INVITATION TO CYBERSECURITY 282 Manual 2.0 (the 2017 update of the 2013 original), is a noteworthy attempt to apply principles like use of force to cyber operations. The title pays homage to the attack on Estonia in 2007 when Tallinn became the cyber conflict capital of the world. The Tallinn Manual outlines a series of “rules” and accompanying analyses that provide insight into how cyber operations intersect with jus ad bellum and jus in bello. It is not tied to any one nation and is not legally binding on any nation. It has several authors that The Tallinn Manual refers to as the International Groups of Experts. The Tallinn Manual defines the use of force in Rule 69: “A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.” A cyber operation that has kinetic effects (i.e., like an explosion) would qualify as a use of force under this definition. The authors consider the Stuxnet operation a use of force because it caused physical destruction. However, there are many types of cyber operations that are more difficult to categorize. For example, the installation of malware in a state’s critical infrastructure that remains inactive unless triggered is a threatening action that causes no immediate impact. According to The Tallinn Manual, it would not qualify as a use of force because no damage has occurred, but this could be debated by others who may see it as a type of preemptive strike. When it comes to state-on-state conflict, not only is it important to be able to clearly demarcate acceptable from unacceptable behavior, but it is also vital to be able to attribute activities to their origins. With lines drawn and attributions made, damaging activities can be deterred or at least appropriately retaliated against. But cyberspace suffers from the attribution problem. The inherent dynamics of cyberspace (e.g., distanceless, digital, dynamic) all help to create plausible deniability or even anonymity. It is difficult to pin any activity on a state in cyberspace with 100% confidence. Even if there are clues that indict a particular nation, it is possible that another state is actually the guilty party and carefully planted evidence to pin the blame on another nation. 10.3.3.3 Jus in bello Jus in bello addressed proper conduct in war. The Hague Conventions (1899, 1907) and the Geneva Conventions (1949) are international agreements on the humane conduct of war. These conventions defined war crimes such as the inhumane treatment of prisoners of war, attacks on civilians, violating the principle of proportionality, and others for which states can be punished by an international court of law. The Tallinn Manual defines a cyber attack as, ”a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” (Rule 92) Using this definition, a cyber attack against critical infrastructure that kills civilians would violate IHL. The Russian attack on Tallinn would not be considered a cyber attack even though it affected civilians, because it did not cause death or physical destruction.
RkJQdWJsaXNoZXIy MTM4ODY=