyber wars and cyber-attacks.
What are they and what kind of law with which limitations should apply to this modern
phenomenon?
In March 2013 the Cambridge University Press published the Tallinn Manual on the International
Law Applicable to Cyber Warfare, henceforth referred to as the Tallinn Manual.1 This was a result
of the collective work of a group of experts led by professor Michael Schmitt from the United
States Naval War College. Institutionally, however, the project was backed and commissioned by
the NATO Cooperative Defence Centre of Excellence (NATO CCD COE), established in 2008 and
located in Tallinn, which has made the book electronically accessible to all the interested
parties.2 This is a praiseworthy decision and reflects the policy of open access to research funded
by tax money, which is becoming more and more common across Europe. However, the authors
of the project stress their independence as experts during the completion of the work and they
do not want the views presented in the Manual to be attributed to the Cooperative Defence
Centre, its sponsoring nations, or NATO (p. 11).
In many ways, that project is not so much an ordinary research paper on international law as a
remarkable international event. The aim of this article is to shed some light upon the background
and topic matter of the Tallinn Manual, and to consider how the authors have succeeded in their
goal of working out all the main points of international law applicable to cyber warfare. This is a
particularly intriguing endeavour with Edward Snowden’s revelations regarding the United
States’ PRISM programme unfurling before our eyes over this summer. Likewise, South Korea
recently announced that it blames North Korea for the cyber-attack perpetrated in June 2013
and directed against the websites of the South Korean government and media. Therefore there
is no reason to doubt the continuing relevance of the issue of cyber conflicts.
The Tallinn Manual, Estonia and ‘Eastern Europe’
The publication of the manual is important for Estonia in the sense that possibly for the first time
during the existence of the Republic of Estonia, the name of its capital was brought to the
mental world map of international law with a purposefully accomplished project. Vienna, The
Hague, Geneva, New York, even Helsinki – we must admit that until now, Tallinn has been largely
missing from this list of places important to international law. In order to fully comprehend the
importance of the event, historical perspective must be considered. It has been almost a century
since in 1919 the delegation of the newly founded Republic of Estonia travelled in the leading
countries of Europe to demand their recognition of Estonia, with Ants Piip for example arguing in
London in front of the members of the Grotius Society as to why Estonia as a country, based on
international law, deserves membership in the international community.3 I should like to think
that the publication of the Tallinn Manual in 2013 is one piece of evidence that proves that
Estonia as a state has really arrived in the international community. At the same time, this
manual is a sign for Estonia of a certain maturity as a state. Mature states do not focus
egotistically on their own affairs, instead trying to contribute to solving the problems of the
international community as a whole. One of the expressions of such maturity is readiness to help
ponder over the type of challenges such as cyber wars and cyber conflicts which international
law is facing.
It is true that the critical reader may perceive that in the scientific project at hand Tallinn is not
so much an independent actor as a base camp for our larger allies. The legal experts that wrote
the Tallinn Manual have distinctly American and Old European backgrounds. One gets the feeling
that within the context of this project, the Estonians have more or less been reduced to the role
of compères. Some circles have already expressed criticism: why did the project not involve legal
experts for example from China or the Russian Federation?4 At this point, one must consider the
genesis and the background of the NATO Cooperative Defence Centre. Since Estonia suffered
from cyber-attacks arguably orchestrated from the Russian Federation during the riots of April
2007, the manual serves as an analytical reply from Tallinn (and not only Tallinn, but also the
other NATO partners who support the CCD) to those and other cyber-attacks that have occurred
in the world after that and which may have been sanctioned on government level.
Let the Chinese and the Russians themselves worry about being represented in the legal debate
concerning cyber warfare. The author of this article noticed that there was a complete lack of
scientists from the former Warsaw Pact countries among the legal experts partaking in the
project. It seems that despite there being a NATO competence centre in Tallinn, the leaders of
the project seem to think that there is not much competence in international law in the area.
Even if we excluded the Baltic states – was it really impossible to find top-level legal experts from
Poland, Hungary, the Czech Republic or Slovakia who could have had a say on the topics of the
legality of the use of armed force, international humanitarian law, and the responsibility of the
state?

I think that some fault lies with the diplomatic corps of the post-communist states that support
the CCD – they should have been more help to the American experts in forging contacts and they
should have found somebody like Pavel Šturma, Władysław Czapłiński or perhaps from the
younger generation Marko Milanovič, Rain Liivoja or Dainius Žalimas to participate in the drafting
of the cyber manual. Regardless of the moniker of universality, the practice and the analysis of
international law have often been criticised for still being controlled by the West5, to the core of
which the Baltic states and possibly the entire so-called Central and Eastern Europe still cannot
help but remain peripheral. Even this very project can thus acquire a certain neo-imperialist
aftertaste, because both the centre and the periphery have been cast in their traditional roles.
Decisions regarding personnel cannot help but influence the content of the outcome in some
details – for example, during the drafting of the project only four countries’ military manuals
were regularly referenced – those from Canada, Germany, the United Kingdom and the United
States of America (p. 8). There is a clear problem of representativeness here and this pattern
follows the arrogant practice criticised by Onuma Yasuaki where the ‘rule of international law’
has been derived from the practice of some leading Western countries.6 Professor Michael
Schmitt has expressed astonishment that the main conclusions of the Tallinn Manual are largely
congruous with those of the United States government7, a fact that Harold Koh from the United
States State Department revealed in his programmatic speech. Given the context above,
however, is it really so ‘astonishing’?
We must, however, have good faith and understand that the Tallinn project was completed in
three years, which in the case of a large-scale collective scientific project is a short time rather
than long, and therefore there was certainly not enough time to consider all the existent
information and to present all the viewpoints. Nobody is forbidding other countries from starting
their own science projects or telling the scientists who were not invited to Tallinn not to write
and express their opinions.
Regardless of the criticism as presented above, the publication of the Tallinn Manual is still a very
positive event for Estonia. The fact that the ‘sprat-can silhouette’ and its forward-looking topic
found its way into the body of literature on international law – among the San Remo and
Harvard manuals and other well-known manuals in the humanitarian law – will without a doubt
create new opportunities for our scholars of law and social sciences in the future.
The main ideology of the Tallinn Manual
The main tenet of the Tallinn Manual is as follows: cyber warfare is governed by international
law already in force, particularly the rules that regulate the commencement of an armed attack
(jus ad bellum, UN charter, mostly effective since 1945) and the rules that regulate the conduct
of armed conflict (jus in bello, including for example The Hague Convention of 1899 and the
Geneva Convention of 1949, the latter with the 1977 amendment protocols).8 Cyber warfare
does not therefore exist in a legal void where until now ‘anything goes’ and which has yet to be
filled with international law. The general stance of that tenet is reminiscent of the Martens Clause,
formulated within the context of the 1899 international military law.9 As such, the expert group
who worked for the Cooperative Defence Centre reflects and develops the United States 2011
strategy on international cyberspace: ‘The development of norms for State conduct in
cyberspace does not require a reinvention of customary international law, nor does it render
existing international norms obsolete. Long-standing international norms guiding State
behaviour – in times of peace and conflict – also apply in cyberspace.’ (p. 3)
The main point of the manual is that customary and well-known rules of international law have
been applied to and interpreted in the context of cyber conflicts between states. This resulted in
95 rules of international law with commentaries, which according to the expert group should
apply to cyber-attacks that cross the threshold of using armed force.
For example, states that consider cyber operations must take into account that a cyber-attack
may constitute a violation of the clauses of the UN Charter regarding the use of force and an act
of aggression against another state, which may be retaliated against with armed self-defence or
after which the UN Security Council may authorise the use of force in the name of the
international community. While planning and executing a cyber-attack the state will also have to
consider the requirements of international humanitarian law such as the obligation to
differentiate between civilian and military objects and people while carrying out the operations.
In other words – essentially the same limitations of international law apply to both cyber-attacks
and attacks conducted with kinetic weapons.
In order to understand what the Tallinn Manual constitutes one must understand what it
explicitly is not. The Tallinn Manual examines the international law governing ‘cyber warfare’,
thus not addressing in detail such cyber activities that occur below the level of a ‘use of force’ as
stipulated in the UN Charter, such as cyber criminality (p. 4). For example, the project
examined the legality of cyber intelligence activities only as they relate to the jus ad bellum
notions of ‘use of force’ and ‘armed attack’, or as relevant in the context of an armed conflict
governed by the jus in bello (p. 4). The Manual admits that cyber espionage, theft of intellectual
property, and a wide variety in cyberspace pose real and serious threats to all states, as well as
corporations and private individuals, but it is not the aim of this Manual to address such matters
(p. 4). A news article on the website of the NATO CCD COE states however that the expert group
will undertake a follow-up study in order to carry out a more detailed analysis of such cyber-
attacks that stay below the armed attack threshold in the sense of the UN Charter.10 For
instance, it will be interesting to see how the expert group will characterise the recently revealed
information that the United States has extensively spied on the diplomats of the European Union
among others. Can it be that the activity will be classified as an act of cyber criminality illegal
under international law, regardless of it remaining below the threshold of the Article 2 section 4
of the UN Charter?
Application by analogy of the current international law in the context of cyber-attacks and
conflicts is the only possible way at the moment, because there are no other fundamental
treaties of international law on the horizon to regulate that realm. The expert group’s aspiration
to avoid legal anarchy in cyberspace is laudable in every respect. There are, however, some
aspects that make me worry over the legal characterisation of cyber-attacks.
One of those is the problem of attribution – at least until now the organiser of cyber-attacks has
been more difficult to determine than the perpetrator of kinetic attacks. The schemes that exist
in international law – such as the state’s responsibility for its unlawful acts – can only be applied
when the act is unequivocally attributable to a certain state.
Another tricky aspect is the blurring of the lines between state and non-state actors –
representatives of the state can delegate the perpetration of an attack to non-state actors and
the latter have obtained the independent ability to commit cyber-attacks.
Third, technological development and the specialisation of public bodies means that states no
longer necessarily speak in a ‘single voice’. This means that for example the messages from the
foreign ministry, the armed forces and the intelligence may not be exactly congruous in a conflict
situation, which points to a certain fragmentation of state practice. In this case, what constitutes
a ‘state’ or its behaviour?
Fourth, states are beginning to sense that international law applies even in the world of cyber-
attacks only when powers emerge who are ready to enforce international law in cyberspace –
using armed force if necessary. So far it is unclear whether such powers exist, because even
those nations who have traditionally undertaken such work (for example the United States during
the 20th century) themselves test the boundaries of the acceptable and the unacceptable.
The fifth and probably the most important point is that cyber operations have the potential to
further blur the disputable boundary between using armed force and a situation that does not
qualify as using armed force.
In Russia, some have reasoned that the fact of the publication of the Tallinn Manual could be
potentially dangerous.11 According to the Russian media, the official position of the Russian
Federation is that the use of cyber weapons in international relations should be outright banned.
Within that context, Moscow states that the Tallinn Manual may help further legitimise cyber
warfare as such.12 In order to understand Moscow’s position one needs to begin with the fact
that a cyber weapon is surely more ‘democratic’ and easily obtainable than nuclear weapons
(which Russia legally has, but the majority of the states do not). Therefore, cyber wars are
strategically dangerous to Russia, since they can diminish the differences between military
capacities of Russia and other states, while Russia can only control its vast territory thanks to a
functional deterrent.
It is actually unclear whether Russia has in fact anything material to say against the rules of
international law as stipulated in the Tallinn Manual, the more so that the Tallinn Manual has
really been written in the spirit of the Russian scholar of international law (and an ethnic
Estonian) Friedrich Martens (1845–1909) and his famous Clause. It may well be that Russia is
jacking up its price by ostensibly presenting ideological reservations and is insinuating to the USA
– as it often tends to do – that there must be no considering of the reinterpretation of old/new
rules of international law without Russia’s involvement in the matter.
Echoes of the 2007 cyber-attacks
If one were to read between the lines in the Tallinn Manual, one would find that the state or its
agents that ordered the cyber-attacks perpetrated against Estonia in 2007 may have committed
an unlawful act under international law regardless of the fact that it was not an armed attack in
the sense of the UN Charter. The Charter, ratified in 1945, includes the concepts of ‘armed
attack’ (Article 51) and ‘use of force’ (Article 2 Section 4) and the authors of the manual are of
the opinion that the web attack against Estonia cannot be characterised as either (p. 58). Caution
must thus be advised if one were to talk about ‘cyber warfare’ – an event may not be classified
as such in the technical sense of international law. The authors of the manual opine that no such
cyber-attack that could unequivocally be classified as ‘armed attack’ in the sense of the UN
charter has actually taken place in the world (pp. 83–84). Only the Stuxnet worm that wreaked
physical havoc in Iran in 2010 was viewed by some members of the expert group to be
potentially an armed attack in the sense of the UN Charter (p. 58).
What about the legal characterisation of those cyber operations that do not cross the armed
attack threshold of the UN Charter, such as happened to Estonia in 2007? That will be the issue
that the expert group will tackle next, but that will presumably be an even tougher nut to crack
than the discussion about those cyber-attacks that can be characterised as armed attack.
In this regard, the manual gives some insights into the way of thinking of the expert group. Even
though such operations may not be classified as armed attack in the sense of the UN charter,
they may still be unlawful. For example, let us take the fifth rule as formulated by the authors: ‘A
State shall not knowingly allow the cyber infrastructure located in its territory or under its
exclusive governmental control to be used for acts that adversely and unlawfully affect other
States.’ (p. 26) The experts add that this rule covers all acts that are unlawful and that have
detrimental effects on another state. The term ‘unlawful’ was chosen deliberately as the expert
group did not want to limit the prohibition to narrower concepts, such as the use of force or
armed attack (p. 27).
The tenth rule is also relevant: ‘A cyber operation that constitutes a threat or use of force against
the territorial integrity or political independence of any State, or that is in any other manner
inconsistent with the purposes of the United Nations, is unlawful.’ (p. 43) For example, the
expert group thinks that a cyber operation may constitute a violation of the prohibition on
intervention (p. 44). In regards to Edward Snowden’s revelations it is interesting to note that the
Tallinn Manual reasons that cyber espionage lacking a coercive element does not per se violate the
non-intervention principle. The experts are also of the opinion that mere intrusion into another
state’s computer systems does not violate the non-intervention principle, even where such
intrusion requires the breaching of firewalls or the cracking of passwords (p. 45). Cases of
coercion (as an element of unlawful intervention) include the manipulation of elections,
manipulation of online news, paralysation of one political party, but according to the experts, not
every form of political or economic interference violates the non-intervention principle (p. 45).
Such conclusions reflect the interests of the states that are technologically most developed and
most capable and one may presume that they may encounter quite sharp opposition outside the
Western world. In this sense, even the authors of the Tallinn Manual are unable to escape the
interpretational differences regarding the UN Charter that arose between the authors from the
West and the rest of the world already during the Cold War – the Western countries have been
somewhat more lenient towards use of force and intervention than the others.13
Final assessment
The Tallinn Manual should be thought of as a normative opening shot in the legal
characterisation of cyber operations and attacks, not as the definitive final note on the issue. It is
understandable that this opening shot should come from the scholars of international law from
the United States and its close allies. Wilhelm Grewe (1911–2000), the German diplomat and
historian of international law, has dubbed the era that began with the end of World War I and
has probably continued until today the United States epoch of international law.14 As a leading
formulator of contemporary international law, the United States has a natural interest towards
normative establishment of its will and way of thinking in the realm of cyber conflicts as a realm
of the future.
However, the realm of cyber wars – both in the sense of the UN charter and in the wider,
metaphorical sense – illustrates well how the limits of the laws of the justifiability of the use of
force (jus ad bellum) and the classical laws of war (jus in bello) have been put to the test again.
Both the non-violence clause and the limits of engagement of the UN Charter may be subjected
to further pressure by all kinds of cyber-attackers. At the same time, the line between an armed
attack and activities that cannot be qualified as such may also be blurred even more. Why even
start a cyber war when privileged cyber intelligence data already tells you what your enemy is
thinking, planning or pining for? Even Snowden’s revelations about the American PRISM
programme are bound to make one arrive at the conclusion already articulated by Sun Tzu in his
‘Art of War’: war itself is the last and least preferred way to impose your will. If you can be
victorious by other means, you should. This probably applies to cyber wars as well.
The rules of international law that have been adapted to cyber warfare in the Tallinn Manual
serve as a warning and an admonishment to the states, but they will only ever be obeyed if the
Great Powers themselves set a positive example. The way the states behave today, however, is
not very reassuring. Has anybody taken responsibility for the 2010 worm Stuxnet? Based on
Grewe, we are witnessing the birth of a new era and vast bets are placed on the international
law of tomorrow – in the cyber world, but not exclusively. Decks of cards are being reshuffled
and the rules that were formulated today may not apply tomorrow. If we were to go back in
time, then the era of cyber conflicts could perhaps be compared to the days when America had just
been discovered and warships, pirates and buccaneers from various countries sailed into the
Caribbean Sea and it was not always easy to tell them apart. One of the differences with the 16th
century is that one of the vessels trying to bring about order in the ‘cyber-sea’ of today is sailing
under the Estonian tricolour flag – blue, black and white.
What Tallinn Manual 2.0 Teaches Us About The New Cyber Order

Yesterday marked the inaugural launch event for the release of the second version of
the famous Tallinn Manual on the legal landscape of cyberwarfare. Appropriately
named “Tallinn Manual 2.0: International Law Applicable to Cyber Operations,” the
new book offers a fascinating look at how far the cyber threat landscape has evolved
in the less than half a decade since the first version’s release in 2013, shifting the focus
from conventional state-authorized and operated cyber warfare to the small-bore
deniable cyber activities that form the majority of day-to-day cyber attacks today.
It is notable that in just four years the book’s title has changed from referring to
“cyber warfare” to “cyber operations,” reflecting that in today’s world cyber attacks
most commonly fall beneath the threshold at which international law would typically
declare them to be a formal act of war.

As the book’s authors put it “the focus of the original Manual was on the most severe
cyber operations, those that violate the prohibition of the use of force in international
relations, entitle states to exercise the right of self-defence, and/or occur during
armed conflict,” while the new version “adds a legal analysis of the more common
cyber incidents that states encounter on a day-to-day basis and that fall below the
thresholds of the use of force or armed conflict.”

Indeed, Michael Schmitt, chairman of the U.S. Naval War College International Law
Department noted that the alleged Russian hacking of the DNC during the 2016 US
presidential campaign was “not an initiation of armed conflict. It’s not a violation of
the U.N. Charter’s prohibition on the use of force. It’s not a situation that would allow
the U.S. to respond in self-defense militarily.” In short, it is precisely the kind of “cyber
operation” that will come to define the coming decade.

The manual itself is essentially a massive 642 page narrative on the legal landscape of
cyber today as seen through a global (though decidedly Western) lens. It presents a
myriad of legal questions that commonly arise in cyber operations and discusses the
current state of international law and how it might apply to each given scenario. In
many cases its panel of drafters were unable to reach a consensus, illustrating the
complexities and vagaries that still plague the cyber world.

Given the public prominence of cyber espionage in the era of Edward Snowden and
Wikileaks, the Manual explores the legality of the kinds of methods employed by the
NSA and finds on page 170 that its panelists “were incapable of achieving consensus
as to whether remote cyber espionage reaching a particular threshold of severity
violates international law.”

The Manual also explores on the following page the legality of actions such as one
nation hacking into a nuclear power plant in another nation and essentially holding it
as a cyber hostage, threatening to cause the plant to go critical and kill large numbers
of people unless the nation withdraws from an unrelated conflict, finding that
this would constitute a violation of international law. This is particularly noteworthy in
that under the former administration, the US government announced precisely such
plans, making special mention of holding hostage or triggering meltdowns in nuclear
power plants to affect civilian populations.

In one intriguing discussion on page 521, the Manual theorizes about the future
incorporation into military practice of the Internet’s ability to humiliate and harass.
For example, could a POW camp strip prisoners naked, photograph them in
humiliating poses and then publish those images publicly and share them far and
wide? What about forcibly interrogating them for their social media, medical, financial
and other login information and downloading and republishing that material? Or using
their forcibly obtained social media logins to deceive their friends and contacts (who
likely would not know they had been captured) into divulging sensitive and damaging
information, such as requesting a nude photograph from a spouse, that is then
republished online? The end result would be that even long after the war was
concluded those soldiers and their families would be subject to eternal harm.
The authors interpret traditional Geneva Convention protections for prisoners of war
in the cyber era and suggest that it is expressly prohibited to publish on the Internet
humiliating or degrading information gathered from the prisoners or imagery taken of
them in confinement. Specifically, “Prohibited cyber actions include posting
defamatory information that reveals embarrassing or derogatory information or their
emotional state. This would embrace, for example, posting information or images on
the Internet that could be demeaning or that could subject prisoners of war or
interned protected persons to public ridicule or public curiosity.” In addition, the
detaining nation must also “guard against intrusion by public and private actors into
the communications, financial assets, or electronic records of prisoners of war or
interned protected persons.”

This situation most famously arose in 2004 with the publication of the Abu
Ghraib photographs and again a year later when US military sources released to the
international media partially nude photographs of Saddam Hussein taken while he
was in US custody. In both cases the images spread virally and were widely
republished by mainstream news outlets throughout the world, creating a permanent
record of these individuals in their most intimate moments forever preserved on the
Internet and profiting those outlets that published them by driving intense revenue-
generating traffic to their sites. One can only imagine how far such images would
spread in today's social media saturated world.

Governments must also physically separate the data they collect on prisoners from
the rest of their military plans in anticipation that their computer networks may
themselves become legitimate military targets: “Feasible measures must be taken to
protect personal data relating to prisoners of war and interned protected persons
from the effects of cyber operations, for example by being stored separately from
data or objects that constitute a military objective.”

The concept of “cultural property” and the digitization of physical artifacts receives
attention as well. In the past, destroying the cultural heritage of a nation or peoples
could deny them a critical connection to their past. In today’s digital world, that
heritage is increasingly being digitized meaning that even if the original photograph,
statue, building or other work is destroyed by occupying military forces, the item will
live on as a digital memory. What happens then when militaries begin specifically
targeting that digital heritage, launching purposeful attacks designed with the primary
intent to locate and delete all digital replicas of an important cultural artifact?

The Manual also touches on the frightening emerging world in which our most
intimate details from our medical conditions to our sexual preferences to our very
genetic makeup are digitized and available in vast searchable databases. Towards this
end, the authors state “the use of digitised historical archives regarding a population
to determine the ethnic origin of individuals with a view to facilitating genocide,
crimes against humanity, or war crimes is clearly unlawful.” This further raises the
question of a future in which governments or private organizations could hack into
such databases to compile lists of “undesirables” and then humiliate and harass them
from afar while remaining anonymous and beyond the reach of law enforcement.

Strangely, in spite of the rapidly evolving world of deep learning and autonomous
warfare, the manual focuses primarily on a cyber environment populated by human
actors and spends little time on the legal questions of fully autonomous cyber
weapons that can make decisions entirely on their own and how those might fit into
the concept of international law.
Putting this all together, this latest edition of the Tallinn Manual offers a fascinating
glimpse at how far the cyber world has come in the half decade since its last iteration.
Yet in envisioning the future of cyber operations over the coming years, it also paints
a frightening nightmarish dystopia of how warfare is evolving from the tidy confines of
the declared battlefield into an unbounded landscape in which anything and
everything is likely to become fair game, from blowing up nuclear power plants to
posting medical records online. Of course, in the real world, only the losing side of a
war is subject to the penalties of international law and so a book like the Tallinn
Manual will always have limited deterrence effect. However, by sketching out the
frightening contours of the new cyber world, it should at the very least get
governments thinking about how to better defend themselves in this brave and
frightening new dystopia we live in, where war knows no borders.
