The Tallinn Manual, the first attempt to lay down international ground rules for cyberwar, was published this week under the direction of NATO’s think tank, the NATO Cooperative Cyber Defense Center of Excellence. Written by more than 40 academics, lawyers, and experts from NATO countries, the 282-page manual defines under which conditions a country can respond to a hack attack with military force; which targets are off limits (schools, hospitals, and UN staff, for example); and guidance on proportionate response to digital attacks carried out by non-state entities. It also warns that cyberwar combatants can be tried for cyberwar crimes.
Almost on cue, a few hours after the manual was published, South Korea was hit by a crippling cyberattack that prompted local digital security experts to point the finger at North Korea—not the first time its sworn cross-border enemy has been accused of state-sanctioned cyberwar games.
Thomas Wingfield, one of the authors of the Tallinn Manual and a professor of international law at the George C. Marshall European Center for Security Studies, talked to Bloomberg Businessweek about the new ground rules for cyberwar and whether South Korea has a good case for launching a counterstrike against the culprit of today’s attack.
What are the new ground rules for cyberwar?
We sought to answer two questions: How can a country define when it is at war in cyberspace? And if it is at war in cyberspace, what rules of engagement would apply? What is a permissible response, and what would be considered a war crime?
Can a country respond with military force to a cyberattack?
To answer this, we sought to define two types of cyber events—the first one being the “use of force.” This would be an unlawful attack on a country. But that does not permit the targeted country to respond militarily. The second type of cyber event is an armed attack. In this scenario, people are killed or there is severe property damage. It might look something like a bomb went off, though the damage was wrought by malicious code. So far we haven’t seen the standalone cyber-armed attack.
So, under a “use of force” cyberattack, the targeted country is not permitted to respond with military force. Under the “armed attack,” they can. Correct?
We didn’t invent any new rules or definitions here. With an armed attack, this is standard—a loss of human life or major property damage, caused by a cyberattack. No big insight there. With “use of force,” it’s a bit trickier. It is a disruptive, unlawful act [to a nation’s critical infrastructure], but not quite so bad that it would allow for countries to retaliate and start bombing whomever is behind the attack.
How would you define today’s cyberattack on South Korea?
With South Korea today, from what I’ve seen, I’m not even sure that could be regarded as a “use of force” cyber event. With the Tallinn Manual, we’re addressing only attacks that kill people and cause widespread property damage. Most cyber events occur below the “use of force” threshold. The manual is not meant to be the official rule book on all things cyber and bad. Instead, it is the best set of rules that can be applied to the most violent end of the cyber spectrum.
What about hacking gangs? If it were individuals or groups who were to carry out a “violent” cyberattack against a country, could they be targeted militarily?
For a majority of the experts who worked on the manual, they agreed that no matter which type of entity produces the armed cyberattack—whether it be a pirate group, a country, individuals, whomever—it would not matter. For whichever entity that conducted that armed cyberattack, then the military response would be activated against them. A small minority in the group said “no, no, no” to this. But the clear majority of the group of experts were in support of this conclusion.