What does international law mean for cyber warfare?

Creating rules of engagement for operations in cyberspace has been an ongoing process at the Defense Department, where such rules -- if and when they are finished -- will remain classified. Now some say a new international manual intended for application to cyber warfare could provide a boost for the Pentagon.

The Tallinn Manual, commissioned by NATO but created by several dozen experts, builds on established international law, much as the Pentagon’s cyber rules are modeled on existing rules of engagement. The manual particularly focuses on the principles of jus ad bellum, which regulates use of force in international law, and jus in bello, which governs conduct in armed conflict.

According to cyber and legal experts, the Tallinn Manual will help supplement DOD’s guidelines for cyber warfare by offering additional insight and references to international law that can help with strategic, tactical and operational decision-making.

"I think the manual will have greater influence on battlefield rules of engagement because there’s a lot more granularity in the section on the use of in bello and humanitarian law," said Michael Schmitt, chairman of the International Law Department at the Naval War College. "I think that will feed into battlefield [rules of engagement], as distinct from the day-to-day [rules of engagement]."

Schmitt, who spoke as part of a panel convened by the Atlantic Council on March 28 in Washington, noted that one of the toughest aspects of cyber conflict is determining use of force, which the manual addresses. Furthermore, determining what constitutes a cyberattack has also been a sticking point in U.S. policy-making, the panelists said.

"For years, U.S. policy has been frozen, sort of burdened, with this overly generous definition of computer network attacks that the Defense Department had put forth," said Gary Brown, deputy legal adviser for the U.S. and Canadian regional delegation at the International Committee of the Red Cross. "That made it difficult to move forward because folks were reluctant to say that international humanitarian law applies to…everything we do in cyber that denies, degrades, disrupts or destroys cyber systems. That’s a very broad range of cyber activities that would be governed by [international law], so there was a reluctance to put pen to paper."

Brown, a retired Air Force colonel, said that attitude has changed in recent months -- something that might be reflected in how the Tallinn Manual affects DOD’s cyberspace operations.

"It will have some effect, and it will have positive effect because the United States is going to comply with international laws and comport with the rules as presented," he said. "We don’t know what the rules are, but just this month [Gen. Keith Alexander, commander of U.S. Cyber Command] came out and indicated there will be specific offensive teams, so one wonders what the rules of engagement will be to govern these offensive cyber teams. The manual can’t hurt."

Although the military’s cyber rules of engagement remain classified for national security reasons, some transparency could help gauge where DOD stands on cyber conflict’s most significant issues. Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative, said that although Pentagon officials have noted the need to respond quickly to cyber threats, fast reactions are not necessarily as important as some believe.

"Seeing how much engagement in conflicts can take weeks, months and years, I’m personally cautious the [rules of engagement] will be built by people who have dealt with this tactically, saying ‘A strike could come at us from nowhere, and we have to respond quickly,’" Healey said. "Which is absolutely true, but that can be true in all the other domains of warfare also. So I’m concerned we could be focused on the technical truths rather than the strategic truths, which say we have more time."

As the United States and other countries struggle to define cyberattacks, officials also must consider how to handle activities in cyberspace that do not necessarily constitute an attack but do have malicious intent, such as disruptive actions or espionage, the panelists said.

"One of the big challenges now is we’ve drawn that line in the sand of what a cyberattack is and what might constitute armed conflict in cyber," Brown said. "That leaves unanswered most of the issues around what’s happening now outside the context of armed conflict. Most things we read about fall into this second category. It’s not part of a conflict, it’s not part of an ongoing war. These are things that aren’t really addressed by laws of warfare because it doesn’t fall under that definition of warfare. But the main reason the manual is incredibly important is because it finally draws the line."