Revisiting Tallinn Manual 2.0 and Cyber Governance

The Cooperative Cyber Defence Centre of Excellence (CCDCOE) of the North Atlantic Treaty Organisation (NATO) assembled a group of experts to consider the issue in light of the importance of State activity in cyberspace and the lack of public positions by States regarding the application of international law to cyberspace.^[1] It was the first initiative by academicians to produce a manual on cyber governance jointly. Therefore, it was widely discussed by states and other scholars. The Tallinn Manual, version 1.0, comprises 95 principles that, according to the experts, represent current conventional or customary international law and explain how such legal systems relate to State acts in cyber warfare.^[2]

Tallinn Manual 1.0 did not cover civil cyber activities and primarily focused on cyber state-armed conflict issues. To "bring clarity to the complex legal issues surrounding cyber operations," "Tallinn 1.0" addressed questions of sovereignty, state accountability, jus ad bellum, international humanitarian law, and neutrality law.^[3] Subsequently, Tallinn Manual 2.0 was also prepared by the academicians, and it addressed the issues which needed to be covered by Tallinn Manual 1.0. This article will address how Tallinn Manual has played a role in addressing cyber global governance.

WHAT IS TALLINN MANUAL 2.0, AND HOW IS IT DIFFERENT FROM TALLINN MANUAL 1.0:

The Tallinn Manual 2.0 was published in February 2017. It lists 154 "black letter" laws that apply to these cyber activities and gives in-depth comments on each. It covers issues like human rights and the law of the air, space, and sea, in addition to sovereignty and state accountability.^[4] The Tallinn manual is not associated with NATO or any other state organization; more importantly, it is a set of commentaries using case laws and treaties to extend international law principles towards cyberspace. There are two different text kinds in the Manual. "Black letter rules" needed unanimity and are intended to represent lex lata (the law as it is), not lex ferenda (what the law ought to be). They are reaffirmations of the law and are extensively formulated in light of the necessary consensus.^[5]

As cyberspace was being misused daily by non-state actors and the state, the Tallinn manual 1.0 seemed irrelevant. Therefore, the Tallinn Manual 2.0 has shifted away from traditional state-authorized and operated cyberwarfare and towards small-bore deniable cyber operations, which comprise the majority of current day-to-day cyberattacks.^[6] It is noteworthy that, in just four years, the title of the book has changed from "Cyber warfare" to "Cyber operations," reflecting the fact that, in today's reality, cyber strikes most frequently fall below the threshold at which international law would generally proclaim them to be a legal act of war.^[7] As a result, the Tallinn manual 2.0 addressed more complex situations in cyberspace as the cyber strikes were falling into a "grey zone" wherein it was neither legal nor illegal under international law.

Although the input did not obligate the IGE, Tallinn Manual 2.0 mentions it without naming the state (s) in question to the degree that it represented acceptable legal judgments.^[8] The IGE also accepted the advice from states who commented on specific chapters of the Manual and corrected the Manual. Furthermore, aside from State participation, portions of the handbook were forwarded to more than 50 professional peer reviewers from every continent for feedback.^[9] Hence, the Manual is not solely a product of IGE.

The Tallinn manual 2.0 is not international law. However, it is an assessment of the state of the law. The Manual assists the state, as the Manual provides a general understanding of the global consensus regarding cyberspace to the states while drafting their legal policies.

ISSUES ADDRESSED UNDER  TALLINN MANUAL 2.0:

Tallinn manual 2.0 examines the current status of international law and how it may be applied to various scenarios, and it covers a variety of legal issues that frequently come up in cyber operations. Its panel of drafters struggled to agree on several issues, highlighting the difficulties and ambiguities in cyberspace.^[10] The Tallinn Manual 2.0 have acted neutral and specified that it has no force of law; it just reflects the existing international law to the cyberspace challenges.

The Manual has addressed sovereignty as its first general law. According to Rule 4's expert finding, sovereignty is a principle of international law, and its breach constitutes an international crime.^[11] Under this, the Manual has also addressed the trending issue of espionage; the states committing espionage will not be a violation of sovereignty. According to it, as a matter of domestic law, states commonly forbid espionage techniques, yet, this is not seen as a breach of their sovereign rights.^[12] In this section, the experts had disagreements, and due to a lack of legal consistency across the cyberspace domain, it would be not easy to have a similar understanding of sovereignty. At the Tallinn Manual 2.0's U.S. debut, Mike Schmitt repeated this. He said that he believed nations will need to clarify their stances on sovereignty if asked what aspect of the Manual is most likely to alter in the following five years.^[13]

The second general law addressed by the Manual is due diligence. The Manual recognized that it is a state obligation under international law to apply due diligence. However, the experts discussed the degree to which the standard must be applied to a state. According to the Manual, States must only address transboundary harm with substantial adverse effects. Not all transboundary harm is believed to fall below the cutoff point at which the due diligence concept would apply.^[14]

The third general law addressed by the Manual is jurisdiction. "Subject to limitations outlined in international law, a State may exercise territorial and extraterritorial jurisdiction over cyber activities," states the first rule on jurisdiction.^[15] The Manual has covered all three traditional jurisdiction types: prescriptive, enforcement, and adjudicative. According to the Manual, the state can exercise jurisdiction over its territory. Nevertheless, the state can exercise jurisdiction extraterritorially when a state national is involved and the state gets consent from the host nation where their national resides. Territorial jurisdiction is covered in Rule 9, confirming that both subjective and objective territorial jurisdiction applies to cyber activities.^[16] The manual states that a few treaties, like Convention on Cybercrime, would assist in invoking the extraterritorial enforcement privilege. A rule on immunity and international cooperation round out the jurisdiction chapter.^[17]

The fourth general law addressed is the Law of International Responsibility. In this section, the Manual has discussed state responsibility for cyber-related acts, laid guidance on counter-measures, and discussed cyber-terrorism. Rules 15 through 17 deal with attribution problems, which are crucial for locating the perpetrators of cyber events. Accurate responses and guaranteeing responsibility are essential components of efficient cyber governance, and both depend on proper attribution.^[18] This part of the Manual lays a foundation for cyber governance as it includes counter-measures, principles of state responsibility, and attribution; these factors will be crucial to shaping the legal framework. Lastly, the Manual has signaled that it is crucial for developing cyber governance standards that governments adopt international legislation to improve the efficacy of cyber counter-measures. This demonstrates how dynamic cyber governance is and how it is necessary to change to keep up with developing cyber threats and technology.^[19]

Apart from these general laws, more detailed specific laws are discussed in the Manual among the experts.

In this manual few standouts topics are also discussed. Firstly, when it came to whether distant cyber espionage that reached a certain threshold of severity violated international law, the panelists "were unable to come to a consensus."^[20] Secondly, the Manual addressed an interesting case in which the military uses the internet ability to harass. In this case, the Manual used Geneva Convention protections for prisoners of war in the cyber era to interpret the cyber era. In conclusion, the Manual condemned the harassment of prisoners of war. It advised the country holding the detainees must "take precautions against public and private actors' access to the communications, financial resources, or electronic records of prisoners of war or interned protected persons."^[21] Thirdly, the Manual also discussed the concept of "cultural property" and digital physical artifacts. Lastly, the Manual addressed the issue of sensitive information like a medical condition and genes being digitized. The authors claim that it is "clearly unlawful" to utilize digitalized historical records on a population to identify people's ethnic backgrounds to facilitate genocide, crimes against humanity, or war crimes.^[22]

HOW THE TALLINN MANUAL 2.0 WILL ASSIST IN THE CYBER GOVERNANCE?

The Tallinn Manual 2.0 provides direction, clarifies legal concepts, and offers a shared understanding of how international law relates to cyber activities, serving as a vital resource and framework to aid in cyber governance. It offers precise explanations and applications of current concepts of international law to the setting of cyberspace. Because of this clarity, states, organizations, and people can better comprehend their duties and rights in the digital sphere. The Manual has also got appreciation from the nations, which shows the nations are willing to have lawful cyber governance. For example, a representative of the Dutch Ministry of Foreign Affairs said, "This is a complex challenge, but it is relevant for a growing number of States and therefore requires broad and inclusive engagement," adding that he said "The Netherlands is a strong supporter of clarifying the application of existing international law in cyberspace... A good source of scholarly interpretation in this area is the Tallinn Manual.^[23]

The manual aids in creating a shared understanding among cyber actors by providing a consensus-based interpretation of international law. This uniformity helps make behavior in cyberspace more predictable and comprehensible. It presents policies and procedures that encourage responsible conduct and obstruct malevolent activity online. This lowers the likelihood of conflict and promotes conformity to international rules, which improves cybersecurity. The Manual made the "game" more straightforward for the participants to comprehend, and clear rules may reduce escalation. They reduce the possibility that the States taking part in a cyber exchange may erroneously perceive the behavior of their adversaries.^[24]

However, interestingly, the Manual spends little time discussing the legal issues surrounding autonomous cyber weapons that can make decisions entirely on their own and how those might fit into the concept of international law, even though deep learning and autonomous warfare are rapidly evolving fields.^[25] Therefore, cyber governance must include this subject as it is vital in an age of AI technology.

The guideline strongly emphasizes state accountability and responsibility for their online behavior. It makes it more difficult for nations to undertake cyber operations secretly or with impunity by creating a framework for assigning blame for cyber mishaps. States might concentrate their efforts where legal clarification is required and in their national interest by knowing the areas where application and interpretation are vulnerable to divergent viewpoints. By providing such clarification by the manual, other States will be discouraged from abusing these murky areas of cyber regulation.^[26] The manual discusses how current legal systems can be used to resolve cyber issues. This awareness might help avoid confrontations existing-exi by identifying alternatives to using forecasting ones. More importantly, in this bold and terrifying new dystopia we live in, where conflict knows no boundaries, the Manual has sparked a discussion that it should, at the very least, start governments thinking about how to better defend themselves by outlining the terrifying outlines of the new cyber world.^[27]

CONCLUSION:

In conclusion, Tallinn 2.0 is a significant contribution to cyber governance, providing comprehensive insights and guidelines on how international law applies to cyberspace. The rapid evolution of cyber technologies has outpaced the development of adequate legal frameworks, leaving a vacuum in global cyber governance. However, the Tallinn Manual 2.0, an initiative led by the Cooperative Cyber Defence Centre of Excellence (CCDCOE) of NATO, addresses this gap by offering a detailed and well-reasoned approach to the complex legal challenges posed by cyberspace.

The Manual has evolved from its predecessor, Tallinn Manual 1.0, which primarily focused on state-authorized and -operated cyber warfare. Recognizing the increasing prevalence of non-state actors and small-scale deniable cyber operations, Tallinn Manual 2.0 emphasizes encompassing a broader range of cyber activities. Its 154 "black letter" laws, accompanied by comprehensive commentary, provide a robust framework for interpreting international law in the context of cyberspace.

The manual covers various issues, including sovereignty, due diligence, jurisdiction, and the law of international responsibility. These topics, which have significant implications for state behavior in cyberspace, are addressed through extensive discussions and expert consensus. By clarifying these concepts, the manual offers states and other stakeholders a shared understanding crucial for fostering responsible behavior and preventing conflicts in the digital realm.

The Tallinn Manual 2.0 does not have the status of international law but instead assesses the existing legal landscape. Nonetheless, its impact on cyber governance is substantial. The Manual assists states in formulating legal policies and strategies by providing a reference point for interpreting international norms in cyberspace. It also underscores the importance of state accountability and responsibility for cyber actions, discouraging malicious activities and promoting stability.

The Manual is pivotal in guiding states and other actors toward a more regulated and secure cyber environment in a world where cyber threats transcend geographical boundaries. While it does not address all emerging challenges, such as fully autonomous cyber weapons powered by artificial intelligence, its existence prompts discussions and considerations for the future evolution of cyber governance.

The Tallinn Manual 2.0's influence goes beyond nations and organizations recognizing and appreciating it. Its ability to provide clarity, establish common understanding, and guide responsible conduct significantly enhances global cybersecurity and stability. By shedding light on the intricate intersection of international law and cyberspace, the Manual is a beacon of guidance in an era where the digital domain plays an increasingly critical role in international affairs.

Notes  

^[1] Schmitt, M. N. (2013, March 1). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge Core. https://doi.org/10.1017/CBO9781139169288

^[2] International Law in Cyberspace. (2023, January 27). International Law in Cyberspace. https://www.americanbar.org/groups/law_national_security/publications/aba-standing-committee-on-law-and-national-security-60-th-anniversary-an-anthology/international-law-in-cyberspace/

^[3] CCDCOE. n.d. CCDCOE. https://ccdcoe.org/news/2020/ccdcoe-to-host-the-tallinn-manual-3-0-process/

^[4] Guides: International and Foreign Cyberspace Law Research Guide: Tallinn Manual & Primary Law Applicable to Cyber Conflicts. (2023, July 11). Tallinn Manual & Primary Law Applicable to Cyber Conflicts - International and Foreign Cyberspace Law Research Guide - Guides at Georgetown Law Library. https://guides.ll.georgetown.edu/cyberspace/cyber-conflicts

^[5] Schmitt, M., Goodman, R., Eisen, N. L., Watt, S., Rice, A., Barrilleaux, F., Markman, B., Nevett, M., Kolb, J., Stanton, J., Warren, A., Finucane, B., Hashimoto, E. J., Rosenblat, M. O., Mejia, S. C., Owiso, O., Nakandha, S., Tribe, L. H., Sikorsky, E., . . . Jones, A. E. (2017, February 9). Tallinn Manual 2.0 on the International Law of Cyber Operations: What It Is and Is not - Just Security. Just Security. https://www.justsecurity.org/37559/tallinn-manual-2-0-international-law-cyber-operations/

^[6] Leetaru, K. (2017, February 9). What Tallinn Manual 2.0 Teaches Us About The New Cyber Order. Forbes. https://www.forbes.com/sites/kalevleetaru/2017/02/09/what-tallinn-manual-2-0-teaches-us-about-the-new-cyber-order/

^[7] Ibid

^[8] Schmitt, M., Goodman, R., Eisen, N. L., Watt, S., Rice, A., Barrilleaux, F., Markman, B., Nevett, M., Kolb, J., Stanton, J., Warren, A., Finucane, B., Hashimoto, E. J., Rosenblat, M. O., Mejia, S. C., Owiso, O., Nakandha, S., Tribe, L. H., Sikorsky, E., . . . Jones, A. E. (2017, February 9). Tallinn Manual 2.0 on the International Law of Cyber Operations: What It Is and Isn’t - Just Security. Just Security. https://www.justsecurity.org/37559/tallinn-manual-2-0-international-law-cyber-operations/

^[9] Ibid

^[10] Leetaru, K. (2017, February 9). What Tallinn Manual 2.0 Teaches Us About The New Cyber Order. Forbes. https://www.forbes.com/sites/kalevleetaru/2017/02/09/what-tallinn-manual-2-0-teaches-us-about-the-new-cyber-order/

^[11] (2018, May). THE TALLINN MANUAL 2.0: HIGHLIGHTS AND INSIGHTS . https://www.law.georgetown.edu/international-law-journal/wp-content/uploads/sites/21/2018/05/48-3-The-Tallinn-Manual-2.0.pdf

^[12] Ibid

^[13] Ansley, R. (2017, February 15). Tallinn Manual 2.0: Defending Cyberspace. Atlantic Council. https://www.atlanticcouncil.org/blogs/new-atlanticist/tallinn-manual-2-0-defending-cyberspace/

^[14] (2018, May). THE TALLINN MANUAL 2.0: HIGHLIGHTS AND INSIGHTS . https://www.law.georgetown.edu/international-law-journal/wp-content/uploads/sites/21/2018/05/48-3-The-Tallinn-Manual-2.0.pdf

^[15] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations | Humanitarian law. (n.d.). Cambridge University Press. https://www.cambridge.org/in/universitypress/subjects/law/humanitarian-law/tallinn-manual-20-international-law-applicable-cyber-operations-2nd-edition?format=HB&isbn=9781107177222

^[16] (2018, May). THE TALLINN MANUAL 2.0: HIGHLIGHTS AND INSIGHTS . https://www.law.georgetown.edu/international-law-journal/wp-content/uploads/sites/21/2018/05/48-3-The-Tallinn-Manual-2.0.pdf

^[17] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations | Humanitarian law. (n.d.). Cambridge University Press. https://www.cambridge.org/in/universitypress/subjects/law/humanitarian-law/tallinn-manual-20-international-law-applicable-cyber-operations-2nd-edition?format=HB&isbn=9781107177222

^[18] (2018, May). THE TALLINN MANUAL 2.0: HIGHLIGHTS AND INSIGHTS . https://www.law.georgetown.edu/international-law-journal/wp-content/uploads/sites/21/2018/05/48-3-The-Tallinn-Manual-2.0.pdf

^[19] Ibid

^[20] Leetaru, K. (2017, February 9). What Tallinn Manual 2.0 Teaches Us About The New Cyber Order. Forbes. https://www.forbes.com/sites/kalevleetaru/2017/02/09/what-tallinn-manual-2-0-teaches-us-about-the-new-cyber-order/

^[21] Ibid

^[22] Ibid

^[23] CCDCOE. (n.d.). CCDCOE. https://ccdcoe.org/news/2020/ccdcoe-to-host-the-tallinn-manual-3-0-process/

^[24] Schmitt, M., Goodman, R., Eisen, N. L., Watt, S., Rice, A., Barrilleaux, F., Markman, B., Nevett, M., Kolb, J., Stanton, J., Warren, A., Finucane, B., Hashimoto, E. J., Rosenblat, M. O., Mejia, S. C., Owiso, O., Nakandha, S., Tribe, L. H., Sikorsky, E., . . . Jones, A. E. (2017, February 9). Tallinn Manual 2.0 on the International Law of Cyber Operations: What It Is and Isn’t - Just Security. Just Security. https://www.justsecurity.org/37559/tallinn-manual-2-0-international-law-cyber-operations/

^[25] Leetaru, K. (2017, February 9). What Tallinn Manual 2.0 Teaches Us About The New Cyber Order. Forbes. https://www.forbes.com/sites/kalevleetaru/2017/02/09/what-tallinn-manual-2-0-teaches-us-about-the-new-cyber-order/

^[26] Schmitt, M., Goodman, R., Eisen, N. L., Watt, S., Rice, A., Barrilleaux, F., Markman, B., Nevett, M., Kolb, J., Stanton, J., Warren, A., Finucane, B., Hashimoto, E. J., Rosenblat, M. O., Mejia, S. C., Owiso, O., Nakandha, S., Tribe, L. H., Sikorsky, E., . . . Jones, A. E. (2017, February 9). Tallinn Manual 2.0 on the International Law of Cyber Operations: What It Is and Isn’t - Just Security. Just Security. https://www.justsecurity.org/37559/tallinn-manual-2-0-international-law-cyber-operations/

^[27] Leetaru, K. (2017, February 9). What Tallinn Manual 2.0 Teaches Us About The New Cyber Order. Forbes. https://www.forbes.com/sites/kalevleetaru/2017/02/09/what-tallinn-manual-2-0-teaches-us-about-the-new-cyber-order/

Pic Courtsey-Michael Dziedzic at unsplash.com

(The views expressed are those of the author and do not represent views of CESCUBE.)