A new manual is available online, the result of a three year effort by a panel of experts to “examine how extant international law norms apply” to cyber-warfare.
The Tallinn Manual pays particular attention to the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict, or international humanitarian law). Related bodies of international law, such as the law of State responsibility and the law of the sea, are dealt within the context of these topics.
The Associated Press report adds:
“Everyone was seeing the Internet as the `Wild, Wild, West,’” U.S. Naval War College Professor Michael Schmitt, the manual’s editor, said in an interview before its official release. “What they had forgotten is that international law applies to cyberweapons like it applies to any other weapons.”
The Tallinn Manual – named for the Estonian capital where it was compiled – was created at the behest of the NATO Cooperative Cyber Defense Center of Excellence, a NATO think tank. It takes existing rules on battlefield behavior, such as the 1868 St. Petersburg Declaration and the 1949 Geneva Convention, to the Internet, occasionally in unexpected ways.
The 282-page handbook has no official standing, but Roscini predicted that it would be an important reference as military lawyers across the world increasingly grapple with what to do about electronic attacks.
The new manual sets out ninety-five “black letter” rules governing cyberwars, some no-doubt controversial. Among them:
– State sovereignty gives states the right to exert control over cyber-infrastructure and cyber activity within their territories, whether it belongs to the government, corporations or private entities.
– Cyberattacks that cause damage are covered by the laws of warfare that prohibit aggressive and pre-meditated use of force.
– A cyber-attack is a “use of force” under international law if it does damage comparable to non-cyber operations which would also be considered a use of force.
– It would be illegal under international law for any State to knowingly allow cyber-infrastructure within its territory to be used to mount an attack on another state and the affected state would be within its rights to mount defensive countermeasures – not necessarily cyber-based – against the first state.
– For the purposes of international law, purely cyber-based conflicts between states and other states, or with non-state actors, can be classified as “armed conflict”, triggering all relevant international and humanitarian laws.
These rules have obvious ramifications, including that:
– Commanders and other superiors are criminally responsible for ordering cyber-attacks that constitute war crimes.
(StuxNet would fall under this rule – it was a pre-meditated and pre-emptive – i.e. illegal – attack that caused appreciable physical damage of the kind that could have been produced by a bomb)
– Cyber-combatants who are members of a state’s armed forces are entitled to P.O.W. status if captured.
– Civilians who participate in cyber-attacks that rise to the status of armed conflict lose their protection against retaliatory attack (by any means) while they are directly participating in cyber-activities.
(So yes, Obama can probably justify sending a drone at Anonymous members if he wants to.)
– Attacking civilian computers, data and networks during a cyber-conflict would be a war crime just like attacking civilian targets in a “real” war.Only military targets are lawful.
– Cyber-attacks that are “indiscriminate by nature” are just as unlawful as any other indiscriminate attack. Attacking food and water supplies, places of worship, medical facilities or nuclear electric generating stations would all be definite war crimes. (Uh, on the last, StuxNet again.)
There’s more, far more, at the link. Obviously this manual has been compiled by a panel which was heavy on participants with military or war college backgrounds, but it is intended to be a beginning of codification of the laws of cyber war and cyber war-crimes and it will no doubt be cited by states in the future. Everyone interested in the subject should be reading it.