On Wednesday last week I had the privilege of attending the Washington, D.C. launch of the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations at the Atlantic Council. The standing-room-only event serves as a testament to the fundamental importance of cybersecurity generally, and specifically to the growing appetite for advancing our understanding of the critical role international law must play in regulating the new domain of cyberspace.  It was plain from the diverse makeup of the large audience in attendance that the question of how international law applies to cyberspace and cyber operations is of tremendous interest and importance to groups well beyond National Security Law practitioners like myself.  Having worked now for several years advising senior military commanders and policy makers on cyber operations, I offer my initial thoughts on the event and the significant and admirable work of the International Group of Experts (IGE) in taking the first Tallinn Manual to the next level.  I caveat all that follows with the admission, however, that although I have followed the Manual’s development closely and assisted in my private capacity as a peer reviewer of portions of the Manual, and am thus familiar with the general content of several of the IGE’s key conclusions, I have not yet read and digested all 562 pages and 154 rules of the Manual.  And of course, my observations are my own and do not necessarily reflect the official views of US Cyber Command, the Department of Defense, or the U.S. Government.

Consistent with his post at Just Security, Mike Schmitt, the Director of the Tallinn process and General Editor of the Manual, was very clear in his remarks about what the Manual is—the IGE’s analysis of how international law applies to cyber operations—and what it is not—either NATO doctrine or representative of the views of any State or group of States.  As such, it goes without saying that like the first Tallinn Manual, Tallinn 2.0 does not establish any new international law or represent the opinio juris of any States regarding the actions they take or might take in cyberspace. However, the advisory nature of Tallinn 2.0 should not detract from its immense value to legal practitioners and their clients in both the public and private sector as a quality compendium of the general framework of international rules and principles most pertinent to cyber operations.  As with the first Tallinn Manual, which focused primarily on the aspects of cyber operations involving the laws of armed conflict, Tallinn 2.0 will no doubt serve as a primary reference source for analyzing States’ international legal rights and responsibilities when operating in cyberspace outside of armed conflict to achieve national objectives and confront the growing threats posed by both state and non-state actor cyber operations below the use-of-force threshold.  The IGE should be commended for this valuable contribution to the field and the advancement of the rule of law in this domain.

But as Mr. Rutger van Marrising, Senior Policy Officer, Security Policy Department of the Ministry of Foreign Affairs of the Kingdom of the Netherlands noted in his closing remarks on Wednesday, the Manual is the starting point of a conversation.  Applying existing legal regimes to new technologies is never simple, and that is certainly the case with the advent and evolution of information technology and the internet.  And while the Tallinn 2.0 process undoubtedly benefited from the unofficial views of a number of state representatives through the Hague Process consultations, there remains a dearth of evidence of state practice or official legal views in this challenging area.  The UN Group of Governmental Experts’ inability over several rounds to reach consensus on the difficult question of how, as opposed to the now well-settled issue of whether, international law applies to state activities in cyberspace is illustrative.

There is no doubt that greater transparency into States’ views of how and to what extent the extant rules of international law apply to cyberspace is needed if, as then Department of State Legal Adviser Brian Egan noted in his remarks at Berkeley Law, international law is to play an effective role in contributing to predictability and international stability.  At this juncture, however, several factors present challenges to the goal of greater transparency, among them the relatively nascent, hyper-dynamic and evolving nature of cyberspace, the inherent need for stealth in the execution of most cyber operations, and the incongruity of the basic structure, design and operating protocols of the internet with traditional notions of Westphalian geography. This is by no means an argument against transparency, but rather a recognition, from the perspective of expectation management, that we are not at a moment of straightforward application of existing international legal frameworks to this new technology and domain, but instead engaged in the hard process of adapting and perhaps evolving those frameworks to align with the particularities and realities of cyberspace while remaining true to the core interests and objectives those frameworks seek to protect and achieve.

Consider Mike Schmitt’s response of “sovereignty” to the important question posed during the event, “What rule or aspect of the Manual is most likely to change or evolve over the next five years?”  The IGE have adopted the position that sovereignty is itself a binding rule of international law that regulates the conduct of non-consensual cyber operations of one State against cyber infrastructure located in another State.  An opposing view holds that sovereignty is a baseline principle of the Westphalian international order undergirding binding norms such as the prohibition against the use of force in Article 2(4) of the UN Charter, or the customary international law rule of non-intervention, which States have assented to as an exercise of their sovereign equality.  Without stepping through the contours and relative merits of this foundational question, as Professor Schmitt acknowledges (see here), this is a matter of significant debate.  I confess that I count myself in the sovereignty-as-a-principle camp, and owing to the near sui generis nature of cyberspace and the growing national security threats cyber capabilities present, I agree with Professor Schmitt’s assessment that pressure will only grow to clarify this issue and evolve our understanding of the role sovereignty will play in this space.  I would take that assessment a step further and state my belief that the uniqueness and rapidly evolving nature of cyberspace will place adaptive pressure on most of the existing international legal framework.

Why do I believe sovereignty is the proverbial fulcrum upon which the evolution of the legal order related to cyberspace rests? Because in many ways the coherence and efficacy of the larger international law structure identified by Tallinn 2.0 governing state cyber operations and the options available to States to respond to cyber threats rest on achieving greater clarity of the normative character and applicability of traditional notions of sovereignty to cyberspace.  Consider, for example, the case of a non-state, transnational terrorist organization like ISIL deploying a DDOS botnet, or procuring IT infrastructure to support its command and control, recruitment or propaganda operations, across cyberspace infrastructure located in multiple countries.  In many cases, cyber operations directed at disrupting these botnets, dismantling or disabling this infrastructure, or disrupting terrorist cyber operations could involve elegantly simple and precisely targeted technical cyber operations which will nonetheless take place, remotely or otherwise, on the physical and virtual infrastructure located in multiple states and may involve some degree of manipulation or deletion of data.  In its strictest form, the sovereignty-as-a-rule approach creates unworkable hurdles to States conducting such limited but potentially important operations.

Under the sovereignty-as-a-rule approach that Tallinn 2.0 adopts, launching a responsive operation (at least one that involves more than the elusive “de minimis”  effects) would be in violation of international law absent the consent of the State in whose territory the infrastructure resides, or some other international legal justification allowing for non-consensual action.  In practice, this will often leave States with the sole option of invoking self-help remedies because the simple reality is that the nature of cyberspace being what it is, seeking consent or Security Council authorization to take effective responsive actions is impractical.  Unfortunately, the recognized self-help remedies in international law identified in Tallinn 2.0 do not offer an easy answer either.

The doctrine of countermeasures set out in Tallinn 2.0 is illustrative.  There are several aspects of the traditional rule of countermeasures (the successor to the non-forceful component of what used to be known as the law of reprisals) that do not accord easily with the dynamic environment of cyberspace.  Among these are the strict notice requirement, the absence of anticipatory countermeasures, and the absence of a collective remedy as in the case of collective self-defense.  For purposes of the present example, a key limitation on the availability of this self-help remedy is that, also unlike self-defense, countermeasures cannot be invoked as a justification for actions taken against non-state actors.  As such, if sovereignty is itself a rule of international law, the State seeking to conduct the cyber operations above can do so only with the consent of each State in whose territory the cyber action will occur, or based on a reasonable determination that those States are themselves in breach of an international obligation.

In this regard, according to Tallinn 2.0, the international obligation is that of due diligence, which the IGE assert requires States to ensure that harmful or hostile cyber operations, including those by non-state actors, are not conducted from or through their territory.  Like sovereignty, the applicability and scope of the due diligence rule to cyberspace is hardly a settled issue.  Even if one accepts that it applies, according to the IGE the obligation is only one of feasibility. This means that if it is infeasible for a particular State to identify the source of and take effective action to stop harmful non-state actor cyber activity emanating from within its borders, it has not breached its international obligation.  Therefore those States needing to disrupt those hostile cyber operations cannot invoke the doctrine of countermeasures to act.  In other words, under the Tallinn view, States cannot violate another State’s sovereignty to prevent trans-boundary harm, and the territorial State has no duty to monitor or prevent such action, and is required to act only when the State has knowledge of the harm and can feasibly put an end to it.  This is obviously an untenable gap in the law.

If, on the other hand, the principle of sovereignty does not bar cyber operations below the threshold of a prohibited intervention, States can more effectively confront this non-state actor threat and perhaps other future threats.  By now, even in the realm of cyber, there is considerable evidence of State practice and opinio juris that States do not consider sovereignty a bar to trans-border operations, at least with respect to espionage.  It has become increasingly apparent that cyberspace is an offense-dominant environment like no other, marked by a state of persistent confrontation.  The debate over the normative character of sovereignty and the need to adapt existing legal frameworks to the particularities of the cyber domain will have to take these and other difficult facts into account, mindful of the important divide between lex lata and lex ferenda.

While much work remains, to paraphrase Brian Egan, Tallinn Manual 2.0 makes a valuable contribution to the cornerstone premise that international law applies to cyberspace and to framing and advancing the knottier discussion of how it applies, even if States do not necessarily agree with every aspect of the Manual.

 

Image: Set of futuristic user interface elements for dashboard or control – ClusterX/Getty