The international community is still grappling with how to create a framework for normative behaviors, or norms, for how states should act and use cyber.
The current track has been to apply the rules of war, conflict and international law to a domain that by its very nature enables a great deal of confusion and obfuscation.
One of the key efforts in crafting internationally recognized norms in cyberspace has been the Tallinn Manual project, which recently celebrated the release of "Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations." Tallinn 2.0 follows the first Tallinn Manual, released in 2013, which focused on cyber operations that violate the prohibition of the use of force in international relations, where one state must not coerce another state with regard to things reserved to that state.
The genesis for the Tallinn project was in part due to what happened in Estonia in 2007 and the cyber operations as part of the armed conflict in between Russia and Georgia in 2008, Liis Vihul, project manger and managing editor of the Tallinn Manual Process, said at the Tallinn 2.0 rollout event at the Atlantic Council Feb. 8 in Washington. Those cyber operations made legal analysts and policy folks ask whether those operations were acceptable as a matter of international law or if they should be regarded as unlawful, she said.
The Tallinn 1.0 effort was successful in a lot of ways as a first real crack at the issue, but it’s not in itself law, it’s just the opinion of academics, Duncan Hollis, Associate Dean for Academic Affairs at Temple Law School, said during a panel discussion at the Carnegie Endowment for International Peace Feb. 6 in Washington. The Tallinn Manual is a treaty, it’s not custom, it’s not some general principles that states have to pay attention to, he added, noting that it did advance the conversation.
Additional criticism Tallinn 1.0 was subjected to was that it only focused on warfare, not peacetime or general relations between states and how cyber intersects that. Tallinn 2.0, however, expanded its scope to cover international law governing cyber operations to peacetime legal regimes and more common cyber incidents that a state might encounter day to day.
To that end, when discussing norms and state behavior use of cyber in warfare, Michele Markoff, deputy Coordinator for Cyber Issues at the State Department, described that Russian and Chinese counterparts were saying this is all well and good to talk about warfare, but they’re not seeing a lot of warfare. What they are seeing is a lot of malicious activity that’s very destabilizing, she said at Carnegie, adding that the goal should rather hone in on international cyber stability.
Three peacetime norms that were accepted among many in the international community Markoff said, being careful to clarify they only applied to peacetime and not conflict, they were nonbinding and voluntary, were don’t attack critical infrastructure, don’t attack computer emergency response teams unless it is engaged in offensive activity on behalf of the state and if a state is victimized by malicious activity emanating from your territory, you should help the victim state.
Markoff also addressed rhetorical criticism regarding what good these norms are doing if states continue to act maliciously. Norms are for the good guys, she asserted, adding they are for responsible state behavior for responsible states who then understand how states ought to behave. This base is for "good states" to understand when they might want to do something about the bad state behavior.
Waiving a norm agreement in front of Russia or China is not a deterrent, she explained, rather, it provides the ability to decide at what point other states think the transgressions have been of significant national implication that they and other responsible states may want to get together and do something.
Incidents such as the reported influence operation against the U.S. during the election, allegedly perpetrated by Russia, while provocative might bode well for developing international norms in this space as it forces states to take a position.
Discussions like crafting international norms can move slowly because states approach the subject cautiously, not wanting to restrict their own capabilities, saidMichael Schmitt, a law professor at the U.S.
Naval War College
and director of the Tallinn Manual project. Incidents such as the most recent election hacking allegations could force states to become more aggressive in pursuing laws and norms they otherwise would not have endorsed, he added.
DNC hack in 'legal gray zone'
During the Tallinn 2.0 rollout in Washington, Schmitt expounded on the DNC hacking incident and Russia’s behavior more broadly noting how this incident is a perfect example of what he calls the gray zone of international law.
In the manual, which was written before the DNC hack, Schmitt said elections was the example to illustrate domaine reserve – the principle in international law that prohibits one state from intervening in the internal affairs of another. Elections are the cleanest example of domaine reserve, he said as states have a right to choose their own representatives and government.
These gray areas are areas where many states will intentionally operate in Schmitt continued providing the example that a "spectacular Estonian attorney," who is no fried of the Russians, has objectively come to the conclusion that the DNC hack was not a violation of international law.
"So in this case, the Russians have selected an area of law in which to operate in which it will be hard for states to come to a consensus that they have violated international law," Schmitt said. "If states don’t move forward with a little more dispatch and a little more focus, our opponents are going to play in this gray area. The Russians are masters. It’s not that they’re bad lawyers…they’re spectacular lawyers."
He cited the example of Ukraine and the "masterful" way in which the conducted their destabilization of the country with the little green men and the election in Crimea. These are fuzzy from an intentional law perspective, he said.
Now that the Tallinn project has concluded, it will be up to states to use it to craft treaties and common operating procedures in cyberspace, even if it is just a reference.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.
