Following the NATO Tallinn Conference in Estonia in 2009, a call was made for a manual that outlined the position, with regard to international law, for the use of cyber warfare. The conference brought together, ‘some of the brightest minds in computer, network, and national security issues’, according to the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). The resultant manual has now been published, by Cambridge University Press, and is designed to offer guidance as to how international law applies to online attacks carried out for the purposes of, or as a result of, armed conflicts. NATO CCDCOE is quick to point out that, ‘The Tallinn Manual is not an official document, but instead an expression of opinions of a group of independent experts acting solely in their personal capacity. It does not represent the views of the Centre, our sponsoring Nations, or NATO. It is also not meant to reflect NATO doctrine, nor does it reflect the position of any organisation or State represented by observers.’ Despite this, the booklet is promoted by NATO CCDCOE, and the relevant NATO website also includes a free-to-view draft of the document. Cyber warfare operations first started to appear in the 1990s, and the US Naval War College held a legal conference covering the issues in 1999. Other high profile incidents and conflicts pushed the topic down the agenda in the following years, but the increased use of cyber attacks as tools of warfare in Eastern Europe, along with incidents where the Iranian nuclear facilities were targeted with the Stuxnet worm” believed by many to have been created in a joint initiative by the United States and Israel” brought the issue back into focus. The UK’s National Security Strategy states that, ‘cyber attack, including by other States, and by organised crime and terrorists’ is a Tier One threat to national security. To put this into context, it is classed alongside international terrorism, military action between other States, and major accidents or natural hazards. Equally, the United States has stated that cyber threats represent a serious national security, public safety and economic challenge. In 2010, following the Tallinn Conference, NATO itself committed to develop an ability to ‘prevent, detect, defend against and recover from cyber attacks, including by using the NATO planning process to enhance and coordinate national cyber defence capabilities’. It was recognised that the implementation of international law in cyber operations, whether in offence or defence, would present a challenge, not least because most legal frameworks were created prior to cyber warfare becoming a reality. Additionally, it is recognised that cyber capabilities may develop and increase faster that the creation of relevant laws and treaties. There has been debate as to whether existing international law actually applies to cyber-based attacks, and if so, to what degree can law applying to armed conflict be used. Views vary from those that cyber warfare is covered by laws relating to the use of force, citing that laws are pertinent regardless of the weapons employed. Others argue that all actions not specifically forbidden in international law are generally permissible. However, the lack of a clear definition relating to which laws are applicable does not relieve any States participating in such attacks of their legal obligations. The aim of the manual is to address this level of ambiguity. The Tallinn Manual encompasses both international law governing the resort to force by States as an instrument of their national policy, and law regulating the conduct of armed conflict. Cyber activities which are not considered ‘use of force’, such as cyber criminality, are not addressed, nor are issues such as international human rights or telecommunications laws. The booklet is not intended to imply to suggest future law, or insinuate best practice or preferred policy. Instead it attempts to highlight the application of law to cyber activities. Examples of guidance including the prohibition of cyber attacks designed to affect hospitals, medical facilities or the sick, or designed to cause infrastructure or supply-chain disruption that could affect the delivery of food, water or other essential services to civilians. Also excluded are attacks on civilian populations or individual civilians, cultural or religious sites, dams, nuclear power stations, and objects indispensable to the survival of the civilian population. However, civilians that take part in cyber attacks could be viewed as legitimate targets for counter strikes using conventional armed conflict. Rules on the prohibited use of booby trap devices are also translated into the cyber world. For example, an email with an attachment containing malware could be sent to an employee of a water treatment plant, purportedly from his doctor, which – when opened – caused the puriﬁcation process to be ceased. This could then allow untreated water to enter the supply to both military and civilian users. The intended purpose of such an attack would be the creation of illness. The Manual considers that this would be an unlawful cyber booby trap because the recipient reasonably believes that opening an email from his doctor is safe to himself and others, because it appears to be related to medical activities.
NATO CCDCOE’s suggested Tallinn Manual for ‘Cyber Warfare’ published
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.