Introduction
The Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations has served as the leading guide for interpreting how international law applies in the cyberspace. However, the technological and geopolitical developments of the past two years have exposed its limitations. Nation-state conflicts involving large-scale cyber operations, such as the UK facing coordinated sabotage efforts and the India–Pakistan cyber escalation, highlight a new level of complexity in attribution, sovereignty, and the use of force.
These recent developments raise pressing questions about whether a third edition of the Tallinn Manual is necessary. This article explores the evolving legal challenges associated with cyber attribution, sovereignty, and hybrid warfare, and argues that international law must evolve to account for the realities of 2025.
Attribution in the AI Era
Attribution remains one of the most contested areas of cyber law. Under current doctrine, such as effective and overall control, a state must be linked to a non-state actor to be held responsible. These principles were serviceable in traditional cyber conflicts but struggle under the weight of AI-driven operations.
Today’s cyber operations increasingly involve autonomous agents powered by machine learning. These agents can adapt and execute tasks without direct human input. If such an AI system initiates a disruptive action that was not explicitly directed, determining liability becomes highly uncertain.
The growing use of autonomous malware by state-sponsored actors, particularly from China and Russia, pushes existing attribution doctrines beyond their limits. There is a need to reconsider the evidentiary standards for state responsibility in scenarios where AI agents operate with limited or no human oversight.
Digital Sovereignty in a Fragmented Internet
The Tallinn Manual acknowledges the principle of sovereignty but leaves significant ambiguity about its boundaries in cyberspace. In recent years, digital sovereignty has taken on expanded meaning, encompassing control over data, infrastructure, and algorithmic systems.
Countries are now asserting sovereignty through national data policies, sovereign internet zones, and restrictions on foreign tech. Operations targeting a state’s financial or electoral systems, without physical harm, can still have strategic consequences that challenge traditional legal thresholds.
As cyber operations increasingly target the integrity of information rather than physical systems, the legal community must refine its understanding of sovereignty violations in this new context.
Hybrid Warfare and Legal Thresholds
Cyber operations are now often part of broader hybrid strategies that combine disinformation, economic pressure, and military action. The India–Pakistan conflict demonstrated this convergence, with cyberattacks launched alongside kinetic strikes and propaganda campaigns.
Under the United Nations Charter, the use of force and the right to self-defense hinge on specific thresholds. The Tallinn Manual outlines factors for evaluating whether a cyber operation constitutes a use of force, including scope, intensity, and directness. However, hybrid operations obscure these distinctions. When cyber activity is embedded within broader hostilities, determining legal triggers for state response becomes more complex.
Toward a Tallinn Manual 3.0
While the Tallinn Manual 2.0 remains a foundational text, it lacks guidance in critical areas. A third edition should address three emerging legal challenges.
First, the manual should develop clearer standards for attributing responsibility when AI systems initiate harmful conduct. A rebuttable presumption of state responsibility may be appropriate for AI systems launched from government infrastructure or developed by national intelligence entities.
Second, the concept of digital sovereignty must evolve to include algorithmic control, data governance, and cross-border digital infrastructure. Sovereignty violations should be defined not only by physical intrusion but also by manipulation of digital systems that support state functions.
Third, the manual should provide a framework for analyzing hybrid cyber operations. A new model must recognize that cyber actions cannot be evaluated in isolation when they are deployed as part of an integrated state strategy.
Legal and Policy Recommendations
The international legal community should convene a multilateral effort to draft updated guidance reflecting current capabilities and threats. This process should include legal scholars, cybersecurity experts, AI technologists, and state representatives.
Additionally, states should consider mechanisms for improving transparency and cooperation in attribution. Proposals for an international cyber attribution agency merit exploration.
Finally, national legal systems should integrate cyber legal frameworks into broader security and diplomatic strategies to ensure alignment between doctrine and operational realities.
Conclusion
Cyber warfare has entered a new era defined by autonomy, complexity, and strategic ambiguity. The legal doctrines that shaped early cyber norms now struggle to address the challenges posed by AI-driven agents, hybrid conflict, and redefined notions of sovereignty. The Tallinn Manual 2.0 was a landmark achievement, but it must be revisited. A new edition that reflects the legal, technical, and strategic developments of the present is essential to promote stability and accountability in the digital domain.
