In the last 10 years cyber attacks on states, non-state actors and civilians have shown to be a powerful weapon to create serious havoc and disruption. Cyberwarfare could be considered as a serious threat to peace and security, leaving states, non-state actors and individuals in a vulnerable position due to a lacking legal framework to regulate this type of warfare.
In order to tackle the problem of the missing framework applicable to cyberwarfare, in 2009 the CCDCOE, a NATO-accredited research and training facility in the field of cyber security, asked legal experts, practitioners and technical specialists to create a non-binding manual that would apply existing international law norms to cyberwarfare.
The Cyberwarfare Manual was intended to be used as a "reference tool for States in the planning and executing of cyber operations, as well as fashioning responses to harmful cyber operations" . Even though the Manual is considered as a non-binding document, it could be considered as legal doctrine, as customary international law, and therefore States are bound by the Rules contained in the Tallinn Manual .
This manual, which is also known as the Tallinn or Cyber Warfare Manual, is only concerned with the use of cyber operations in (international and non-international) armed conflict. In other words, the manual does not cover the scope of cyber security outside armed conflicts. The Tallinn Manual focuses both on jus ad bellum and jus in bello.
On 3 December 2014, the T.M.C. Asser Instituut, in cooperation with the Netherlands Ministry of Defence, the Gerda Henkel Stiftung and the University of Amsterdam, organised a conference on the Tallinn or Cyber Warfare Manual. At this conference legal researchers and practitioners critically discussed and assessed the Manual. The attendants could engage with the legal specialists who were involved in the drafting of the Manual. A few examples of legal experts who were present at the conference are prof. Terry Gill, Prof. Michael N. Schmitt and dr. Louise Arimatsu.
Prof. Terry Gill (University of Amsterdam and Netherlands Defence Academy) started the conference with an interesting outline about the coming into existence of the Tallinn Manual and several legal issues that had to be dealt with while drafting the Manual. He is one of the experts who was responsible for the creation of this Manual. He noted that the Manual is only concerned with a small part of cyber security; cyberwarfare and cyber threats are only the "tip of the iceberg". The Manual does not deal with other cyber security issues such as cyber espionage and cyber sabotage.
The conference was split up in three sessions. After each session there were lively discussions about the question how existing law can be applied to cyber threats. Also some comments were made about how to improve the Tallinn Manual.
The first session was concerned with jus ad bellum and the Tallinn cyber warfare manual. The panellists were Lianne Boer LL.M. (VU University Amsterdam) who spoke about the prohibition of the use of force, Prof. Nicholas Tsagourias (University of Sheffield) who discussed the Tallinn Manual in the light of self-defence and Remy Jorritsma LL.M. (Maastricht University) who considered the Manual from the perspective of actions of international governmental organisations.
During the second session the Tallinn cyber warfare manual was looked at in the context of jus in bello. Panellist Dr. Robert Heinsch (Leiden University) talked about the law of armed conflict and the Manual in general. The second panellist, col. ir. Hans Folmer MSS CISSP (Task Force Cyber, Netherlands Ministry of Defence) approached the Manual from a more practical perspective by lively discussing cyber operations from a military defence perspective. According to Col Folmer a cyber operation is no "golden bullet"; a cyber operation is only one means of warfare used during armed conflict. He does not consider warfare in cyberspace in itself to be enough to win a war. The third panellist, dr. Louise Arimatsu (Chatham House) discussed the Manual in relation to the conduct of hostilities (attacks).
The last session was concerned with the future of the Cyberwarfare Manual. Panellist col. dr. Paul Ducheine (University of Amsterdam, Netherlands Defence Academy and Netherlands Army Legal Service) discussed Tallinn 1.0 and its practical implications. Liis Vihul (NATO Cooperative Cyber Defence Centre of Excellence), project manager of the Tallinn Manual, spoke about the follow-up of the Cyberwarfare Manual, the Tallinn 2.0 process. Prof. Michael N. Schmitt (United States Naval War College and University of Exeter), expert concerned with the coming into existence of Tallinn Manual, ended this session with a lecture about the future of cyber warfare.
Overall it was an interesting and valuable conference. The law related to cyberwarfare and cyber threats is still in its infancy and a fitting applicable international legal framework is still in the making. International law constantly evolves. Even though the Tallinn Manual was intended as a non-binding legal reference manual, it has already had an important impact both on academia and on policy, stirring up the debate about cyber law. Further debate and research will help with further shaping the legal framework applicable to cyber security and cyberwarfare.
A selection of relevant publications from the Peace Palace Library collection
- Schmitt, M.N. (ed.), Tallinn Manual on the International Law applicable to Cyber Warfare: prepared by the International Group of Experts at the Invitation of the NATO Cooperative Cyber Defence Centre of Excellence, Cambridge, Cambridge University Press, 2013.
- D. Fleck, Searching for International Rules Applicable to Cyber Warfare : a Critical First Assessment of the New Tallinn Manual, Journal of Conflict & Security Law, 2013, Vol 18, issue 2, p. 331-351.