NATO on Wednesday released the first major revision to the Tallinn Manual, the closest thing there is to a rulebook for nation-led cyber operations.
Like the original 2013 manual, the new version is the result of a study by NATO to gauge consensus opinions from international law experts on what types of cyber statecraft are acceptable.
“Let me assure you, the manual will sit on the desk of every legal advisor in every ministry of defense and every ministry of foreign affairs in the entire world,” Director and General Editor Michael Schmitt said at a press briefing before its launch at the Atlantic Council headquarters in Washington.
The original text was extremely influential and widely used.
Both manuals pull together law originally developed to cover fields ranging from armed conflicts to outer space to extrapolate the likely legal consequences for cyber operations. But while the first draft covered war-like cyber attacks between nations, the new draft adds legal analysis of peacetime operations.
“Even though the first book was a big achievement, it was clear before it was published that the issues that states were grappling with on a day-to-day basis are not the subject matter of the first Tallinn Manual,” said Liis Vihul, managing editor for the manual and a official of the NATO Cooperative Cyber Defence Centre of Excellence that commissioned its creation.
The book compiles the expertise of dozens of international law experts who huddled to determine which issues had a clear legal consensus. Dozens more, including current government representatives, provided non-voting advice.
The new book comes after a variety of new nation-led attacks begin to reshape how politicians view the prospect of cyber warfare.
Many U.S. lawmakers have argued that the breach at the Office of Personnel Management should be considered something beyond run-of-the-mill espionage. Espionage is considered legal by international law, but the immense scope of the breach has lead some to wonder if the breach was a special circumstance beyond what was acceptable.
“That is not correct as a matter of law,” said Schmitt, who had personal information stolen in the breach.
“Espionage is espionage is espionage. It doesn’t matter if you steal one document or five million files. Espionage is not unlawful under international law.”
But the experts could not reach a consensus on the Democratic National Committee breach that impacted last year’s presidential race.
Espionage is often prosecuted as a violation of national laws. The authors agreed that if Russia in fact stole and distributed the files, it was definitely in violation of U.S. laws, and that if Russia coerced voters, it would be in violation of the international laws. But they differed on which jurisdiction the attacks would fall under.
The new manual, caution Vihul and Schmitt, is not legal doctrine, but instead an analysis of the legal standing of various activities under current laws. But they say it will work as a tool to guide nations on how solid their footing might be in the international community to make different arguments.