How can international law be applied on a cyberattack? What is the legal meaning of sovereignty and human rights in cyberspace? Modern technology represents an enormous challenge for law and policy makers. The Tallinn Manual 2.0 is a pioneering tool that helps them find their own direction.
The recently published Tallinn Manual 2.0 provides guidelines for the application of international law on cyberspace. Though states will eventually have to derive their own approach from it, it is a pioneering collection of opinions of legal experts how to apply established principles to a still very new field.
ERR News had the opportunity to talk to Marina Kaljurand, adviser to the Estonian Ministry of Foreign Affairs in matters of security as well as Estonia's representative on the UN's Group of Governmental Experts on Cybersecurity, about the meaning and application of the Tallinn Manual.
ERR News: What real policy have the Tallinn Manual 1.0 and 2.0 created?
Marina Kaljurand: These manuals are not creating new law, and they are not creating new policy, they are interpreting international law. The international community has agreed that international law applies to cyberspace. But the big question is how, because when international law developed we didn't have any idea of cyberspace.
In real life, jurisdiction is very clear, territory and sovereignty are very clear. They are marked by a border, and the territory of a country is very specifically determined. But talking about cyberspace, it becomes more complicated. Cyber operations can originate in one country, the effects might be in another, and they might use a third country. The Tallinn Manual gives lawyers and politicians an idea how international law might apply to that.
So it's a collection of guidelines rather than an actual manual.
To me, guidelines and manuals are the same. It depends on the interpretation. The practice of writing guidelines like these dates back to the 18th century. Usually they are interpretations by respected and experienced lawyers. The first Tallinn Manual was written by 20, and the second one by 19 international lawyers, the best experts in the field.
The next step is very important, what states will do with the manual. What a foreign ministry will do with it, what a defense ministry will do with it, if their legal advisers will look into the manuals and express their own views. The final interpretation depends on the political will of governments.
The manuals are very practical. For example, in the case of a cyberattack and deciding about possible retaliation and countermeasures, government lawyers can turn to the Tallinn Manual to see how lawyers have interpreted international law applicable to those situations.
The difference between the first and the second manual is that the first was written about the applicability of international law to cyberspace in wartime, and the second in peacetime. Until today we haven't seen any cyber operations that would qualify as use of force. There were incidents where actual military attacks were accompanied by malicious cyber operations (Georgia 2008, Ukraine).
But the large majority of cyber operations are not destructive, do not cause deaths, and so on. Incidents like cases of espionage, hacking, messing with elections. They are disturbing, but they are not destructive. In that sense, the Tallinn Manual 2.0 is more topical, because it looks at the cyber operations in peacetime, at low risk cyber operations.
Does this mean that now there is a broader application?
Exactly. It's about how to apply international law to cyber operations in the everyday world during peacetime. What is allowed, and what is not. For example, all countries are responsible for cyber operations originating from their territory. It also states that countries have to intervene if somebody is using their territory [for a cyberattack].
Can a country from the territory of which a cyberattack originated say they had no idea what was going on after the attack happened?
They can, but if they know about the incident, they are responsible. It might be the case that they don't have any knowledge of the incident. In that case, somebody has to inform them. For example, we are attacked, and we inform the country from where the cyberattack is coming, then from that time on they're responsible.
When Estonia was exposed to a cyberattack in 2007, the manuals did not yet exist. How did Estonia apply international law back then?
First, we gathered evidence, asked for clarification from Russia, and then we took countermeasures. We put individuals behind the cyberattacks on the so-called Schengen blacklist. Compare this with what the United States did after the DNC incident, they expelled diplomats. So today we can say that we have already some practice applying international law. We have examples how countries can react to cyber operations.
In 2007 there also was the question whether or not to trigger NATO Article 4 or 5. But the answer was very simple, those attacks were not destructive, they didn't kill anybody, they just interfered with our e-lifestyle. And as we were looking at the effects, we decided to retaliate in the way we did.
What's the biggest advantage of having this manual now? How does it help in practice?
It's a very good handbook for legal advisors in the ministries, and also for politicians.
International law is applied and interpreted by the states. They have to look at the provisions and say what they agree with and what they don't agree with. This is not an easy task, as in the virtual world we have the same ideological division as in the real world. Some countries see the Internet as a challenge to their sovereignty, other countries like Estonia see ICT as an enabler of development.
So most likely if we're unable to agree in the real world, it will be very difficult to agree on the application of international law on cyberspace as well. The interpretation of the manual will depend on the political will of the interpreting states. The Tallinn Manual itself sometimes offers several options. There are situations where all of its authors agree, and others where there are different opinions. Even in like-minded countries, in democratic countries we interpret different provisions of international law differently.
This means not everything that's in the manual will be applied. That isn't going to happen. We have to find norms and rules that can be accepted by at least several states, only then can we talk about progress interpreting the manual. In the end it all depends on political will and support.
Does the manual provide help for someone that's being attacked? Can the manual increase the speed of the reaction?
Absolutely. I would say that it is a great advantage because it raises awareness of an essential issue. It's an excellent example for confidence-building, because it allows officials to start a discussion about it.
This isn't a topic for rich and tech-savvy countries only. I very much hope that we'll have everyone on board, geographically. African countries, Asian countries, countries that today don't have to deal with the issue on an everyday basis.
Cyber is here to stay, it's global, and so the rules of behavior have to be global. If only Finland and Estonia apply the manual, for example, that isn't enough in terms of international law.
Editor: Aili Vahtla