Cyber101x Cyberwar, Surveillance and Security - Week 5 - Cyber Security and Cyber Warfare

TALLINN MANUAL ON CYBER OPERATIONS

 DR DALE STEPHENS: The conduct of military operations has traditionally occurred in the land, sea, and air environments. To these theatres may also be added the cyber sphere. In recent years, it is becoming clearer that cyber offers an ideal means to address asymmetric disadvantage and renders marginal the traditional geographic boundaries that countries like Australia and the US, among others, have relied on in their ocean-bounded and relatively physically remote positions. Cyber operations have been defined as, "the employment of cyber capabilities with the primary purpose of achieving objectives in or by the use of cyberspace." This definition comes from the Tallinn Manual on cyber operations. This manual, which is not a treaty or an official state-sponsored restatement of international law, nonetheless represents the views of a number of legal experts on the state of cyber operations and the applicable law that applies to the conduct or such operations. It is fast becoming an authoritative source of clarification about the application of law in this area. By way of background, in 2009, the NATO Cooperative Cyber Defence Centre of Excellence, an international military organisation based in Tallinn, Estonia, invited an independent international group of experts to produce a manual on the law governing cyber warfare. The manual drafting team was headed by Professor Michael Schmitt of the US Naval War College and was completed in 2013. It represents a statement of the law applicable up to that point relevant to the conduct of armed conflict, and also deals with issues concerning the Jus ad Bellum, the law relating to resort to the use of force in the cyber field. The increase of publicly acknowledged cyber operations relating to incidents occurring in Estonia in 2007, Georgia in 2008 during its war with Russia, the Stuxnet worm that infiltrated Iranian nuclear programs in 2010, and the Sony attacks in 2014, all demonstrate the growing capacities of cyber to impact state and private activities. They also reveal the potential vulnerabilities of states and their infrastructure, and speak to the need for clarification of rules that apply in such contexts. By way of background to the attacks in Estonia in 2007, and the initiation of work associated with the Tallinn Manual, let's turn to Professor Michael Schmitt who provides the relevant background to the material. MIKE SCHMITT: In 2008, I received a phone call from the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, asking me to lead a project to look at the applicability of international law to cyber affairs. The reason they wanted to look at this was because the previous year in 2007, there had been what was, without a doubt, the major watershed event in cyber history. The story's actually a very fascinating one. Let me give it to you in a very short, overly concise rendition. What happened was during World War II, Estonia was an independent state. But it was conquered first by the Germans, then by the Soviets. Eventually, the Soviet Union took over Estonia, incorporated it into the Soviet Union. And like every major city, in every Soviet city, every major city in the Soviet Union, there was a statue commemorating the great patriotic war -- socialist realism statue, the soldier looking skyward fighting for the cause. There was one in Tallinn. And it was right in the centre of the city. In fact, it was in front of the major library there. So everyone could see this statue. Well, it was the great patriotic war to the Soviets, but it wasn't the great patriotic war to the Estonians. To the Estonians, it was the occupation of their countries for a period measured in decades. So when they got their independence, when they see this statue called the bronze statue in the middle of the city, this reminds them that their country had been occupied for over half a century. So they decide to move the statue. It actually created problems. Because by this time, 23% of the population is now ethnic Russian. They all came to Estonia because the cost of living was low, the standard of living was high. It's a very beautiful country. So they had come there and it had become a problem after independence because pro-Soviet/anti-Estonian independence folks would go there and bring flowers and disrupt the orderliness. So the city decides, let's move that statue. And they moved it to a Soviet war cemetery outside the city. But when they did, this caused rioting, physical rioting in the streets with the ethnic Russian minority. And contemporaneously with the rioting, there were massive cyber attacks against the country. And really, they were devastating cyber attacks because Tallinn, and the country more broadly, had, with the assistance of the Swedes, become very wired. They were starting from scratch. So the Swedes, who have a historical tie to Estonia, came in, wired the entire country. They do everything from vote to pay their parking online. It shut the country down and drew attention to the possibility of massive countrywide cyber operations. And so NATO set up this centre. So the centre asked me to convene a group. And I convened a group of 20 scholars from around the world, some working for government, some in their private capacity. And we spent three years looking at the international law that applied to two areas, the Jus ad Bellum, which is the law governing the use of force between states or between non-state groups and states; and war, armed conflict, international humanitarian law. And so after three years, we produced this manual that governs that. DR DALE STEPHENS: Interestingly, a Tallinn Manual 2 has also been commissioned. And it will look at cyber operations that do not meet the armed attack model and the international legal framework that applies in that context, which the Tallinn Manual 1 did not address. Work is progressing on this manual and it is expected to be completed in 2016. Let's again hear from Professor Schmitt, who describes the Tallinn 2 Manual process and contrasts that with the work done in Tallinn 1. MIKE SCHMITT: That process, that part of the Tallinn process, dealt with the problem that was most severe. It's where you have a cyber attack that shuts countries down, that kills people, that affects your critical national infrastructure. But on a day-to-day basis, if you're in Canberra, Washington, Paris, or Tallinn, that's not what you're dealing with. You're dealing with the lower intensity, more frequent cases of attacks against your companies, attacks against the Naval War College network, attacks against government facilities, and so forth. Some malicious, some by terrorists, some by other states. So once we finished the Tallinn Manual, the centre wanted to keep going. And now we are involved in a process called Tallinn 2.0 that looks at the less severe but more frequent operations that occur on a day-to-day basis. So we're looking at sovereignty, jurisdiction, state responsibility, countermeasures, law of the sea, law of the air, space law, and human rights among other areas, all below the threshold operations. We will do that through 2016. And sometime in 2016, publish Tallinn 2.0, which will be an expanded version of Tallinn 1. DR DALE STEPHENS: Throughout the modules of this topic, we will discover aspects of both cyber operations that do amount to an armed attack and those that fall short of that, but nonetheless, implicate international law that guides actions and responses. We will be anticipating to some extent what will appear in the Tallinn 2.0 Manual process. But we'll do so on the basis of accepted principle and reasonable inferences that can be drawn from those principles. Finally, a word about the role of the Tallinn Manual. It represents the latest iteration of a process that is becoming frequent nowadays in respect of groups of experts coming together to articulate what the law is in relation to a particular contentious topic. We have seen this with previous manuals, such as the 1995 San Remo Manual on the Law of Naval Warfare, the 2009 Harvard Manual on International Law Applicable to Air and Missile Warfare. And now, the Tallinn Manual on International Law Applicable to Cyber Warfare. Such manuals do carry intellectual weight and do influence decision-making processes within states. They do this not because of their inherent authority. They have no formal authority. But rather as a representation of the persuasiveness and accuracy of their views. Such a phenomena may be a reflection of the vibrancy of international law, but is also an indictment on the capacity of states to undertake this heavy lifting process themselves. It does remain the case that it is still states and only states that make international law. And hence, progress of law in this field does still require active involvement and collaboration in articulating agreed positions between such central players. Understanding this, it is insightful to hear Professor Schmitt make reference to the goals and also to the nature of the Tallinn Manual drafting process. To a large extent, unlike its predeccesors, the Tallinn Manual does largely arrive at a consensus view on a number of key principles, but also is written for state legal advisors in disclosing competing views on a topic and allowing for the mature considerations by such advisors on the merits of majority and minority positions on these matters. Let's turn now to a consideration of the law applicable to intrusive cyber operations that occur in the context of peacetime and which can and do violate international law and registers of lawful response open to states subject to such activities.