Thursday, 21 March 2013

NATO's New Rules for Cyberwar

The Tallinn Manual, the first attempt to lay down international ground rules for cyberwar, was published this week under the direction of the NATO think tank, the NATO Cooperative Cyber Defense Center of Excellence. Written by more than 40 academics, lawyers and experts from NATO countries, the 282-page manual defines under which conditions a country can respond to a hack attack with military force; which targets are off-limits (schools, hospitals and UN staff, for example); and guidance on proportionate response to digital attacks carried out by non-state entities. It also warns that cyber war combatants can be tried for cyberwar crimes.

Almost on cue, a few hours after the manual was published, South Korea was hit by a crippling cyber attack that prompted local digital security experts to point the finger at North Korea—not the first time its sworn cross-border enemy has been accused of state-sanctioned cyber war games.

Thomas Wingfield, one of the authors of the Tallinn Manual and a professor of international law at the George C. Marshall European Center for Security Studies, talked to Bloomberg Businessweek about the new ground rules for cyberwar and whether South Korea has a good case for launching a counter-strike against the culprit of today’s attack.

What are the new ground rules for cyberwar?

We sought to answer two questions: How can a country define when it is at war in cyber space? And if it is at war in cyber space, then what rules of engagement would apply? What is a permissible response, and what would be considered a war crime?

Can a country respond with military force to a cyber attack?

To answer this, we sought to define two types of cyber events. The first one being the “use of force.” This would be an unlawful attack on a country. But that does not permit the targeted country to respond militarily. The second type of cyber event is an armed attack. In this scenario, people are killed, or there is severe property damage. It might look something like a bomb went off, though the damage was wrought by malicious code. So far, we haven’t seen the stand-alone cyber armed attack.

So, under a “use of force” cyber attack, the targeted country is not permitted to respond with military force. Under the “armed attack” they can. Correct?

We didn’t invent any new rules or definitions here. With an armed attack, this is standard, a loss of human life or major property damage, caused by a cyber attack. No big insight there. It is a disruptive, unlawful act [to a nation’s critical infrastructure], but not quite so bad that it would allow for countries to retaliate and start bombing whoever is behind the attack.

How would you define today’s cyber attack on South Korea?

With South Korea today, from what I’ve seen, I’m not even sure that could be regarded as a “use of force” cyber event. With the Tallinn Manual, we’re only addressing attacks that kill people and cause widespread property damage. Most cyber events occur below the “use of force” threshold. The manual is not meant to be the official rule book on all things cyber and bad. Instead, it is the best set of rules that can be applied to the most violent end of the cyber spectrum.

What about hacking gangs? If it were individuals or groups who were to carry out a “violent” cyber attack against a country, could they be targeted militarily?

For a majority of the experts who worked on the manual, they agreed that no matter which type of entity produces the armed cyber attack—whether it be a pirate group, a country, individuals, whomever—it would not matter. For whichever entity that conducted that armed cyber attack, then the military response would be activated against them. A small minority in the group said “no, no, no” to this. But the clear majority of the group of experts were in support of this conclusion.
