This past week, the NATO Cooperative Cyber Defense Center of Excellence put on its annual Cyber Conflict conference in Tallinn, Estonia. The conference boasted a number of experienced cyber-hands, including Adm. Mike Rogers, DefCon founder Jeff Moss, and law of armed conflict expert Mike Schmitt.
One of the most interesting sessions, which included a presentation by Mike, focused on aspects of the Tallinn Manual versions 1.0 and 2.0. Version 1.0, produced by an independent group of experts, came out in 2013. It proffered what the experts saw as current black letter law on jus ad bellum and jus in bello rules relevant to cyber operations. The Manual includes both crisp articulations of the rules and more extensive commentary setting out the legal basis for the rule and any differences that arose among the experts. Version 2.0 picks up where Version 1.0 left off, and will set forth the experts’ views on what international law applies to cyber activity that falls below the level of armed conflict or the use of force. Mike previewed some of the topics that 2.0’s group of experts will discuss, including customary rules related to sovereignty. As Mike notes, sovereignty is not simply a factor restricting a state’s activities in other states’ territory. It also is the basis for states to regulate and exercise jurisdiction within their territory over people, hardware, and cyber operations. One challenge for the experts will be to achieve consensus on what types of activities by one state violate another state’s sovereignty: what level of damage, intrusion, or alteration of data suffices? Other norms up for discussion relate to due diligence obligations by states to stop actions that produce adverse consequences for other states, and the applicability of state responsibility (including counter-measures and the use of “necessity” arguments). Tallinn 2.0 has the potential to be even more influential than Tallinn 1.0, because it systematically will address activities that are far more prevalent in the cyber realm than uses of force or armed attacks.
Bill Boothby, a former Deputy Director of Legal Services for the UK Royal Air Force, then provided a retrospective look at Tallinn 1.0. Mike Schmitt had asked Bill to review all of the literature that offered reviews or critiques of Tallinn 1.0, to assess whether to consider certain modest amendments to the Manual’s commentary (though not to its black letter rules) or to take up certain issues that Tallinn 1.0 did not cover. Bill assessed that there has been huge interest in the Manual since it came out, but that the Manual reflected “all reasonable positions” on the issues it took up and that there were only a few amendments worth pondering. In particular, Bill wondered whether the definition of what constitutes a “cyber attack” might need to expand to include “major disruptions” that nevertheless do not produce physical harm to the affected state. He also asked whether the jus in bello rule on precautions was ill-suited to cyber, given that states utterly have failed to segregate their military cyber infrastructure from civilian cyber infrastructure.
Finally, Prof. Huang ZhiXiong, a professor at Wuhan University, provided comments on the jus ad bellum section of Tallinn 1.0. Some readers may be familiar with Chinese views on cyber and international law (and of course Prof. Huang’s view does not represent an official Chinese position). Nevertheless, Huang’s presentation was edifying, both about the Chinese perspective on cyber jus ad bellum and on jus ad bellum rules more generally. First, he sought to raise the bar on what activities in cyberspace constitute a use of force. Huang thought that Tallinn 1.0 artificially suggested a consensus about what activities would constitute a use of force. In his view, the Tallinn factors relevant to evaluating when a cyber activity rises to a use of force (which include severity, directness, and invasiveness) are too malleable and the bar for what activities are uses of force should be higher.
Second, he sought a higher bar than Tallinn 1.0 sets for when a state may invoke the right of self-defense. In his view, a state does not have a right of self-defense against attacks by non-state actors, nor does a state have the right of self-defense against an imminent attack. These assertions made me wonder whether some of the difference in position between Huang and Tallinn (and states such as the United States) is due to linguistic nuance. (Surely China does not believe that it must suffer a blow before having a right to respond. And surely China would at least contemplate the use of military force to defend itself against an attack by a well-organized group such as ETIM launched from neighboring Kazakhstan.) In his view, cyber operations that will trigger a right of self-defense will be exceptional.
Third, Huang sought to push the discussion about cyber and international law out of the military realm more generally. He expressed a concern about the militarization of cyber security policies, citing the 2011 U.S. International Strategy for Cyberspace and the Tallinn Manual itself as furthering that paradigm. Of course, Tallinn 2.0 will focus on sub-uses of force, which presumably will be to Huang’s liking. He also worried about the ready translation of existing international law to the cyber arena, arguing that much about cyber is unique. Finally, he bemoaned the purely Western perspective brought to the drafting of Tallinn 1.0, which failed to include non-Western states such as China or Russia. This, I think, reflects an understanding that the Tallinn Manuals will be very influential in the long term in shaping the direction of international law in the cyber area.
A few takeaways: Huang’s perspective clearly was consistent with a Chinese interest in actively engaging in robust cyber operations without wanting to trigger a military conflict. His comments also suggested the possibility of narrowing certain (though by no means all) differences through more extensive dialogue, whether in a track 1 or track 2 format.
The intense interest in developing clearer international norms to regulate different facets of cyber activity is running up against two hard facts. The first is that some states, especially those with sophisticated cyber capacities such as the United States, are content to state at a general level that they will apply existing, general international rules to cyber. But these states have limited incentives to reveal in any detail HOW they apply those norms. The second is that the major cyber players (Russia, China, and the United States) remain on different conceptual pages on how to proceed. As a result, states are surrendering pride of place in the dialogue about new norms. (Mike Schmitt and Sean Watts have made a similar observation in a recent piece, which bemoans the extent to which the input of non-state actors such as NGOs and scholars on the development and interpretation of IHL outpaces that of states.) This means that products such as the Tallinn Manuals – and the ICRC Customary International Humanitarian Law Study that came before them – garner extensive (and possibly over-weighted) attention because they do what states lack the time, energy, and will to do themselves.