16 February 2017

What Tallinn Manual 2.0 Teaches Us About The New Cyber Order


Kalev Leetaru

Front cover of the Tallinn Manual 2.0 (Image provided by and used with the permission of Cambridge University Press)

Yesterday marked the inaugural launch event for the release of the second version of the famous Tallinn Manual on the legal landscape of cyberwarfare. Appropriately named “Tallinn Manual 2.0: International Law Applicable to Cyber Operations,” the new book offers a fascinating look at how far the cyber threat landscape has evolved in the less than half decade since the first version’s release in 2013, shifting the focus from conventional state-authorized and operated cyber warfare to the small-bore deniable cyber activities that form the majority of day-to-day cyber attacks today.

It is notable that in just four years the book’s title has changed from referring to “cyber warfare” to “cyber operations,” reflecting that in today’s world cyber attacks most commonly fall beneath the threshold at which international law would typically declare them to be a formal act of war.

As the book’s authors put it “the focus of the original Manual was on the most severe cyber operations, those that violate the prohibition of the use of force in international relations, entitle states to exercise the right of self-defence, and/or occur during armed conflict,” while the new version “adds a legal analysis of the more common cyber incidents that states encounter on a day-to-day basis and that fall below the thresholds of the use of force or armed conflict.”

Indeed, Michael Schmitt, chairman of the U.S. Naval War College International Law Department noted that the alleged Russian hacking of the DNC during the 2016 US presidential campaign was “not an initiation of armed conflict. It’s not a violation of the U.N. Charter’s prohibition on the use of force. It’s not a situation that would allow the U.S. to respond in self-defense militarily.” In short, it is precisely the kind of “cyber operation” that will come to define the coming decade.

The manual itself is essentially a massive 642 page narrative on the legal landscape of cyber today as seen through a global (though decidedly Western) lens. It presents a myriad of legal questions that commonly arise in cyber operations and discusses the current state of international law and how it might apply to each given scenario. In many cases its panel of drafters were unable to reach a consensus, illustrating the complexities and vagaries that still plague the cyber world.

Given the public prominence of cyber espionage in the era of Edward Snowden and Wikileaks, the Manual explores the legality of the kinds of methods employed by the NSA and finds on page 170 that its panelists “were incapable of achieving consensus as to whether remote cyber espionage reaching a particular threshold of severity violates international law.”

The Manual also explores on the following page the legality of actions such as one nation hacking into a nuclear power plant in another nation and essentially holding it as a cyber hostage, threatening to cause the plant to go critical and kill large numbers of people unless the nation withdraws from an unrelated conflict, finding that that this would constitute a violation of international law. This is particularly noteworthy in that under the former administration, the US government announced precisely such plans, making special mention of holding hostage or triggering meltdowns in nuclear power plants to affect civilian populations.

In one intriguing discussion on page 521, the Manual theorizes about the future incorporation into military practice of the Internet’s ability to humiliate and harass. For example, could a POW camp strip prisoners naked, photograph them in humiliating poses and then publish those images publicly and share them far and wide? What about forcibly interrogating them for their social media, medical, financial and other login information and downloading and republishing that material? Or using their forcibly obtained social media logins to deceive their friends and contacts (who likely would not know they had been captured) into divulging sensitive and damaging information, such as requesting a nude photograph from a spouse, that is then republished online? The end result would be that even long after the war was concluded those soldiers and their families would be subject to eternal harm.

The authors interpret traditional Geneva Convention protections for prisoners of war in the cyber era and suggest that it is expressly prohibited to publish on the Internet humiliating or degrading information gathered from the prisoners or imagery taken of them in confinement. Specifically, “Prohibited cyber actions include posting defamatory information that reveals embarrassing or derogatory information or their emotional state. This would embrace, for example, posting information or images on the Internet that could be demeaning or that could subject prisoners of war or interned protected persons to public ridicule or public curiosity.” In addition, the detaining nation must also “guard against intrusion by public and private actors into the communications, financial assets, or electronic records of prisoners of war or interned protected persons.”

This situation most famously arose in 2004 with the publication of the Abu Ghraib photographs and again a year later when US military sources released to the international media partially nude photographs of Saddam Hussein taken while he was in US custody. In both cases the images spread virally and were widely republished by mainstream news outlets throughout the world, creating a permanent record of these individuals in their most intimate moments forever preserved on the Internet and profiting those outlets that published them by driving intense revenue-generating traffic to their sites. One can only imagine how far such images would spread in today's social media saturated world.

Governments must also physically separate the data they collect on prisoners from the rest of their military plans in anticipation that their computer networks may themselves become legitimate military targets: “Feasible measures must be taken to protect personal data relating to prisoners of war and interned protected persons from the effects of cyber operations, for example by being stored separately from data or objects that constitute a military objective.”

The concept of “cultural property” and the digitization of physical artifacts receives attention as well. In the past, destroying the cultural heritage of a nation or peoples could deny them a critical connection to their past. In today’s digital world, that heritage is increasingly being digitized meaning that even if the original photograph, statue, building or other work is destroyed by occupying military forces, the item will live on as a digital memory. What happens then when militaries begin specifically targeting that digital heritage, launching purposeful attacks designed with the primary intent to locate and delete all digital replicas of an important cultural artifact?

The Manual also touches on the frightening emerging world in which our most intimate details from our medical conditions to our sexual preferences to our very genetic makeup are digitized and available in vast searchable databases. Towards this end, the authors state “the use of digitised historical archives regarding a population to determine the ethnic origin of individuals with a view to facilitating genocide, crimes against humanity, or war crimes is clearly unlawful.” This further raises the question of a future in which governments or private organizations could hack into such databases to compile lists of “undesirables” and then humiliate and harass them from afar while remaining anonymous and beyond the reach of law enforcement.

Strangely, in spite of the rapidly evolving world of deep learning and autonomous warfare, the manual focuses primarily on a cyber environment populated by human actors and spends little time on the legal questions of fully autonomous cyber weapons that can make decisions entirely on their own and how those might fit into the concept of international law.

Putting this all together, this latest edition of the Tallinn Manual offers a fascinating glimpse at how far the cyber world has come in the half decade since its last iteration. Yet in envisioning the future of cyber operations over the coming years, it also paints a frightening nightmarish dystopia of how warfare is evolving from the tidy confines of the declared battlefield into an unbounded landscape in which anything and everything is likely to become fair game, from blowing up nuclear power plants to posting medical records online. Of course, in the real world, only the losing side of a war is subject to the penalties of international law and so a book like the Tallinn Manual will always have limited deterrence effect. However, by sketching out the frightening contours of the new cyber world, it should at the very least get governments thinking about how to better defend themselves in this brave and frightening new dystopia we live in, where war knows no borders.

No comments: