Tallinn Manual and the use of force
Written by
Equipe IRIS-BH (See all posts from this author)
30 de June de 2016
Francisco Rogério Moreira Campos and Bruno de Pinheiro Tavares
What’s the Tallinn Manual?
The Tallinn Manual, developed by researchers and experts on cyber conflicts applied to international law, is a non binding academic document, which interprets international norms in order to find common ground in complex legal cases involving cyber wars and cyber operations, while focusing particularly on the humanitarian law concepts of jus ad bellum and jus in bello.
Through a NATO (North Atlantic Treaty Organization) initiative, along with the Cooperative Cyber Defence Centre of Excellence, an international military organization based in Tallin, Estonia, the manual was published by the Cambridge University in 2013 as an answer to the rise of hacker attacks after the late 90s. Such attacks became increasingly common, like the ones suffered by Estonia itself in 2007, with government, banks and political parties websites shutting down through DDoS (distributed denial of service) attacks.
Even though the Tallinn Manual doesn’t represent the stances of NATO, or of any country or organization for that matter, as one of the first initiatives in treating the cybernetic context through the interpretation of international laws, it’s expected to impact such stances.
Jus ad bellum and Jus in bello
In Public International Law, jus ad bellum and jus in bello are criteria used to determine if a given State’s military acts are considered reasonable or not, even though, in principle, nothing is in the way of a country using its military forces against another country.
Jus ad bellum regards, specifically, reasons for a State to engage in a war conflict, and regards also what’s considered “fair”. Its main font is the Article 2 of the United Nations Charter, which specifies that all States in international relations must contain the threat and the use of force against the territorial integrity or political independence of any State. Besides, article 51 protects the right of a State to use force in self-defense against attacks to UN members.
Jus in bello, on the other hand, comes in after the beginning of a war. Its purpose is to regulate the outcomings of wars, without getting in the way of the reasons that drove such States into an armed conflict. Its fonts are customary law and international treaties, as the Geneva Convention of 1949, which protects civilians, victims and war prisoners.
Use of force
Use of force occurs when a State, using aggression through armed or coercive forces, threatens or violates the territorial integrity, the political independence or the practice of any other action incompatible with the purpose of the UN against another State. As cyber attacks don’t result in consequences as easily perceptible as physical aggression, death of individuals or immediate destruction of property, the biggest challenge for scholars is to interpret some of the situations produced in physical circumstances and translate them into the digital world, in order to find acts that may be considered equivalent to the use of force in the virtual context of a State.
According to the nonintervention principle, all States are prohibited from interfering directly or indirectly in internal or external matters of other States, such as the political choice, the cultural and social system, as well as the formulation of foreign policies. In theory, not every cybernetic intrusion violates the nonintervention principle. Acts such as cyber espionage and other operations lacking a coercive characteristic, by themselves, don’t violate such principle. Pure interference, such as political and economic pressure, isn’t the same as an intervention. Hence, similar cybernetic operations, like cyber psychological operations, would fit in that scope and would not qualify as use of force.
However, determining a principle violation will depend on the individual analysis of each case. Cyber operations that manipulate elections and the public opinion in times of election, such as the modification and shutdown of online services in favor of a given political party, or the distribution of fake information, might be considered a form of intervention. Similarly, financing equipment, training, and technology for a group of hacktivists to conduct insurgency operations against a country might be equated to the act of financing and offering equipment to guerrillas, which is also considered a use of force.
Use of force criteria
In order to facilitate the classification of cyber attacks as a use of force, Tallinn Manual establishes a series of criteria. Although not definitive, nor legally empowered, these criteria facilitate the comparison between cyber attacks and effects caused by armed forces.
a) Severity: any cyber-operation that results in damage, destruction, harm and death will be considered use of force;
b) Immediacy: the faster the effects of an attack surface, the fewer ways to defend itself a State has and, hence, the more severe are its damages;
c) Directness: the causal connection of a cyber attack;
d) Invasiveness: a cyber attack, which invades or shuts down a military or highly protected system will be considered more intrusive and, therefore, more aggressive than an attack against weaker online systems, such as a virtual store of a regular citizen;
e) Measurability of Effects: the quantitative value of the caused damage, such as the number of downed servers, corrupted data, stolen confidential files, etc.;
f) Military Character: the nexus on the use of military forces related to an attack;
g) State Involvement: the extension and continuous involvement in cyber operations conducted by a State;
h) Presumptive Legality: legal assumption over norms and international treatises.
Even though the use of force is forbidden, according to the Article 2(4) of the UN Charter, an exception is allowed if used in self-defense, or authorized by the UN Security Council, as long as the necessity and proportionality of the attacks are observed. In even more exceptional cases, if the threat or damage to be suffered are too severe, preventive use of force might be allowed. But these measures would depend on the specific context, analyzed by the Security Council.
About the authors
Bruno de Pinheiro Tavares has a degree in Law by Universidade da Amazônia (UNAMA). Is a member of the Grupo de Estudos Internacionais em Internet, Inovação e Propriedade Intelectual (GNeT-UFMG) and is interested in Public International Law, Economic Law, Cyberlaw, Internet Governance and Intellectual Property.
Francisco Rogério Moreira Campos is an undergraduate student at Universidade Federal de Minas Gerais and a member of the Grupo de Estudos Internacionais em Internet, Inovação e Propriedade Intelectual (GNet-UFMG). Is interested in: International Public Law, International Humanitarian Law, Constitutional Criminal Law and Cyber-Criminal Law.