Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations

by Michael N. Schmitt

For its advocates, this approach is especially appropriate in situations in which no State is responsible for the malicious cyber operation in question. Consider a case in which a terrorist group situated in one State engages in cyber operations against another State, and the operations result in physical damage to hardware on the territory of the latter. Had the operations been conducted by a State, they would at least have violated the latter’s sovereignty (Rule 4). The first State takes all feasible measures to terminate the group’s cyber operations originating in its territory, in line with its duty to exercise due diligence (Rules 6–7), but ultimately fails and the operations persist. The target State, continuing to suffer harm from the group’s activities, may, according to proponents of the approach, take countermeasures against the group, even though those measures might infringe upon the first State’s sovereignty.