This week marked the release of Tallinn Manual 2.0 on the International Law of Cyber Operations, the result of the follow-on project to the one that led to the publication of the Tallinn Manual on the Law of Cyber Warfare in 2013. The culmination of the project will be marked by events in Austin, Washington, The Hague, Tallinn, and Canberra. If the experience of publishing the first manual is any indication, confusion over its purpose and substance is soon to follow. For instance, the original manual was labeled “NATO doctrine,” which it was not, and inaccurate headlines like “NATO-Commissioned Report Says Killing Hackers Is Basically OK” (the manual said no such thing) proliferated.
With that lesson learned, this post is intended to get out ahead of the story as to what Tallinn 2.0 is, and what it is not, as well as a guide for how it should be used. First, some basics as to the process behind creating the manual are necessary. The NATO Cooperative Cyber Defence Centre of Excellence, which is not a NATO organization despite its name, commissioned the project. The Centre is simply accredited by NATO, meaning it provides training, education, and research in support of the NATO mission. Rather than being doctrine, the manual is an analysis of how international law applies to cyber operations in the view of 19 members of the so-called “International Group of Experts” (IGE). These are experts from around the world, all acting in their personal capacity.
In this regard, Tallinn 2.0 does not reflect the views of any State or group of States. The IGE worked assiduously to be objective. This is not to say that State views were not considered. On the contrary, the Dutch Ministry of Foreign Affairs sponsored “The Hague Process,” by which 50 countries (including all of the UN Security Council’s five permanent members) and international organizations convened in The Hague during three meetings to consider draft manual chapters, receive briefings from key members of the IGE, and offer verbal and written input to the team.
The IGE was not bound by the input, but to the extent it represented reasonable interpretations of the law, Tallinn Manual 2.0 acknowledges it in the manual without attribution to the State(s) concerned. At times, the arguments of States did sway the views of some members of the group. Indeed, the U.S. State Department representative identified a basic error the IGE had made, thereby motivating an important rewrite of one of the chapters. In addition to these sessions, representatives of the group had an opportunity to brief the UN Group of Governmental Experts (GGE) (one expert was on a national delegation to the GGE) and the North Atlantic Council. Therefore, while the manual does not necessarily reflect the views of any State, any claim that the work was authored in the isolation of an ivory tower would fall far from the mark.
It would be equally inaccurate to suggest that Tallinn Manual 2.0 is the product of only the IGE’s members. In addition to State engagement, sections of the manual were sent out to over 50 expert peer reviewers from every continent for comment. Further, the analysis of the IGE was vetted at numerous conferences, including ones in which the private sector was well represented.
The Manual consists of two types of text. “Black letter rules” required unanimity and are meant to reflect lex lata (the law as it exists), not lex ferenda (what the law should be). They constitute restatements of the law and, given the requisite unanimity, are broadly drafted. Rule 2 on internal sovereignty is illustrative: “A State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.” This is hardly a normative epiphany.
The heart of the Manual is instead in its commentary. It is here that a rule, its terminology, and the legal rationale for finding that it represents lex lata are set forth. Just as important in the commentary is the discussion of the various opinions among the IGE as to the application of the rule and its interpretation. Although all members concurred in the text of a Rule, they sometimes differed over its meaning in particular circumstances. This was indicated in the commentary as follows: 1) split opinion (roughly equal division); 2) a majority/minority division (clear division); 3) a “few” held the view (one or two members); 4) the experts “acknowledge” a reasonable position (usually a State position supported by none of the experts); or 5) the law is clearly unsettled. As an example, consider the text on violations of sovereignty by extraterritorial usurpation of inherently governmental functions (Rule 4):
19. Although the International Group of Experts agreed that a violation of sovereignty generally requires that the cyber operation in question occur or otherwise manifest on cyber infrastructure in the sovereign territory of the affected State, it was divided over whether a cyber operation purportedly violating sovereignty through interference with or usurpation of an inherently governmental function need do so. The majority of the Experts adopted the position that in this particular case sovereignty is violated irrespective of where the cyber operation occurs or manifests. For them the determinative factor is whether the activities interfered with qualify as inherently governmental functions. For example, Estonia has announced the establishment of so-called ‘digital embassies’ that allow the State to back up critical governmental data in other States (see also discussion in Rule 39). Interference with such data in a way that affects the performance by Estonia of its inherently governmental functions would, by the majority view, amount to a violation of this Rule. They acknowledged that the cyber operation in question might also violate the sovereignty of the State where the infrastructure is located on the basis that it occurs on the sovereign territory of the latter.
20. A few of the Experts, by contrast, were of the view that such operations must occur or manifest on a State’s territory or sovereign platform (Rule 5) to constitute a violation. They reasoned that otherwise, the sovereignty, which is by definition exclusive, of at least two States would be implicated by the act, that of the State exercising the inherently governmental function and that of the State where the cyber infrastructure is located.
The insistence on capturing all reasonable positions is important in two regards. First, any claims that Tallinn Manual 2.0 takes this or that position should be viewed with a degree of skepticism. Yes, the Rules represent the Tallinn Manual 2.0 assessment of the state of the law. So too do aspects of the commentary that reflect no difference of opinion. But in every other case, the position described is not a Tallinn 2.0 one, but rather a position of one or more of the participants, and in the case of acknowledgement, none of them.
Second, the delineation of views should be particularly useful for States. It will allow them to focus their legal policy efforts. To the extent the IGE achieved unanimity on a matter, particularly considering the extensive State input, States should conclude that either asserting the same position is likely to be an easy sell, or challenging it is going to be an uphill battle. Having a sense of the normative operating environment, whether benign or hostile, is always beneficial to States when fashioning legal policy.
Moreover, understanding the points about which application and interpretation are subject to disparate views allows States to focus their efforts where clarification of the law is needed and in their national interest. Such clarification will help deter other States from exploiting these grey zones in the law of cyberspace. For instance, Russia has very adroitly operated within this grey zone, as in the case of its operations in the Ukraine and, more recently, in respect of interference in the U.S. elections by means of the DNC hacks and the subsequent release of emails via Wikileaks and other outlets. In the latter case, an active debate surrounds whether the Russian operations satisfy the “coercion” element that is necessary to establish an act of prohibited intervention under international law. Such grey zones allow for maneuver space in the sense that the cyber operations in question cannot be definitively styled as unlawful, thereby weakening any international blowback that might result.
Some argue that clarity in the law is counterproductive, as ambiguity allows for tactical, operational, and strategic-level leeway. The flaw in this argument is that it ignores the principle of sovereign equality. When States operate in the grey zone, they open the door for other States to do likewise, including when conducting operations against the former States.
My view is that normative clarity lends stability to international relations by laying out “the rules of the game” by which every State must play. It contributes to deterrence because internationally wrongful acts may be responded to by means of countermeasures (acts that would be unlawful but for the fact that they respond to another State’s internationally wrongful act). This being the case, States will know that their actions risk costs rising above the level of retorsion (e.g., sanctions and the expulsion of diplomats). Additionally, clear rules may prevent escalation because the “game” becomes more understandable to the participants. They lower the chance that the States involved in a cyber exchange will misinterpret the actions of their opponents.
Finally, it must be understood that Tallinn Manual 2.0 is not meant to be the end of the story. Those who participated in the seven-year Tallinn Manuals’ journey hoped only that it would enhance the process of norm identification and elucidation by States and, while the process is underway, assist State legal advisers in providing informed advice to their clients.