International law and cyber ops: Q & A with Mike Schmitt about the status of Tallinn 3.0

Today’s post is about an extremely important topic for warfighters and their legal advisors: the development of international law as it relates to cyber operations.  One of the most influential contributions to this effort has been the Tallinn Manual project (named for the Estonian capital where it originated).  

This ground-breaking series began in 2013 with the publication of the initial manual, and the most current version – Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations – was issued in 2017.  Work is now underway for a new 3.0 edition, and in this post we’ll explore its status as well as some preliminaries about its direction.


The original Manual explained its purpose:

The Tallinn Manual examines the international law governing “cyber warfare.” As a general matter, it encompasses both the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict, or international humanitarian law). Related bodies of international law, such as the law of State responsibility and the law of the sea, are dealt with in the context of these topics.

The Tallinn Manuals were intended to reflect the views of international experts with respect to lex lata, that is the law as it is, and not lex feranda, the law as one might wish it to be.  The Tallinn 2.0 Manual made this clear:

Ultimately, Tallinn Manual 2.0 must be understood only as an expression of the opinions of the two International Groups of Experts as to the state of the law…. This Manual is meant to be a reflection of the law as it existed at the point of the Manual’s adoption by the two International Groups of Experts in June 2016. It is not a ‘best practices’ guide, does not represent ‘progressive development of the law’, and is policy and politics-neutral. In other words, Tallinn Manual 2.0 is intended as an objective restatement of the lex lata.

Additionally, it’s important to understand that while NATO was involved in supporting the effort, the Manuals are not official NATO documents.   Notably, the U.S. Department of Defense makes no mention of it in its 1,200+ page Law of War Manual.

The original Tallinn Manual was not without controversy as some commentators expressed concern about its scope and its application outside the law (see e.g., here).  The criticisms of its successor, Tallinn 2.0, were – mostly – milder (see e.g., here).  Among other things, Tallinn 2.0 expanded its coverage to better address the law as it relates to cyber incidents that occur in periods of putative “peace”.

Tallinn 3.0

The Tallinn process was always meant to be ongoing, and work on Tallinn 3.0 has begun.  Its charter seems to have expanded beyond its original focus on “cyber warfare,” per se, to capture international legal issues associated with the “evolving nature” of contemporary cyber operations conducted by a range of actors with varied agendas.  The NATO Cooperative Cyber Defence Centre of Excellence, which hosts the project, describes the latest effort this way:

The envisioned five-year project will involve updating all chapters of the Tallinn Manual 2.0 to address the evolving nature of cyber operations and State responses, as well as adding new topics of importance to States. The revised Manual will reflect current State practice regarding cyber operations, including States’ official statements on international law. Activities and statements of international fora, such as the UN-level discussions on responsible State behavior in cyberspace, will also be considered, as will academic publications and multistakeholder initiatives involving governments, industry, and civil society players.

As with the earlier Tallinn Manuals, the 3.0 revision is headed by one of the world’s top experts: Professor Michael Schmitt of the University of Reading (UK) and the US Naval War College.

Prof Mike Schmitt

Lawfire caught up with Mike after he returned from a development session for the new manual, and he kindly agreed to answer a few questions.  I think you will find his candid answers extremely interesting!

Lawfire:  What is the current status of the project?  Has COVID impeded it?  Should we not expect to see it until circa 2025?

The NATO CCD COE launched the Tallinn Manual 3.0 project early this year, with a goal of completion in not more than five years. Unfortunately, COVID has slowed our progress somewhat by impeding in-person work among the three co-general editors, myself, Professor Marko Milanovic of Nottingham University, and Liis Vihul, CEO of Cyber Law International. Nevertheless, I still anticipate completion by 2025, with a Cambridge University Press release date in early 2026.

Lawfire:  In what areas, if any, should we expect to see the most change in light of state practice and opinio juris since 2.0 was issued?  

That will very much depend on a project we have underway in collaboration with NYU Law School and Just Security to compile official statements, documents, and speeches by states and international organizations on how international law applies in the cyber context. During the Tallinn Manual 2.0 process, very few states had made known their positions on that matter. However, since its release in 2017, many have begun to do so, often with impressive granularity.

Indeed, many such statements directly cite Tallinn Manual 2.0, which is extremely useful to the Tallinn Manual 3.0 team. Because our team is committed to the premise that states make and authoritatively interpret international law, we must consider this verbal state practice to ensure Tallinn Manual 3.0 accurately reflects the state of interpretive play in the international community.

Additionally, whereas scholarship on international cyber law was relatively sparse during the writing of Tallinn Manual 2.0, the academic community has now turned its attention to the subject in a big way, with much of the work addressing issues the IGE had raised. Therefore, we have a second project underway at the CCD COE to gather all relevant scholarship.

And finally, there were very few experts on international cyber law we could draw on during the drafting of the two manuals. That has changed both within government and academia; therefore, we are engaged in an aggressive effort to crowdsource comments on needed revisions or additions to the manual. That can be done here.

This is a long-winded way of laying the foundation for an answer to your question.  The three co-general editors will be sifting through all the material mentioned above to pinpoint where our efforts need to be directed. Until we have done so, we won’t know precisely how Tallinn Manual 3.0 will change.

That said, as someone active in the field, I would expect to see significant revisions of key sections of the manual. First, we have seen considerable use of proxies to conduct hostile cyber operations. This unfortunate practice, and the reaction of other states to it, will further inform our analysis of attribution under the law of state responsibility.

Second, a debate on the existence of a rule of sovereignty emerged in the aftermath of Tallinn Manual 2.0. The United Kingdom took the position that sovereignty is a principle of law, but not a binding rule of law the violation of which constitutes an internationally wrongful act. However, every other state and the vast majority of academics that have taken a firm position on the matter have rejected the UK view, including key allies and partners. Tallinn Manual 3.0 will have to address this division of opinion head-on, ensuring we capture the then-current state of the debate, assuming it survives.

Third, in the use of force area, there seems to be a trend towards adopting a “scale and effects” approach to assessing whether a cyber operation qualifies as a “use of force” under Article 2(4) of the UN Charter and customary international law. The IGE first adapted that approach from the ICJ’s Nicaragua judgment regarding the “armed attack” threshold for self-defense (UN Charter Article 51 and customary law).

Finally, I also anticipate significant revisions of the chapter on international human rights in cyberspace, particularly in light of jurisprudence coming out of the European Court of Human Rights and the work of UN Special Rapporteurs.

Of course, we need to consider their analysis cautiously because that court deals primarily with European Convention on Human Rights provisions, and the UN Special Rapporteurs generate only soft law. Nevertheless, their work will inform our analysis of customary international human rights law, including how to address issues like privacy and expression online and the ongoing debate over extraterritoriality of human rights obligations.

I want to emphasize that the Tallinn Manual 3.0 team is committed to including all reasonable views in the manual commentary, as we were in the past. We are not trying to convince government legal advisers (our target audience) of any particular interpretation of the law.  Rather, the objective is to apprise them of all reasonable views so that they can make an informed decision as to how best to interpret international law for their nation and to afford them a foundation they can use in discussions with other states.

Lawfire:  Given the tremendous capabilities of cyber to exfiltrate enormous amounts of information (often concerning private individuals), will the historical view of espionage as not being a violation of international law be reconsidered by the 3.0 experts?

Of course, under traditional international law, espionage is not a violation of international law unless the means by which that espionage is carried out amount to a breach. The Tallinn Manual 2.0 international group of experts took the same approach. To illustrate, an attempt to conceal a remote cyberespionage operation by causing damage to the targeted system would violate the sovereignty of the State into which it is conducted but would not be unlawful on the basis that the purpose of the operation was espionage.

Following the release of Tallinn Manual 2.0, a number of states have been sponsoring cyber law capacity building for government officials around the world. All three of the Tallinn Manual 3.0 co-general editors have participated regularly in that program, and I can tell you that the issue of the legality of remotely conducted cyber espionage always comes up.

It is clear from those discussions that some governments and many government officials are uneasy about the scale and scope of cyber espionage operations that range from tapping submarine telecommunications cables to classic exfiltration of data operations. Yet, despite that uneasiness, there seems to be little appetite for treating cyber operations conducted for the purpose of espionage as an international law violation per se.

That said, there are active discussions among States on related international law rules that could encompass some espionage operations. A lot of attention is being paid to where the threshold for sovereignty violations lies, with some implicating espionage. For example, in 2019, Guatemala labeled espionage a violation of the sovereignty of the target state. And remotely conducted espionage into another state often raises international human rights law issues, such as the right to privacy and its extraterritorial application.

Lawfire:  Similarly, today cyber enables social media to create effects such as those discussed in War in 140 Characters: How Social Media is Reshaping Conflict in the Twenty-First Century that have the power, the author says, “akin to the most elite special forces unit.” This allows “hyperempowered, networked individuals…to affect the battlefield.” Given the enormous technical capabilities of cyber, to include the potential of “deep fakes”, will 3.0 attempt to deal with this phenomenon by re-considering the assumption that propaganda is not an “attack” or even “force” within the meaning of international law? 

We certainly will. I doubt whether classic propaganda will be considered an “attack” under the law of armed conflict. The cyber “attack” threshold is a critical LOAC issue because so many LOAC rules are framed in terms of attack: don’t attack civilian objects, comply with the rule of proportionality in attack, take precautions in attack, etc.

We will certainly have to take on the issue of when the weaponization of information triggers these attack rules. For instance, is the use of disinformation that could foreseeably result in illness, injury, or death (as in disinformation regarding the treatment of a prevalent disease) an attack?

And information operations raise other legal questions during armed conflict. When do social media activities rise to the level of inciting genocide? How should the “constant care” obligation be interpreted in the information context? When does cyber infrastructure used for purposes of transmitting information qualify as a military objective? Where does the “direct participation” line lie for civilians who are engaged in information operations activities during an armed conflict? A careful review of the LOAC rules will be central to Tallinn Manual 3.0.

Lawfire:  One of the issues with which 2.0 seems to struggle was the meaning of “armed attack” in the sense of Article 51 of the UN Charter as applied to hostile cyber events.  Can we expect to see more granularity in that regard in 3.0?

A bit more.  States are hesitant to set forth the threshold at which they would characterize a hostile cyber operation as an armed attack opening the door to a forcible response. Typically, they only indicate that there is a right to self-defense if the consequences of a hostile cyber operation (or cyber campaign) are comparable to those of a non-cyber operation that would qualify as an armed attack.

However, we are seeing a degree of movement. For instance, in 2019, France suggested that “A cyberattack could be categorized as an armed attack if it caused substantial loss of life or considerable physical or economic damage.” The economic harm comment cuts new ground. Yet, while other states have not gone as far as France, there seems to be a growing sense among government officials around the world that in some cases a hostile cyber operation could cause non-physical consequences severe enough to trigger the right of self-defense.

As with the use of force issue, they are zeroing in on the “scale and effects” of the cyber operation’s consequences. This will inevitably lead them away from a strict interpretation by which only significant injury or physical damage qualifies as an armed attack.

Lawfire:  Another controversy revolves around whether or not sovereignty is a rule of international law whose violation amounts to an internationally wrongful act, even if the cyber operation does not constitute an armed attack.  Tallinn indicates support for that position; however, some insist it is a principle of international law, but not an inviolate rule.  Most recently, Jack Goldsmith and Alex Loomis authored a monograph which essentially takes the latter position and argues that the Tallinn 2.0 view of sovereignty does “not reflect customary international law.” Will 3.0 wrestle with this issue?

Most importantly, there is no single Tallinn Manual 2.0 view of sovereignty, despite counter-factual assertions to the contrary.  The only consensus the IGE could achieve is that there is a rule of sovereignty that is violated when physical effects are caused on the territory of another state or inherently governmental functions are interfered with or usurped. Beyond that, the experts reached no consensus on the type of cyber operations that violate sovereignty.

This is precisely where most governments and scholars are in their analysis. As of today, states accepting sovereignty as a rule include, at least, Bolivia, Brazil, Chile, China, Czech Republic, Estonia, Finland, France, Germany, Guatemala, Guyana, Japan, Mali, Netherlands, New Zealand, Norway, Romania, Russia, South Korea, Switzerland, and Uruguay.

NATO doctrine also acknowledges the rule when it observes cyberspace operations “may nevertheless constitute a violation of international law as a breach of sovereignty or other internationally wrongful act.” (the UK, but no other NATO member, reserved on this point). Similarly, both the Tallinn Manual (Rule 1) and Tallinn Manual 2.0 (Rule 4) IGEs unanimously characterized sovereignty as a rule and the argument that there is no rule of sovereignty applicable to cyber operations is widely rejected by most international law scholars.

The UK is truly an island on this issue. In fairness, many states have yet to weigh in, and a few, like Israel, have noted that it is an open question. Others, like the United States, have studiously avoided taking a position. For instance, in its submission on state positions for the 2021 GGE Compendium, the US observed:

The United States believes that State sovereignty, among other long-standing international legal principles, must be taken into account in the conduct of activities in cyberspace. Whenever a State contemplates conducting activities in cyberspace, the equal sovereignty of other States needs to be considered.…

In certain circumstances, one State’s non-consensual cyber operation in another State’s territory, even if it falls below the threshold of a use of force or non-intervention, could also violate international law. However, a State’s remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per se violation of international law.  In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimis effects. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions.

This is about as close to saying, “there is a rule of sovereignty, but it is unclear where the threshold for breach lies,” as you can get. In particular, one must ask if an operation is unlawful but does not reach the threshold of a use of force or non-intervention, what rule of law is likely to have been breached other than sovereignty?

The sovereignty debate is an unfortunate distraction from the critical discussion states need to be having – under what circumstances does a hostile cyber operation violate sovereignty. Fortunately, many states have moved on, and more are following suit. As Finland noted last year,

The argument has been raised recently that no legal consequences could be attached to sovereignty as a general principle, at least for the purposes of cyber activities. It is not only difficult to reconcile such an idea with the established status of the rule prohibiting violations of sovereignty in international law but it also gives rise to policy concerns. Agreeing that a hostile cyber operation below the threshold of prohibited intervention cannot amount to an internationally wrongful act would leave such operations unregulated and deprive the target State of an important opportunity to claim its rights.

Lawfire:  Has the working group for Tallinn 3.0 been expanded to include more representation from around the globe?  Is the working group weighted in favor of experts from what might be called “specially affected states” who have major cyber activities? 

We have not formed the IGE for Tallinn Manual 3.0 yet. For the first two or so years, Marko Milanovic, Liis Vihul (both international cyber law doyens who are as comfortable discussing cyber sovereignty or due diligence as human rights and LOAC in cyberspace), and I will be working with the material described above to revise the manual.

When finished with our draft proposal, we will select an IGE that, as with the previous one, will be geographically diverse and include both practitioners and scholars. The CCDCOE will provide technical and policy advisers. We will not select the experts until we determine the areas of law that were subject to the most significant revision, for we must have that expertise on the team. The IGE is responsible for reviewing the draft, changing the rules and commentary as appropriate, and adopting the text as its own.

Representation of “specially affected states” is not a definitive criterion we will be using in the selection process, although we do want representation from certain key players in cyberspace. As with Tallinn Manual 2.0, we anticipate selecting dozens of peer reviewers to examine sections of the draft for which they have particular expertise.

And as with Tallinn Manual 2.0, there will be a state engagement process during which government delegations will discuss the drafts with the co-general editors and suggest further revisions. For Tallinn Manual 2.0, 50 States and international organizations sent delegations to three meetings convened by the Dutch Ministry of Foreign Affairs. States have already approached us about sponsoring these events, but no decision has been made yet as to which states will support them. Finally, the draft will be taken back to the IGE for approval before publication by Cambridge University Press.

Many thanks to Mike Schmitt for taking time to answer these questions to update Lawfire readers!  

Remember what we like to say on Lawfire®: gather the facts, examine the law, evaluate the arguments – and then decide for yourself!
