In the aftermath of a cyber attack, it is up to the targeted institution or country to find a legal basis for a response. This is tricky, as there is very little legislation dealing with the issue. The Tallinn Manual, about to be introduced in its second version, provides direction.
The Manual is a collection of guidelines for professionals and policymakers on how to apply international law to cyberspace. While the first version was written explicitly with wartime situations in mind, version 2.0 tackles a broader range of possible incidents.
While cyber attacks, data theft and the like are on the increase, there is no comprehensive system of laws in place governing how to react to them. The Tallinn Manual provides a set of guidelines on how to apply existing law to situations involving cyberspace.
The legal interpretation of what is happening online is complicated, and little of it is regulated. At the end of the day, it is up to each country how it wants to regulate and police the Internet, which is why the Manual neither makes new policy nor suggests new legislation.
On the contrary, it makes suggestions on how to resolve situations and react to them by applying existing international law. This is necessary when a cyber attack violates legal boundaries such as national sovereignty or human rights, among others.
Estonia’s prime example is the attack originating in Russia that it was exposed to in 2007, at the time of the Bronze Soldier Riot. At the time there was no agreed procedure for how to react. In response to the attack, Estonia identified and blacklisted some foreign nationals.
This, according to Marina Kaljurand, is one way to go. Kaljurand is a diplomat, former Minister of Foreign Affairs and presidential candidate, and since late 2016 an adviser to the Estonian Ministry of Foreign Affairs as well as Estonia’s representative on the UN's Group of Governmental Experts on Cybersecurity.
As Kaljurand puts it, in the aftermath of an attack, the country at the receiving end typically does investigative work, identifies the culprits if possible, and then has to decide what part of existing law to apply to create a basis for an appropriate reaction. Kaljurand told ERR News on Tuesday that the Tallinn Manual provided an excellent tool to raise awareness of the legal implications of what was going on in cyberspace, and increased countries’ capacity to react to threats.
Responses to actual cyber attacks
While Estonia blacklisted people involved in the 2007 attacks, the United States under the previous administration reacted to a cyber attack on the Democratic Party’s servers during the 2016 presidential election by expelling Russian diplomats and closing diplomatic premises on American soil used by Russian intelligence.
This reaction, and the application of international law in this case, rested on the fact that, as the attack originated in Russia, the United States held Russia ultimately responsible for it under existing international law. This gave it the legal grounds for a reaction.
The Tallinn Manual provides a suggested legal course for cases like this. As Kaljurand points out, the Internet, and along with it any threat or attack through cyberspace, are global, but so far there is no global legal response to them, which makes the second version of the Manual, written particularly with peacetime situations in mind, all the more important.
NATO’s Cyber Defence Centre of Excellence will introduce the Tallinn Manual 2.0 this Friday.
Editor: Dario Cavegn