{"id":9647,"date":"2015-07-09T13:00:44","date_gmt":"2015-07-09T20:00:44","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=9647"},"modified":"2020-04-21T14:30:47","modified_gmt":"2020-04-21T21:30:47","slug":"the-cybersecurity-canon-tallinn-manual-on-the-international-law-applicable-to-cyber-warfare","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2015\/07\/the-cybersecurity-canon-tallinn-manual-on-the-international-law-applicable-to-cyber-warfare\/","title":{"rendered":"The Cybersecurity Canon: Tallinn Manual on the International Law Applicable to Cyber Warfare"},"content":{"rendered":"<p><a href=\"https:\/\/www.paloaltonetworks.com\/threat-research\/cybercanon.html\"><div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:43.6%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter wp-image-9648 size-large lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-500x218.png\" alt=\"cybersec canon red\" width=\"500\" height=\"218\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-500x218.png 500w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-230x100.png 230w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-510x223.png 510w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red-91x40.png 91w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2015\/07\/cybersec-canon-red.png 786w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/span><\/div><\/a><\/p>\n<p><em>We modeled the Cybersecurity Canon after the Baseball or Rock &amp; Roll Hall-of-Fame, except for cybersecurity books. 
We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. <a href=\"https:\/\/paloaltonetworks.com\/threat-research\/cybercanon\/nominate-a-book.html\">Please write a review and nominate your favorite<\/a>.\u00a0<\/em><\/p>\n<p><em>The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!<\/em><\/p>\n<p><strong>Book Review by <a href=\"https:\/\/www.paloaltonetworks.com\/threat-research\/cybercanon\/cyber-security-canon-bios.html\" target=\"_blank\" rel=\"noopener noreferrer\">Canon Committee Member, Robert Clark<\/a>:\u00a0<\/strong><em>Tallinn Manual on the International Law Applicable to Cyber Warfare<\/em><\/p>\n<h3>Executive Summary<\/h3>\n<p>The director of this project states it best:<!--more--><\/p>\n<p style=\"padding-left: 30px;\"><em>[T]he product of a three-year project by twenty renowned international law scholars and practitioners, the Tallinn Manual identifies the international law applicable to cyber warfare and sets out ninety-five <\/em><em>\u2018<\/em><em>black-letter rules<\/em><em>\u2019<\/em><em> (95 rules) governing such conflicts.\u00a0 It addresses topics including sovereignty, State responsibility, the jus ad bellum, international humanitarian law, and the law of neutrality.\u00a0 An extensive commentary accompanies each rule, which sets forth each rule's basis in treaty and customary law, explains how the Group of Experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rule's application.\u00a0<\/em>[1]<\/p>\n<p>Key to understanding this application of international law to cyberspace operations is \u00a0understanding what the<em> Tallinn Manual<\/em> is not.\u00a0 It is not a commentary on cyber activities that occur below the level of a \u2018use of force' as set forth in the UN 
Charter, such as cyber criminality; moreover, it only comments on the legality of cyber intelligence activities as they relate to the issues of \u2018use of force\u2019 or \u2018armed attack.\u2019 [2]\u00a0 Also, the <em>Tallinn Manual<\/em> recognizes that cyber espionage and theft of intellectual property pose real and serious threats to all states, as well as corporations and private individuals, but it is not the aim of the authors to address such matters. [3]<\/p>\n<p>Cybersecurity Canon candidate books are supposed to be essential to the cybersecurity practitioner.\u00a0 As a practicing computer network operational attorney, this book is not only required reading: it is malpractice if you don't read it.\u00a0 Similarly, for technologists and cybersecurity practitioners, it is a must read, particularly after the redefining of computer network defense roles due to the Sony cyberattack. [4]\u00a0 Understanding the various authorities of the multiple disciplines involved in computer network defense requires, first and foremost, an understanding of the incidents, intrusions, use of force, and yes, attacks that occur in cyberspace.\u00a0 The<em> Tallinn Manual<\/em> provides an essential education in these legal differences.<\/p>\n<h3>About the People<\/h3>\n<p>The<em> Tallinn Manual<\/em> was drafted by an \"International Group of Experts,\" including distinguished legal academics and practitioners, supported by a team of technical experts. [5]\u00a0 A select group of peer reviewers offered comments on the various drafts, as did a number of states that were willing to informally and unofficially do so. [6]<\/p>\n<p>The initial criticism of the<em> Tallinn Manual<\/em> focuses on the fact that \"[T]he legal experts that wrote it have distinctly American and Old European backgrounds.\" [7]\u00a0 Similarly, others noted the absence and criticism of China or the Russian Federation. 
[8]\u00a0 The Russian authorities have taken a very guarded view of the <em>Manual<\/em>.\u00a0 Moscow thinks its publication is a step toward legitimizing the concept of cyberwars. [9]<\/p>\n<p>Moreover, it is hard to overlook\u00a0that there was a complete lack of scientists from the former Warsaw Pact countries among the legal experts partaking in the project.\u00a0 It seems that despite there being a NATO competence centre in Tallinn, the leaders of the project seem to think that there is not much competence in international law in the area.\u00a0 Even if we excluded the Baltic states \u2013 was it really impossible to find top-level legal experts from Poland, Hungary, the Czech Republic or Slovakia who could have had a say on the topics of the legality of the use of armed force, international humanitarian law, and the responsibility of the state? [10]<\/p>\n<p>This criticism did note:<\/p>\n<p style=\"padding-left: 30px;\"><em>[N]obody is forbidding other countries from starting their own science projects or telling the scientists who were not invited to Tallinn not to write and express their opinions. [11]\u00a0 A point emphasized by the \"Experts\" as they \"assessed that there has been huge interest in the Manual since it came out, but that the Manual reflected <\/em><em>\u201c<\/em><em>all reasonable positions<\/em><em>\u201d<\/em> <em>on the issues it took up and that there were only a few amendments worth pondering.\u00a0<\/em>[12]<\/p>\n<h3>The Story<\/h3>\n<p>The main tenet of the<em> Tallinn Manual<\/em> is that cyber warfare is governed by international law already in force, particularly the rules that regulate the commencement of an armed attack (jus ad bellum, UN charter, mostly effective since 1945) and the rules that regulate the conduct of armed conflict (jus in bello, including, for example, The Hague Convention of 1899 and the Geneva Convention of 1949, the latter with the 1977 amendment protocols). 
[13]\u00a0 (The <em>Manual<\/em> has a great compendium of international law of armed conflict or international humanitarian law.) [14]<\/p>\n<p>The <em>Manual<\/em> consists of 95 rules and accompanying commentary.\u00a0 The rules set forth the International Group of Experts' conclusions (black-letter rules) as to the broad principles and specific norms that apply in cyberspace.\u00a0 The accompanying commentary indicates the rules' legal basis, applicability in international and non-international armed conflicts, and normative content.\u00a0 Also included are differing or opposing positions among the Experts.\u00a0 This is important because several complex issues produced debates amongst the Experts.\u00a0 The<em> Manual's<\/em> editors attempted to capture all of the views expressed in the deliberations, as well as other reasonable positions that they were aware of from outside the group. [15]<\/p>\n<p>While covering all of the salient portions of the<em> Manual<\/em> is far beyond the scope of this review, I will concur with other reviewers who noted:<\/p>\n<p style=\"padding-left: 30px;\"><em>Particular attention was paid to terminology.\u00a0 An array of terms has been employed in, and beyond the legal literature: computer network attack, computer network exploitation, cyber attack, cyber operation, cyberspace operation, cyber incident, cyber terrorism, cyber conflict etc.\u00a0 To circumvent this semantic inconsistency, the Tallinn Manual operates with four key notions.\u00a0 First, a <\/em><em>\u201c<\/em><em>cyber operation<\/em><em>\u201d<\/em> <em>connotes the employment of cyber capabilities for achieving a particular objective, and is one of the few terms that is not derived from a legal term with a concrete meaning.\u00a0 Next, a <\/em><em>\u201c<\/em><em>cyber use of force<\/em><em>\u201d<\/em> <em>and <\/em><em>\u201c<\/em><em>cyber armed attack<\/em><em>\u201d<\/em> <em>are cyber operations that rise to the levels of a use of force, and armed 
attack, in the way those terms are used in Articles 2(4) and 51 of the UN Charter, respectively. Lastly, a <\/em><em>\u201c<\/em><em>cyber attack<\/em><em>\u201d<\/em> <em>carries the meaning of an attack, as defined in Article 49(1) of Additional Protocol I to the Geneva Conventions; its usage is restricted to the law of armed conflict analysis.\u00a0 This consolidation of legal terminology allows for a reduced number of terms to be used consistently throughout the book, contributing to the clarity of the positions expressed therein.\u00a0<\/em>[16]<\/p>\n<h3>Conclusion<\/h3>\n<p>The <em>Tallinn<\/em> <em>Manual<\/em> is not just a worthy book for the Canon candidate list; it is a must for induction into the Canon proper, both for lawyers and policymakers (non-techies) and for techies in the community. As pointed out:<\/p>\n<p style=\"padding-left: 30px;\"><em>[T]he Manual is designed as a reference tool for State legal advisors, policymakers, and operational planners, although scholars and students will hopefully find it useful as well.\u00a0 NATO CCD COE has launched a three-year follow-on project, <\/em><em>\u2018<\/em><em>Tallinn 2.0,<\/em><em>\u2019<\/em><em> that will expand the scope of the Tallinn Manual. \u00a0The Tallinn Manual is strictly an expression of opinions of the International Group of Experts, and, as such, does not represent the official positions of the Centre or NATO.\u00a0 This will also be the status of Tallinn 2.0<\/em><em>.\u00a0<\/em>[17]<\/p>\n<p>Still, others observe:<\/p>\n<p style=\"padding-left: 30px;\"><em>[T]he intense interest in developing clearer international norms to regulate different facets of cyber activity is running up against two hard facts. 
The first is that some states, especially those with sophisticated cyber capacities, such as the United States, are content to state at a general level that they will apply existing, general international rules to cyber.\u00a0 But these states have limited incentives to reveal in any detail HOW they apply those norms.\u00a0 The second is that the major cyber players (Russia, China, and the United States) remain on different conceptual pages as to how to proceed.\u00a0<\/em>[18]<\/p>\n<p>Whatever the focus and direction Tallinn 2.0 takes, this version is a must read, and when 2.0 is released, at least I'll have more material to include in the Canon process!<\/p>\n<h3>Sources<\/h3>\n<p><!--more--><\/p>\n<ol>\n<li>See, Excerpt From: Schmitt (Editor). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013, loc 3 of 7915, Kindle Ed.<\/li>\n<li>See, Excerpt From: Schmitt (Editor). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013, p. 3 of 282, Kindle Ed.<\/li>\n<li>See, Excerpt From: Schmitt (Editor). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013, p. 4 of 282, Kindle Ed.<\/li>\n<li>DHS Chief to Companies: Prepare Yourselves for Cyber Attacks, <a href=\"http:\/\/www.weeklystandard.com\/blogs\/dhs-chief-companies-prepare-yourselves-cyber-attacks_821904.html\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.weeklystandard.com\/blogs\/dhs-chief-companies-prepare-yourselves-cyber-attacks_821904.html<\/a><\/li>\n<li>Michael N. Schmitt, International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed, 54 Harvard Journal of International Law 13, 2012, p. 
14\u201315, <a href=\"http:\/\/www.harvardilj.org\/wp-content\/uploads\/2012\/12\/HILJ-Online_54_Schmitt.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.harvardilj.org\/wp-content\/uploads\/2012\/12\/HILJ-Online_54_Schmitt.pdf<\/a>.<\/li>\n<li>Michael N. Schmitt, International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed, 54 Harvard Journal of International Law 13, 2012, p 15, <a href=\"http:\/\/www.harvardilj.org\/wp-content\/uploads\/2012\/12\/HILJ-Online_54_Schmitt.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.harvardilj.org\/wp-content\/uploads\/2012\/12\/HILJ-Online_54_Schmitt.pdf<\/a>.<\/li>\n<li>Lauri M\u00e4lksoo, The Tallinn Manual as an international event found at <a href=\"http:\/\/www.diplomaatia.ee\/en\/article\/the-tallinn-manual-as-an-international-event\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.diplomaatia.ee\/en\/article\/the-tallinn-manual-as-an-international-event\/<\/a>.<\/li>\n<li>See Lauri M\u00e4lksoo, The Tallinn Manual as an international event found at <a href=\"http:\/\/www.diplomaatia.ee\/en\/article\/the-tallinn-manual-as-an-international-event\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.diplomaatia.ee\/en\/article\/the-tallinn-manual-as-an-international-event\/<\/a> citing For example see Elena Chernenko, Virtual'nyi front, Kommersant Vlast' 27.05.2013,<a href=\"http:\/\/www.kommersant.ru\/doc\/2193838\" target=\"_blank\" rel=\"noopener noreferrer\"> http:\/\/www.kommersant.ru\/doc\/2193838<\/a>, p14; Ashley Deeks, Tallinn 2.0 and a Chinese View on the Tallinn Process, May 31, 2015 found at <a href=\"http:\/\/www.lawfareblog.com\/2015\/05\/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process\/\" rel=\"nofollow,noopener\" >http:\/\/www.lawfareblog.com\/2015\/05\/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process\/<\/a>.<\/li>\n<li>Elena Chernenko, Russia warns against NATO document legitimizing cyberwars May 29, 2013, 
Kommersant-Vlast found at <a href=\"http:\/\/rbth.com\/international\/2013\/05\/29\/russia_warns_against_nato_document_legitimizing_cyberwars_26483.html\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/rbth.com\/international\/2013\/05\/29\/russia_warns_against_nato_document_legitimizing_cyberwars_26483.html<\/a>.<\/li>\n<li>Lauri M\u00e4lksoo, The Tallinn Manual as an international event found at <a href=\"http:\/\/www.diplomaatia.ee\/en\/article\/the-tallinn-manual-as-an-international-event\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.diplomaatia.ee\/en\/article\/the-tallinn-manual-as-an-international-event\/<\/a>.<\/li>\n<li>Id.<\/li>\n<li>Ashley Deeks, Tallinn 2.0 and a Chinese View on the Tallinn Process, May 31, 2015 found at <a href=\"http:\/\/www.lawfareblog.com\/2015\/05\/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.lawfareblog.com\/2015\/05\/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process\/<\/a>.<\/li>\n<li>Lauri M\u00e4lksoo, The Tallinn Manual as an international event found at <a href=\"http:\/\/www.diplomaatia.ee\/en\/article\/the-tallinn-manual-as-an-international-event\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.diplomaatia.ee\/en\/article\/the-tallinn-manual-as-an-international-event\/<\/a>.<\/li>\n<li>See, Excerpt From: Schmitt (Editor). Tallinn Manual on the International Law Applicable to Cyber Warfare. 
Cambridge University Press, 2013, loc 209 - 351 of 7915, Kindle Ed.<\/li>\n<li>Liis Vihul, The Tallinn Manual on the International Law applicable to Cyber Warfare Published on April 15, 2013 found at <a href=\"http:\/\/www.ejiltalk.org\/the-tallinn-manual-on-the-international-law-applicable-to-cyber-warfare\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.ejiltalk.org\/the-tallinn-manual-on-the-international-law-applicable-to-cyber-warfare\/<\/a>.<\/li>\n<li>Id.<\/li>\n<li>Id.<\/li>\n<li>Ashley Deeks, Tallinn 2.0 and a Chinese View on the Tallinn Process, May 31, 2015 found at <a href=\"http:\/\/www.lawfareblog.com\/2015\/05\/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.lawfareblog.com\/2015\/05\/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process\/<\/a>.<\/li>\n<\/ol>\n<h3>References<\/h3>\n<p>Michael N. Schmitt (Editor). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013. 300 p.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We modeled the Cybersecurity Canon after the Baseball or Rock &amp; Roll Hall-of-Fame, except for cybersecurity books. 
We have more than 25 books on the initial candidate list, but we are soliciting &hellip;<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[155,4521],"tags":[271,251,1285,1284],"coauthors":[1286],"class_list":["post-9647","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-2","category-canon","tag-cyber-warfare","tag-cybersecurity-canon","tag-robert-clark","tag-tallinn-manual"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/9647","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=9647"}],"version-history":[{"count":9,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/9647\/revisions"}],"predecessor-version":[{"id":109930,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/9647\/revisions\/109930"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=9647"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=9647"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=9647"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=9647"}],"curies":[{"na
me":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}