A response to some of the issues raised in the January 30, 2014 post The Ethics of Cyberweapons:
Between 2009 and 2013 a group of 20 international law experts labored to produce the Tallinn Manual on the International Law Applicable to Cyber Warfare. The manual was a response to claims that cyberspace was a legal void during armed conflict. The experts, consisting of both practitioners and distinguished international law scholars, unanimously concluded that the existing norms of international law applied fully in cyberspace, although in certain circumstances the nature of cyberspace might require a degree of interpretation to fit the cyber context. Although States were initially hesitant to embrace the project, the Tallinn Manual has been widely accepted as a generally accurate restatement of the international law governing cyber operations during an armed conflict or a hostile exchange between States.
A number of issues that were addressed in the Manual continue to be characterized as unsettled in non-legal communities. This tendency is skewing the debate over cyber operations. Prominent among these is confusion regarding law surrounding governing responses to cyber attacks. All of the experts involved in the project agreed that it was legally permissible to respond to cyber attacks by kinetic means, and vice versa. The question is not so much the nature of an attack, but its intensity. Forceful responses, whether kinetic or cyber in nature, are only lawful in response to a cyber attack rising to the level of an “armed attack”, as that term appears in Article 51 of the UN Charter. Forceful cyber or kinetic responses to cyber attacks falling below that threshold are only permissible with UN Security Council authorization. Absent that authorization, States may only respond consistent with the law of “countermeasures”, which does not permit the use of cyber or kinetic actions.
Another common misconception is that it is unlawful for civilians to engage in cyber operations during an armed conflict. In fact, international law contains no such prohibition. However, civilians who “directly participate in the hostilities” lose their protection from attack for such time as they are so participating. Thus, the enemy may attack civilians (such as individual hacktivists, government contractors, or member of the intelligence services) if they engage in hostile cyber operations. Additionally, unlike members of the Armed Forces, civilians who directly participate in hostile cyber operations may be prosecuted by another State for violations of its domestic law. In other words, they do not enjoy the “belligerent immunity” for combat activities that are lawful for soldiers. As an example, if a civilian conducts a cyber operation that results in the death of a member of the enemy’s armed forces, the enemy State could later prosecute for murder under its domestic law. But the point remains that civilians are not prohibited from conducting cyber operations by international law and there is no international law prohibition on States turning to them for such operations.
Finally, misunderstanding exists with respect to directing cyber operations against the civilian population during an armed conflict. In fact, international law only prohibits “attacking” civilians. There is an ongoing debate in the international law community over the meaning of “attack” in the cyber context. However, general consensus has been achieved that not every operation in cyberspace intended to affect or influence a civilian population is unlawful. In particular, cyber operations that merely inconvenience or irritate the civilian population, as in interfering temporarily with the connectivity of nonessential systems or conducting psychological campaigns employing the Internet, are lawful. There is, on the other hand, also complete agreement that any operation against civilians or civilian property that causes injury or physical damage qualifies as an “attack” and would therefore be unlawful.
The Tallinn Manual only addresses hostile cyber operations that implicate the UN Charter’s provisions on the use of force or that occur during an ongoing armed conflict. The NATO Cooperative Cyber Defence Centre of Excellence, sponsor of the Tallinn Manual project, has launched a follow-on three-year project (Tallinn 2.0) to examine malicious cyber operations at lower levels of intensity.
Michael N. Schmitt is Stockton Professor of Law at the Naval War College, Professor of Law at Exeter University, and Senior Fellow at the NATO CCD COE. He directed the Tallinn Manual project. The comments are in his personal capacity.