Tallinn Manual 2.0: Defending Cyberspace
It is the international community’s responsibility to maintain peace and security in the face of growing cyber threats to a society that is increasingly vulnerable because of its dependence on connected technology, Henne Schuwer, the Netherlands’ ambassador to the United States, said at the Atlantic Council on February 8.
“We have to all band together to make sure that this Internet, this cyberspace… will be a peaceful movement around the world from which we all benefit,” he said.
In light of the Russia’s meddling in the 2016 US presidential elections, and concern looking ahead to upcoming elections in Europe in 2017—in France, Germany, the Netherlands, and possibly Italy—it has become necessary to establish a legal framework for the international community to understand a common set of rules of the road in cyberspace.
There must be negotiations “to try for long-term, structural solutions by building a normative framework to regulate cyber operations between states,” said Rutger van Marissing, senior policy officer in the Security Policy Department of the Netherlands’ Ministry of Foreign Affairs, adding, “international law should be the main component of that normative framework.”
To respond to this need for stability and security, the Netherlands commissioned the Tallinn Manual 2.0, which provides essential guidelines for the application of international law to cyber operations.
According to Liis Vihul, project manager and managing editor of the Tallinn Manual process and a legal analyst at the NATO Cooperative Cyber Defense Center of Excellence, Russia’s cyberattack on Estonia in 2007 marked the emergence of a new kind of national security threat, and caused legal advisers and policy-makers to reassess how to respond to this type of security breach. She described how Tallinn 2.0’s treatment of peacetime operations, a topic not treated in the first version of the manual, published in 2013, is helpful in considering the lawfulness of cyberattacks during peacetime, or “below-the-threshold” attacks.
Vihul said Tallinn 2.0, written by a group of legal experts from around the world, is “a reflection of international law as it applies globally.” Tallinn 2.0 is an academic product, not reflective of NATO policy or doctrine, nor meant for negotiations. “It’s meant primarily for state legal advisers to assist them in thinking through the legal issues that arise” either from considering the undertaking of a cyber operation or when a particular state is on the receiving end of an attack.
“The Tallinn Manual is our guide to the next frontier,” said Schuwer.
Schuwer and Vihul delivered introductory remarks at the official launch of Tallinn 2.0 at the Atlantic Council, which was followed by a panel discussion in which Van Marissing joined Michael Schmitt, director of the Tallinn Manual process, chairman of the Stockton Center for the Study of International Naval War College, and professor of public international law and Exeter Law School; and Megan Stifel, a senior fellow with the Atlantic Council’s Cyber Statecraft Initiative and the founder of Silicon Harbor Consultants, to analyze the broader implications and application of the manual. Jason Healey, a nonresident senior fellow with the Cyber Statecraft Initiative, moderated the discussion.
According to Healey, the question regarding state cyber activity has changed from “is a cyberattack an act of war,” to “under what circumstances is a cyberattack an act of war,” due to the evolving nature of the cybersecurity environment. Growing dependence on connected technologies from states and societies has increased the risks and repercussions of disruptions.
“We are concerned that [cyberspace] is beginning to display tendencies of a classic security dilemma,” said Van Marissing.
He said that the potential for an arms race in cyberspace calls into question the creation and maintenance of stability. “It’s really international law that provides the measure of predictability and accountability to help maintain stability, but that only works when everyone is on the same page,” said Van Marissing. He said: “that requires that we really make international law more accessible, more understandable, and more practically applicable… That is where the manual can really play a more useful role.”
“We were not writing for academics. We were writing for countries,” said Schmitt. Aimed at rewriting the normative landscape, Tallinn 2.0 “is a manual that is informed by international organizations and informed by states, and so we hope it will be of use to them.”
According to Schmitt, Tallinn 2.0 offers a series of factors for states to consider when deciding whether to deem a cyber operation worthy of response with use of force. The severity of the consequences is a factor.
However, “this manual, for the first time, said we don’t have all the answers,” said Schmitt. “Cyberspace is new, and there’s a lot of gray out there,” therefore, “the interpretation and application of those rules [in the manual] can be contentious.”
The International Group of Experts (IGE)—the working group which composed the manual—captured all reasonable views among its members and included them in the manual, thereby allowing for dissenting opinions. “The most important piece of the book is not where we agreed, but where we disagreed,” said Schmitt, adding “that is where states need to roll into the game and start firming up the norms.”
According to Stifel, the method of collaborative consultation with both academics and practitioners augments the utility of the manual, thereby making it more difficult for an individual state or actor to disagree. She said that the focus on the application of Tallinn 2.0 “is a step in the process that is not surprisingly consistent with US policy.”
“The idea of norms development… will hopefully evolve to a place where I hope we’re getting to answer some of those gray questions,” said Stifel.
Ultimately, said Healey, “this is about the dynamics of cyber conflict.” He called for policy-makers to focus on how to manage a fundamentally different conflict space, claiming that the best way to avoid escalation is to move away from an offense-dominant situation and build up defensive capabilities. Overall, according to Healey, cyberspace should become a more defense-advantage-driven domain.
Rachel Ansley is an editorial assistant at the Atlantic Council.