NATO Secretary General Anders Fogh Rasmussen, center, and the director of the NATO Cooperative Cyber Defence Centre of Excellence, Col. Ilmar Tamm, right, visit the center in 2012 (NATO)
TALLINN, ESTONIA — Scholars involved in a project sponsored by NATO’s Cooperative Cyber Defence Centre of Excellence in Tallinn will meet in February to consider what options governments have, under international law, to respond to cyberattacks from other countries. The project will not look at national laws.
The project, called the Tallinn Manual 2.0, is due to be published in 2016 and is a follow-up to the Tallinn Manual, which was published in 2013. The Tallinn Manual looks at cyberattacks against a country that are physically disruptive or injure people, and responses via the use of force under the UN Charter and military rules on the cyber battlefield.
“This doesn’t happen so often though,” said project director Michael Schmitt, chairman of the US Naval War College’s International Law Department, professor of Public International Law at the University of Exeter School of Law and a senior fellow at NATO’s Cooperative Cyber Defence Centre of Excellence.
“We’re now looking at the other half of the equation, i.e., what happens on a day-to-day basis. We don’t have that many attacks against a country that are physically disruptive or injuring people and most countries don’t wield a cyber capability on the battlefield.
“There are regular attempts to intrude into military systems,” Schmitt says. Possible scenarios include hackers trying to put malware into a country’s military command-and-control systems that could then be activated if that country gets into a conflict, or mapping air defense systems of a country so that a potential enemy could be in a position to attack it.
“At a conservative estimate, there are thousands of attacks on ministries of defense on a daily basis. Some are easily handled with anti-virus software but some are very complex. A key question is how countries should respond legally if this happens,” he says.
The idea of the project is to explain, for particular scenarios, whether a country has acted illegally under international law against another country, and whether the second country has responded illegally. For example, Schmitt says that it may be legal for country X to ‘hack back’ by destroying data in country Y’s military system if country Y has destroyed similar data in country X first.
The project can draw on real cyberattack situations as the Centre of Excellence has a database of such events. Two examples of international law that the scholars are drawing on are the UN Charter and Draft Articles on State Responsibility for Internationally Wrongful Acts, as adopted by the UN General Assembly in 2001.
“We’ll take the laws and see how they apply in cyberspace. That might cover working out who is responsible in cases where contractors harm other states when conducting cyber activities for one state,” says Schmitt.
Scholars will meet in February behind closed doors to challenge each other’s opinions. At a later date, Schmitt says he hopes to bring representatives of governments into non-attributable meetings to provide their input.
“We don’t see this as another academic text. We want it to have impact with the end product reflecting the positions of states, the international community and scholars,” says Schmitt.