Are "Cyber Norms" the same as "International Law on Cyberspace"?
When we talk about International Law in Cyberspace, the documents that come to mind are Tallinn Manual 1.0 and Tallinn Manual 2.0. In April 2007, political differences between Estonia and Russia over the interpretation of the relocation of the Bronze Soldier of Tallinn led to a catastrophic cyberattack on Estonian organizations. It was a Distributed Denial of Service (DDoS) attack aimed at Estonian organizations' websites, including those of the Estonian parliament, banks, ministries, newspapers, and broadcasters. The North Atlantic Treaty Organisation (NATO) conducted an internal assessment of its cybersecurity and infrastructure defenses. As a result, a cyber-defense policy and the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) were created. It was followed by the development of the Tallinn Manual 1.0.
A criminal investigation into the matter was initiated under the Estonian Penal Code, and assistance was requested from the Russian Federation's Supreme Procurator under the Mutual Legal Assistance Treaty (MLAT) between Estonia and Russia. However, the Russian authorities refused assistance, claiming that the applicable MLAT did not cover the proposed investigative process. Later, there was speculation that it might have been a state-sponsored attack. The absence of international law to deal with this scenario also led to the making of the Tallinn Manual.
So, what is the Tallinn Manual?
"Ultimately, Tallinn Manual 2.0 must be understood only as an expression of the two International Groups of Experts' opinions as to the state of the law. This Manual is meant to reflect the law as it existed at the point of the Manual's adoption by the two International Groups of Experts in June 2016. It is not a 'best practices' guide, does not represent 'progressive development of the law,' and is policy and politics-neutral. In other words, Tallinn Manual 2.0 is intended as an objective restatement of the lex lata." - Introduction to the Tallinn Manual 2.0
In response to widespread state-sponsored cyberattacks, including the cyber incident in Estonia, the Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn hosted a multi-year process to gather the views of a group of renowned experts on the application of international law to cyber incidents. The first Tallinn Manual dealt with the law applicable to armed conflict. The second Tallinn Manual (known as Tallinn 2.0) deals with a broader type of cyber operations: those both in and out of armed conflict. The Manuals were written by a group of international legal experts gathered under the leadership of Michael N. Schmitt, a faculty member at the U.S. Naval War College and a prominent global cyber expert.
The first group included law of armed conflict (LOAC) experts, primarily from the Western Hemisphere. In response to criticism, the international group of experts for Tallinn 2.0 was broader in origin (including members from Thailand, Japan, China, and Belarus) and in substantive expertise (including experts in human rights, space law, and international telecommunications law). The International Committee of the Red Cross (ICRC) was invited to send observers to both groups, as were other states and organizations. The Manual is essentially a massive 642-page narrative on the legal landscape of cyber today, as seen through a global lens, especially in the West. It is divided into four parts. Part one deals with general international law and cyberspace. The second part covers specialized regimes of international law and cyberspace. The third part highlights concerns about global peace, security, and cyber activities, and is primarily drawn from Tallinn 1.0. The last part is the rest of Tallinn 1.0 and applies to the law of cyber-armed conflict.
The Manual presents a myriad of legal questions that commonly arise in cyber operations and discusses international law's current state and how it might apply to each given scenario. In many cases, its panel of drafters could not reach a consensus, illustrating the complexities that still haunt the cyber world.
Regarding sovereignty, the Manual suggests that states do not have power over the Internet but do have authority over Internet components in their territory. Given the public prominence of cyber espionage, the Manual explores the legality of the kinds of methods used by the NSA. It finds that its panelists "were incapable of achieving consensus on whether remote cyber espionage reaching a particular threshold of severity violates international law."
Countermeasures to a cyber-operation
Rule nine of the Tallinn Manual sets out the countermeasures to a cyber operation. Rules six, seven, and eight outline some norms for attributing cyberattacks in a rather typical fashion. These rules establish that the mere fact that a cyberattack originates in a state's territory, or that a cyberattack is routed through a state's cyber infrastructure, is not enough to attribute that attack to the country in question. Rule nine, therefore, regulates a victimized state's potential countermeasures to a cyber operation.
Prohibition of Threat or Use of Force Rule
Rule ten of the Manual regulates the prohibition of the threat or use of force as it applies to cyber operations that constitute a threat or use of force. Both the ban and the presumption on the issue of power could be part of customary international law on the use of force. By using and extending customary international law to cyber conflict, the Tallinn Manual has disambiguated the nature of cyber operations. It sends a clear legal message to nation-states: because a given cyber attack may not rise to an "armed attack," it does not mean it is illegal. The Tallinn Manual treated the issue of the use of force in cyberspace adequately: it clearly and unequivocally stated that the use of force, regardless of the means, violates customary international law. Despite this clarification, uncertainties remain about the right approach to cyber operations under the law of war paradigm.
Categorizing cyber incidents as an act of war
Rule eleven clarifies this issue. The classification factors are severity, immediacy, directness, invasiveness, measurability of effects, military character, state involvement, and presumptive legality. While these factors help determine whether an act is a use of force, some are more pertinent than others. The element of "severity" is the most critical consideration when characterizing a cyber operation as an act of war. The Tallinn Manual notes that severity is a de minimis element: actions resulting in physical harm to persons or property will always be a use of force, while minor acts will never be a use of force. However, cyber operations that fall in the middle are subject to an analysis based on the other factors and on subordinate components of "severity," such as a state's critical interests, scope, intensity, and duration.
Protection of prisoners of war in the cyber era
Prohibited cyber actions include posting defamatory information that reveals embarrassing or derogatory information about prisoners or their emotional state. For example, this would embrace posting information or images on the Internet that could be demeaning or that could subject prisoners of war or interned protected persons to public ridicule or public curiosity. The Manual also calls for guarding against intrusion by public and private actors into the communications, financial assets, or electronic records of prisoners of war or interned protected persons. The authors interpret traditional Geneva Convention protections for prisoners of war in the cyber era. They suggest that it is expressly prohibited to publish on the Internet humiliating or degrading information gathered from the prisoners or imagery taken of them in confinement.
Safeguarding cultural property in the digital age
"The use of digitized historical archives regarding a population to determine individuals' ethnic origin to facilitate genocide, crimes against humanity, or war crimes is unlawful."
The concept of cultural property and the digitization of physical artifacts also receive attention. In the past, destroying the cultural heritage of a people could deny them a critical connection to their past. In today's digital world, heritage is increasingly digitized, meaning that even if the original photograph, statue, building, or other work is destroyed by occupying military forces, it will live on as a digital memory. The Manual also touches on the frightening emerging world in which the most intimate details, from our medical conditions to our sexual preferences to our genetic makeup, are digitized and available in vast searchable databases.
The criticism of the previous efforts was that many states felt sidelined because their viewpoints were not considered. Therefore, many experts suggest that we need a Tallinn Manual 3.0 that considers private interests and the interests of non-NATO member states from a much broader spectrum.
Another challenge highlighted in the previous capacity-building effort was that "the states didn't want anyone to tell them what to do in cyberspace." They want to leverage cyberspace to fight a proxy war. Therefore, Tallinn Manual 3.0 must define accountability mechanisms and address all the ambiguities. It must also consider cyber-espionage incidents and deem the act wrongful.
"State and non-state actors are using cyberspace increasingly as a platform for irresponsible behavior from which to target critical infrastructure and our citizens, undermine democracies and international institutions and organizations, and undercut the fair competition in our global economy by stealing ideas when they cannot create them...We call on all states to support the evolving framework and to join us to ensure greater accountability and stability in cyberspace." - Joint Statement on Cyber Norms.
Although the statement echoes norms established at past U.N. meetings, the effort to hold nation-states accountable comes as two separate groups push their efforts to develop what those norms should be.
Several norms have been established over the past few years at the U.N. through a process known as the Group of Governmental Experts (GGEs), with representatives from approximately 20 countries interested in determining acceptable behavior in cyberspace.
But over the last year, as the dialogues have stalled, some nations have pushed for an alternative norms-creating forum. One group, known as the Open-Ended Working Group (OEWG), was established over the last year by Russia and China, two governments known for flagrant efforts to interfere in other states' domestic politics and to conduct cyber-enabled theft of intellectual property. That group started holding its own set of meetings recently.
Contested cyber norms
Some experts see the Open-Ended Working Group, which met for its first substantive meetings two weeks ago, as a challenge to the Group of Governmental Experts' work. Over several years, the GGE convinced Russia and China to sign agreements that conducting cyberattacks against critical infrastructure during peacetime is unacceptable. But in recent years, U.N. dialogues have fallen apart over reported objections that advancing the GGE could infringe on some states' right to self-defense.
U.S. Deputy Secretary of State John Sullivan acknowledged during remarks Monday that dignitaries say the new OEWG meetings may hamper the progress made by the GGE over the years, making it harder for norms to be established.
Moreover, we have the Shanghai Cooperation Organisation and its members, like China and Russia, developing cyber norms that do not uphold the norms established by the Western powers.
Therefore, we must still assess whether Cyber Norms are equivalent to International Law on Cyberspace. Also, does the absence of explicit consent on state or non-state behavior in cyberspace reflect failed diplomacy? Research in cyber diplomacy highlights that significant action has been taken. However, it is small compared to the volume of the problem we face.