The Tallin Manual: The Head, Shoulders, Knees and Toes of International Law and Cyber Warfare

By Matsiko Samuel[1]

The greatest challenge for states and international relations today is the manner and scope of international law’s applicability to cyber warfare and cyber operations. The legal regime regulating cyber operations remains unsettled. International law whether in the form of treaty regimes or customary international law was developed at a time when cyber technology and cyber operations was not a dominant feature of international relations. A group of experts have conducted an ambitious project that comprehensively analyses existing international law and its application to cyber operations. This analysis is published in a non binding document known as the Tallin Manual . This manual  is what I term as the head, shoulders, knees and toes of international law and cyber operations.

What is the Tallin Manual?

The NATO Cooperative Cyber Defence Centre of Excellence, The Embassy of the Kingdom of the Netherlands to the United States and the Atlantic Council on the 8th February 2017 co-organized the launch of the “Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations” This was followed by another launch in the Hague co-organized by the T.M.C.Asser Institute and the Netherlands Ministry of Foreign Affairs on 13th February 2017.

Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations is a predecessor of the 2013 Tallinn Manual on the International Law Applicable to Cyber Warfare. It is important to note the nomenclature of the current manual is a shift from cyber warfare to cyber operations. The 2013 Tallinn Manual is a massive 215 paged document that addresses the current  international cyber security law landscape and architecture. The manual is divided into sections of black letter rules with accompanying commentaries. The first chapter attempts to address issues of state sovereignty, jurisdiction and use of force. The latter chapters raise myriad legal questions from individual criminal responsibility, characterisation of international armed conflict, conduct of hostilities to improper use, perfidity and espionage.

With regard to espionage and the debates on cyber espionage, the second Tallinn Manual raises important legal questions. For example, whether cyber espionage reaching a particular threshold of severity violates international law? Whether one state hacking into a facility of a another state and  holding it as a cyber hostage violates international law?

What would constitute a cyber attack or cyber use of force?

The drafters of Tallin manual were faced with a challenge on the definition of what constitutes a cyber attack or cyber use of force? In rule 11 it is without a doubt they applied the approach articulated in the armed attack context in the Nicaragua Decission by the International Court of Justice (ICJ) . This approach mainly dealt with States but did not address issues of non-state private actors.

The issue of the attribution of international responsibility to States for conduct of a group of individuals within the territory of another State has become a question of control. Therefore if a cyber operation by  Uganda aided and abetted another cyber operation  in Estonia would thatconstitute a cyber attack? .However we need to be cautious and draw a line between attribution, effective control and overall control, the current  international jurisprudence is more reflective to state relations than private non -state actors.

The voyage on the unchartered waters of the applicability of international law and cyber operations was not only necessary it was timely. The Tallin manual is indeed the ABC guide or head, shoulders, knees and toes of international law and cyber operations. The 2017 version does a commendable job on addressing the law on state responsibility, which includes thelegal standards for attribution. Though more work needs to be done in adressing the interaction between international cyber norms and domestic cyber norms.

In sum the Tallin manual is not necessarily  a source international law it is merely an academic, non-binding manual on how international law applies to cyber conflicts. The practice of producing a non-binding manuals is not novel. Similar manuals have been published before such as the San Remo manual on International Law Applicable to Armed Conflicts at Sea.

[1] Matsiko Samuel (LLM) is Uganda lawyer and academic with a keen interest in international law. He is a lecturer at the faculty of law Uganda Christian University and Vice president of the International Law Association Uganda Branch http://www.ila-hq.org/en/branches/index.cfm/bid/1026.