When Would Russia's Cyber Warfare Morph Into Real Warfare? Refer To The Tallinn Manual
Like a hippo being nibbled to death by a thousand piranha, the United States is an old cyber behemoth bleeding from the savvy carnivores of the digital age. Our regulations are not current, our defenses are not adequate and our people’s understanding is not sufficient. We are wide open to attack.
It is no wonder that Russia has developed a suite of more and more effective cyber weapons that are being used against the United States and several other nations around the world. With impunity.
But what happens if those attacks succeed too well? What if a cyberattack causes a blackout for 100 million people in the United States and a thousand people die as a result of no electricity for life-support systems, critical care or just panic? Do we go to actual war? Do we just respond in cyber-kind? Are there rules for this kind of thing?
It turns out there are. They’re in the Tallinn Manual on the International Law Applicable to Cyber Warfare. Written between 2009 and 2012 by the International Group of Experts at the invitation of NATO, the Tallinn Manual is an academic, non-binding study on how international law applies to cyber conflicts and cyber warfare. The manual was revised in 2017 and published by Cambridge University Press as a book titled Tallinn Manual 2.0.
Most people have heard of the Geneva Conventions for traditional, or kinetic, warfare. They resulted from a movement in the 1860’s for an international set of laws governing the treatment and care for the wounded and prisoners of war, and has been revised several times, most recently in 1949.
The Tallinn analysis states that ‘pre-cyber era international law applies to cyber operations, both conducted by, and directed against, states. This means that cyber events do not occur in a legal vacuum and thus states have both rights and bear obligations under international law.’
So the Tallinn Manual brings into the cyber era traditional Geneva Convention protections for many things, and states that, ‘The law of armed conflict applies to cyber operations as it would to any other operations undertaken in the context of an armed conflict.’
An example applies to prisoners of war, where the Manual prohibits publishing humiliating or degrading information on the Internet that has been gathered from prisoners or imagery taken of them in confinement – think Abu Ghraib. Rule 75 states:
‘Detaining parties must ensure their networks and computers are not employed to violate the honor or respect owed to prisoners of war and interned protected persons. Protection extends beyond the physical person. Prohibited cyber actions include posting defamatory information that reveals embarrassing or derogatory information or their emotional state. This would embrace, for example, posting information or images on the internet that could be demeaning or that could subject prisoners of war or interned protected persons to public ridicule or public curiosity.’
But what if the two parties are not in an armed conflict?
As Quinn Mockler, a cyber security researcher at Columbia Basin College near Hanford, Washington related the general view of researchers in the field, ‘The Internet is similar to the world’s ocean – no one owns it, but everyone uses it.’
The focus of the original Tallinn Manual was on severe cyber operations, those that violate the prohibition of the use of force in international relations, that entitle states to exercise the right of self-defense, or that occur during armed conflict.
Tallinn 2.0 added legal analyses of the common cyber incidents that occur on a day-to-day basis, and that supposedly fall below the thresholds of the use of force or armed conflict, as well as on issues of sovereignty and the various bases for the exercise of jurisdiction, human rights law, air and space law, the law of the sea, and diplomatic and consular law.
As Mockler breaks it down, Tallinn 2.0 has four main parts – General International Law and Cyberspace, Specialized Regimes of International Law and Cyberspace, International Peace and Security and Cyber Activities, and The Law of Cyber Armed Conflict.
‘The shortest part of the Manual is the third section, but it is the most important with subsections concerning Peaceful Settlement, Prohibition of Intervention, The Use of Force, and Collective Security.’ This part deals with having peaceful settlements emerge from conflict or potential conflict and considers when the use of force is allowed, and when an action is known as self-defense or how much of that action should be considered self-defense.’
So how does this apply to Russia’s relentless cyberattacks on America?
Michael Schmitt, editor of the Tallinn Manual and chairman of the U.S. Naval War College International Law Department opined that the Russian hacking of the DNC during the 2016 United States Presidential campaign was not an initiation of armed conflict. ‘It’s not a violation of the U.N. Charter’s prohibition on the use of force. It’s not a situation that would allow the U.S. to respond in self-defense militarily.’
Maybe not hacking the DNC, but what about hacking, or affecting, the election itself, something that has more recently come to light. That is an actual attack on the Constitution, on the sovereignty of America.
Does that rise to something that could be responded to with a kinetic attack? Isn’t preventing someone from becoming President akin to killing or incapacitating a head-of-state?
Expelling a few Russian diplomats and operatives, or putting on a few more sanctions, doesn’t seem to rise to the level of response warranted by such an attack on our sovereignty.
The Tallinn Manual’s opening section states that the accepted definition of sovereignty set forth in 1928 applies to cyber space as well. ‘It is the sovereignty that a State enjoys over territory that gives it the right to control cyber infrastructure and cyber activities within its territory.’ So a serious cyberattack is a sovereignty issue.
‘If such cyber operations are intended to coerce the government, the operation may constitute a prohibited ‘intervention’ or a prohibited ‘use of force’ (Rules 10 to 12). A cyber operation that constitutes a threat or use of force against the territorial integrity or political independence of any State, or that is in any other manner inconsistent with the purposes of the United Nations, is unlawful.’
So if a cyberattack effects a presidential election, that would certainly affect the ‘political independence of any State’ which might warrant a substantial response.
However, the manual then goes on to say that exceptions include the use of force pursuant to the right of self-defense (Rule 13).
In general, the Manual is vague on when it is lawful to respond to a cyberattack with the ‘use of force.’ In general, they are timid, reasonably wanting to de-escalate when possible, especially when it comes to nuclear powers like Russia and the United States.
Schmitt further argued that the Kremlin carries out operations that ‘fall short of breaching undisputed legal red lines that would invite robust responses,’ saying that Moscow did not conduct operations in the United States that caused deaths or significant, nationwide economic harm that would warrant the use of force in response.
Really? Causing trade wars with our allies, unilaterally pulling out of international treaties, slapping our farmers with tariffs, disrupting the NATO Alliance, and taking children from their mothers arms hasn’t had significant or economic nationwide effects? Boeing, in my home state, lost a $20 billion contract with Iran.
I’m not so sure these do not rise to the level warranting a more ‘robust response.’
It is important to note that Russia doesn’t follow the Tallinn Manual, and thinks it caters too much to western philosophy, which puts the West at another disadvantage.
Kalev Leetaru sums the Tallinn Manual in these words – ‘…in envisioning the future of cyber operations over the coming years, [the Tallinn Manual] paints a frightening nightmarish dystopia of how warfare is evolving from the tidy confines of the declared battlefield into an unbounded landscape in which anything and everything is likely to become fair game, from blowing up nuclear power plants to posting medical records online.’
It is fortunate that our nuclear plants are not hackable that way.
Leetaru goes on, ‘…by sketching out the frightening contours of the new cyber world, it should at the very least get governments thinking about how to better defend themselves in this brave and frightening new dystopia we live in, where war knows no borders.’
But does a nation have cyber borders as well as physical borders? If a country shot a missile at a bridge in San Francisco, but no one died, that would still constitute an act of war. If a country destroyed a power plant by hacking into its operational controls, but no one died, wouldn’t that still constitute an act of war?
Last year, officials from the Federal Bureau of Investigation and the Department of Homeland Security revealed that Russian hackers were behind cyber intrusions into the U.S. energy power grid. The intrusion illustrated the severe threat that Russian hackers pose to our most critical industries – energy, finance, healthcare, manufacturing and transportation. Harming ‘critical’ infrastructure sounds pretty serious.
In 2015, Russia tested these on the Ukrainian capital of Kiev. These tools were specifically developed to disrupt electric power grids and it blacked out 225,000 people in the Ukraine.
So do we just wait until a bunch of Americans die in a huge 100-million-person blackout that goes on for days? Maybe Russia would just say ‘Oops, that was not our intention, we were just trolling for passwords.’
If someone breaks into your house in the night, you are allowed to shoot them, even if they were only trying to steal your computer.