The road ahead for norms in cyberspace: Moving forward from Tallinn 2.0

by Elizabeth Dominic

Digitalisation has become an integral part of our life. Our increasing reliance on digital infrastructures is linked to the use of cyberspace as a new domain for disrupting international peace and security, with cyber operations becoming an increasingly prominent threat. However, the laws governing such cyber operations remain unclear. There have been some attempts amongst the international community to transpose the existing international law framework to the cyber domain to regulate it. This post will briefly look into the processes that are ongoing for the development of cyberspace norms and will focus specifically on the Tallinn Manual 2.0 and its application of the principle of sovereignty in cyberspace.

The UN Group of Governmental Experts on Developments in the field of information and telecommunications in the context of international security (UN GGE)

The UN adopted digital security as part of its agenda in 1999, following which the UN GGE was formed in 2004. There have been five iterations of the UN GGE. The 2013 and 2015 reports of the UN GGE established that current international law applies to cyberspace and reached some agreement on principles applicable to the responsible behavior of states. A brief discussion of the contributions of the first four UN GGE can be found here. This group collapsed in mid 2017 due to the failure of the states to arrive at a consensus on the application of certain norms of international law (specifically, relating to self defence and countermeasures) in the cyber domain. Accordingly, the future of the group is now uncertain.

The Tallinn Manual Project

As increasing number of states are subjected to cyber operations from rival states and non-state actor groups, it is crucial to establish what laws regulate them to ensure stability, security and accountability. This has been the aim of the group working on the Tallinn Manual. The Tallinn Manual is an international academic initiative that examines the applicability of international law to cyber operations. The project consists of two manuals: Tallinn Manual 1.0 on the International Law Applicable to Cyber Warfare (hereinafter Tallinn Manual 1.0) and Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (hereinafter Tallinn Manual 2.0) published in 2013 and 2017 respectively. The Manuals were prepared by an International Group of Experts under the invitation of the NATO Cooperative Cyber Defense Centre of Excellence following the cyber operations directed against Estonia in 2007. A brief analysis of Tallinn Manual 1.0 can be found here.

Tallin Manual 2.0: Objective

The Tallinn Manual 2.0 is a four-year follow-on project on Tallinn Manual 1.0. It is a compendium of 154 ‘black letter rules’[1] accompanied by a commentary on each rule prepared by a (new) group of international law experts along with the unofficial input of many states. While the Tallinn Manual 1.0 examined how to apply existing international law norms to cyber warfare, the Tallinn Manual 2.0 expanded on this endeavor by extending the focus to cyber operations in general. The former focused on the most severe cyber operations – i.e. the ones that amount to use of force, armed attacks entitling the victim state to engage in self-defense, and/or take place during armed conflicts. The latter additionally examined the application of international law norms to cyber operations that do not satisfy the threshold of use of force or armed attack and take place during peacetime.[2]

Tallinn Manual 2.0 has analyzed a state’s rights and obligations under international law while engaging in cyber actions outside the context of an armed conflict to further national interests. Some of the principal grey areas of law addressed in the Tallinn Manual 2.0 are:[3]

  • The principle of state sovereignty in cyber space
  • How governments can respond within the framework of international law
  • Principle of attribution
  • State responsibility

Additionally, the Tallinn Manual 2.0 addresses various specialized regimes of international law – human rights, air and space law, law of the sea and diplomatic and consular law – in the context of cyber operations.

Tallinn Manual 2.0: Sovereignty in Cyberspace

One of the most politically delicate legal issues that was addressed in depth in Tallinn Manual 2.0 was the application of the concept of sovereignty in cyberspace. Sovereignty is the underlying principle of international law. It is defined as the “supreme authority of every state within its territory”.[4] It entitles a state to engage in the functions of a state within its territory, to the exclusion of other states.[5]

According to the Tallinn Manual 2.0, cyber space is also governed by the principle of sovereignty. Rule 4[6] of Tallinn Manual 2.0 states “A state must not conduct cyber operations that violate the sovereignty of another state”. Tallinn Manual 2.0 lays down two grounds for determining violations of sovereignty:[7] a) degree of infringement upon the target state’s territorial integrity; and b) whether there has been an interference with or usurpation of inherently governmental functions. Determination of the first ground is based on three factors-

1) Physical damage

2) Loss of functionality

3) Infringement falling below the threshold of loss of functionality

There was unanimous consent amongst the experts with respect to the application of first two factors as they have close resemblance to what would entail a violation of sovereignty in the non-cyber context. Regarding the third factor, the experts were divided.

Cyber espionage will be an issue that falls under this category. In the absence of sufficient state practice and opinio juris, customary international law does not prohibit espionage per se. However, the International Group of Experts concurred that the means employed to perform cyber espionage may at times be unlawful, thereby resulting in a violation of international law obligations of states, including respect for the principle of sovereignty.

With respect to cyber espionage[8] conducted by one state while physically present on the territory of the victim state, a majority of the experts felt that it would be in violation of sovereignty. On the other hand, remote cyber espionage despite its severity was concluded by the majority to not violate sovereignty.

This is problematic because some incidents of cyber espionage may result in severe consequences such as exfiltration of nuclear launch codes that can pose a serious threat. Therefore upholding the view that remote cyber espionage irrespective of the severity of its consequences does not violate sovereignty might not be ideal. Tallinn Manual 2.0 also fails to give a definite answer to whether cyber operations targeted against the online resources of terrorist organizations hosted on the infrastructure of a foreign state violates the territorial integrity of the state. This emphasizes the limitations of the adaptive process, and leads us to the value of independent norm-development processes such as the UN GGE.

The International Group of Experts unanimously agreed on the second ground for determination of violation of sovereignty even though they could not give a definite definition for “inherently governmental functions” which may again as a loophole for states engaging in cyber operations. Tallinn Manual 2.0 cited few examples that can be referred to, to understand what constitute inherently governmental functions- “delivery of social services, conduct of elections, collections of taxes, the effective conduct of diplomacy, and the performance of key national defense activities”.[9] Additionally the group also stated that an inherently governmental function could be performed either by the state or by a private party.

Tallinn Manual 2.0 has provided insights on the application of the principle of sovereignty in cyberspace. But it has not managed to give definitive answers on its application in various contexts. Therefore, sovereignty will definitely be up for future discussions.

Conclusion

The Tallinn Manual 2.0 affirms the application of existing framework of international law to cyberspace. It is strictly a compilation of the expression of opinions of the international group of experts and is therefore non-binding on the states. However, it can serve as a guide for international conversations on how international law applies to cyberspace. But there are still grey areas for which Tallinn Manual 2.0 cannot provide guidance, application of sovereignty in cyber space being one of them. States may choose to primarily focus on those areas and develop norms through state practice and opinio juris. In the absence of definite norms however, states will continue to play in this grey area without fear of rebuke.

 
[1] Restatements of international law in the context of cyberspace, which obtained unanimity amongst the International Group of Experts who drafted the Tallinn Manual.
[2] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 3 (Michael N. Schmitt gen. ed., 2017)
[3] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Michael N. Schmitt gen. ed., 2017)
[4] Oppenheim’s International Law 564 (Robert Jennings et al. eds., 9th ed. 2008).
[5] Island of Palmas Case (U.S. v. Netherlands), 2 Reports of International Arbitral Awards 838 (1928).
[6] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 17–27 (Michael N. Schmitt gen. ed., 2017).
[7] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 20–27 (Michael N. Schmitt gen. ed., 2017).
[8] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 168–174 (Michael N. Schmitt gen. ed., 2017).
[9] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 22 (Michael N. Schmitt gen. ed., 2017).
 

This message is only visible to admins.

Problem displaying Facebook posts.
Click to show error

Error: Error validating access token: The user has not authorized application 1332798716823516.
Type: OAuthException
Subcode: 458
Solution: See here for how to solve this error