Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations

by Michael N. Schmitt

the International Group of Experts took the position that so long as settlement remains possible by peaceful means such as negotiation, the parties to the dispute must continue to seek resolution even though an international armed conflict (Rule 82) has broken out between

A State may not intervene, including by cyber means, in the internal or external affairs of another State.

For the purposes of this Rule, ‘interference’ refers to acts by States that intrude into affairs reserved to the sovereign prerogative of another State, but lack the requisite coerciveness (see discussion below) to rise to the level of intervention.

The International Group of Experts acknowledged that the distinction between coercive and non-coercive cyber operations is not always clear. However, all of the Experts agreed that a cyber use of force (Rule 68) by one State against another is always coercive and therefore constitutes intervention.

The International Group of Experts agreed that the fact that a coercive cyber operation fails to produce the desired outcome has no bearing on whether this Rule has been breached.

The Experts were of the view that, in certain circumstances, a threat itself may violate this Rule. As with coercive acts, the threat must be coercive in nature and intrude into the internal or external affairs of another State.

Cyber espionage per se, as distinct from the underlying acts that enable the espionage (see discussion in Rule 32), does not qualify as intervention because it lacks a coercive element. In the view of the International Group of Experts, this holds true even where intrusion into cyber infrastructure in order to conduct espionage requires the remote breaching of protective virtual barriers

The Experts also rejected any suggestion that the nature of targeted cyber infrastructure is determinative of whether a cyber operation qualifies as a use of force.

There are two widely acknowledged exceptions to the prohibition on the use of force – uses of force authorised by the Security Council under Chapter VII (Rule 76) and self-defence pursuant to Article 51 and customary international law (Rule 71

An action qualifying as a ‘use of force’ need not necessarily be undertaken by a State’s armed forces.

A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.

Thus, for instance, merely funding a hacktivist group conducting cyber operations as part of an insurgency would not be a use of force against the State involved in the armed conflict with the insurgents.

Though highly invasive, cyber espionage does not per se rise to the level of a use of force; indeed, there is no direct prohibition in international law on espionage

A cyber operation, or threatened cyber operation, constitutes an unlawful threat of force when the threatened action, if carried out, would be an unlawful use of force.

However, they acknowledged a view by which the term ‘armed’ applies solely to the use of weapons and that therefore unless the cyber operation involves the use of a cyber weapon (Rule 103), it does not qualify as an armed attack, irrespective of the consequences of the operation.

The majority of the International Group of Experts was of the view that intention is irrelevant in qualifying an operation as an armed attack and that only the scale and effects matter.

lack, of alternative courses of action that do not rise to the level of a use of force. Should passive (as distinct from active) cyber defences like firewalls be adequate to reliably and completely thwart a cyber armed attack, other measures, whether cyber or kinetic, at the level of a use of force are impermissible. Similarly, if active cyber operations not rising to the level of use of force suffice to deter or repel an armed attack (imminent or on-going), forceful cyber or kinetic alternatives will be barred by the necessity criterion.

a State need not wait idly as the enemy prepares to attack. Instead, a State may defend itself once an armed attack is ‘imminent’. Such action is labelled ‘anticipatory self-defence’ in international law.

a Security Council decision to disregard rules of international law should not be taken lightly. The International Group of Experts agreed that under no circumstances may the Security Council deviate from rules of a jus cogens nature.

Cyber operations executed in the context of an armed conflict are subject to the law of armed conflict.

Applying the test, if one State exercises overall control over an organised group of hackers that penetrates another State’s cyber infrastructure and causes significant physical damage, the armed conflict qualifies as ‘international’ in nature.

Mere support for a group of non-State actors involved in a non-international armed conflict does not ‘internationalise’ the conflict.

If the State’s support does not rise to the level of overall control of the group, it may nevertheless be unlawful as an intervention in the domestic affairs of the State concerned

As illustrated by the Stuxnet incident, significant legal and practical challenges stand in the way of definitively concluding that a cyber operation has initiated an international armed conflict.

In view of the intensity threshold, cyber operations alone can trigger a non-international armed conflict in only rare cases.

The majority of the International Group of Experts took the position that an informal grouping of individuals acting in a collective but otherwise uncoordinated fashion cannot comprise an organised armed group; there must be a distinct group with sufficient organisational structure that operates as a unit.

law. It should be cautioned in this regard that not every violation of the law of armed conflict qualifies as a war crime.

In accordance with Rule 97, a civilian who directly participates in hostilities loses certain protections attendant to civilian status for such time as he or she so participates.

If a person engaged in cyber operations during an armed conflict is a member of an organised armed group not belonging to a party to the conflict, it does not matter if the group and its members comply with the four criteria of combatancy. That person will not have combatant status and therefore not be entitled to combatant immunity or to be treated as a prisoner of war. Such a person would be an ‘unprivileged belligerent’,

11. Combatant status requires that the individual wear a ‘fixed distinctive sign’.

In a non-international armed conflict, the notion of belligerent (combatant) immunity does not exist. Domestic law exclusively determines the question of any immunity from prosecution.

In an international armed conflict, inhabitants of unoccupied territory who engage in cyber operations as part of a levée en masse enjoy combatant immunity and prisoner of war status.

Since it did not contemplate military operations deep into enemy territory, it is questionable whether individuals launching cyber operations against enemy military objectives other than the invading forces can be considered members of a levée en masse.

‘a spy who, after rejoining the army to which he belongs, is subsequently captured by the enemy, is treated as a prisoner of war and incurs no responsibility for his previous acts of spying’.

Non-violent operations, such as psychological cyber operations and cyber espionage, do not qualify as attacks.

While the notion of attack encompasses injury and death caused to individuals, the International Group of Experts agreed that it is, in light of the law of armed conflict’s underlying humanitarian purposes, reasonable to extend the definition to serious illness and severe mental suffering that are tantamount to injury.

Since terror is a psychological condition resulting in mental suffering, inclusion of such suffering in this Rule is supportable through analogy.

An attack that is successfully intercepted and does not result in actual harm is still an attack under the law of armed conflict. Thus, a cyber operation that has been defeated by passive cyber defences such as firewalls, anti-virus software, and intrusion detection or prevention systems nevertheless qualifies as an attack if, absent such defences, it would have been likely to cause the requisite consequences.

The civilian population as such, as well as individual civilians, shall not be the object of cyber attack.

In the cyber context, it is essential to emphasise that an ‘act’ is required by the individual concerned. For instance, an unwitting person whose computer has become a part of a botnet used for cyber attack is not, without more, a direct participant. However, in such a case, the computer itself may qualify as a military objective, provided it fulfils the definition of military objective under the circumstances ruling at the time

For instance, military cyber systems, wherever located, and the facilities in which they are permanently housed, qualify as military objectives. The fact that civilians (whether government employees or contractors) may be operating these systems is irrelevant to the question of whether they qualify as military objectives.

When a civilian object or facility is used for military ends, it becomes a military objective through the ‘use’ criterion.

All of the Experts agreed that a factory that produces computer hardware or software under contract to the enemy’s armed forces is a military objective by use, even if it also produces items for other than military purposes.