Yesterday marked the inaugural launch event for the release of the second version of the famous Tallinn Manual on the legal landscape of cyberwarfare. Appropriately named “Tallinn Manual 2.0: International Law Applicable to Cyber Operations,” the new book offers a fascinating look at how far the cyber threat landscape has evolved in the less than half decade since the first version’s release in 2013, shifting the focus from conventional state-authorized and operated cyber warfare to the small-bore deniable cyber activities that form the majority of day-to-day cyber attacks today.
It is notable that in just four years the book’s title has changed from referring to “cyber warfare” to “cyber operations,” reflecting that in today’s world cyber attacks most commonly fall beneath the threshold at which international law would typically declare them to be a formal act of war.
As the book’s authors put it “the focus of the original Manual was on the most severe cyber operations, those that violate the prohibition of the use of force in international relations, entitle states to exercise the right of self-defence, and/or occur during armed conflict,” while the new version “adds a legal analysis of the more common cyber incidents that states encounter on a day-to-day basis and that fall below the thresholds of the use of force or armed conflict.”
Indeed, Michael Schmitt, chairman of the U.S. Naval War College International Law Department noted that the alleged Russian hacking of the DNC during the 2016 US presidential campaign was “not an initiation of armed conflict. It’s not a violation of the U.N. Charter’s prohibition on the use of force. It’s not a situation that would allow the U.S. to respond in self-defense militarily.” In short, it is precisely the kind of “cyber operation” that will come to define the coming decade.
The manual itself is essentially a massive 642 page narrative on the legal landscape of cyber today as seen through a global (though decidedly Western) lens. It presents a myriad of legal questions that commonly arise in cyber operations and discusses the current state of international law and how it might apply to each given scenario. In many cases its panel of drafters were unable to reach a consensus, illustrating the complexities and vagaries that still plague the cyber world.
Given the public prominence of cyber espionage in the era of Edward Snowden and Wikileaks, the Manual explores the legality of the kinds of methods employed by the NSA and finds on page 170 that its panelists “were incapable of achieving consensus as to whether remote cyber espionage reaching a particular threshold of severity violates international law.”
The Manual also explores on the following page the legality of actions such as one nation hacking into a nuclear power plant in another nation and essentially holding it as a cyber hostage, threatening to cause the plant to go critical and kill large numbers of people unless the nation withdraws from an unrelated conflict, finding that that this would constitute a violation of international law. This is particularly noteworthy in that under the former administration, the US government announced precisely such plans, making special mention of holding hostage or triggering meltdowns in nuclear power plants to affect civilian populations.
In one intriguing discussion on page 521, the Manual theorizes about the future incorporation into military practice of the Internet’s ability to humiliate and harass. For example, could a POW camp strip prisoners naked, photograph them in humiliating poses and then publish those images publicly and share them far and wide? What about forcibly interrogating them for their social media, medical, financial and other login information and downloading and republishing that material? Or using their forcibly obtained social media logins to deceive their friends and contacts (who likely would not know they had been captured) into divulging sensitive and damaging information, such as requesting a nude photograph from a spouse, that is then republished online? The end result would be that even long after the war was concluded those soldiers and their families would be subject to eternal harm.
The authors interpret traditional Geneva Convention protections for prisoners of war in the cyber era and suggest that it is expressly prohibited to publish on the Internet humiliating or degrading information gathered from the prisoners or imagery taken of them in confinement. Specifically, “Prohibited cyber actions include posting defamatory information that reveals embarrassing or derogatory information or their emotional state. This would embrace, for example, posting information or images on the Internet that could be demeaning or that could subject prisoners of war or interned protected persons to public ridicule or public curiosity.” In addition, the detaining nation must also “guard against intrusion by public and private actors into the communications, financial assets, or electronic records of prisoners of war or interned protected persons.”
This situation most famously arose in 2004 with the publication of the Abu Ghraib photographs and again a year later when US military sources released to the international media partially nude photographs of Saddam Hussein taken while he was in US custody. In both cases the images spread virally and were widely republished by mainstream news outlets throughout the world, creating a permanent record of these individuals in their most intimate moments forever preserved on the Internet and profiting those outlets that published them by driving intense revenue-generating traffic to their sites. One can only imagine how far such images would spread in today’s social media saturated world.
Governments must also physically separate the data they collect on prisoners from the rest of their military plans in anticipation that their computer networks may themselves become legitimate military targets: “Feasible measures must be taken to protect personal data relating to prisoners of war and interned protected persons from the effects of cyber operations, for example by being stored separately from data or objects that constitute a military objective.”