Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations

Published: Apr 24, 2019

Edited by Rosemary Tropeano

For more information, contact:
202-994-7000 or nsarchiv@gwu.edu

Washington D.C., April 24, 2019 – The Tallinn Manual 2.0 is the second edition of NATO’s Cooperative Cyber Defence Centre of Excellence’s analysis on the application of international law to cyberspace. The analysis rests on the idea that cyber operations do not occur in a legal vacuum, and preexisting obligations under international law apply equally to the cyber domain. As such, the Tallinn Manual 2.0 is broken into four parts with twenty chapters total, each examining a different area of existing international law. The first section deals with general legal principles, while the latter three sections address specific specialized legal regimes. Consistent with its premise, the Tallinn Manual 2.0 cites over a century’s worth of treaties and case law, extending the premises of international law principles and regimes to their applications in cyberspace. Presented below is a list of the cases and treaties cited by the Tallinn Manual 2.0, listed in order of appearance by chapter, which serves both as a reference guide for the manual itself and as an illustration of the diversity of law that governs cyber activities.

Part 1: General International Law and Cyberspace

1: Sovereignty

This chapter addresses the foundational legal principle of sovereignty. While cyberspace is often portrayed as a borderless “global common,” the Tallinn Manual 2.0 uses existing definitions of sovereignty and international precedent to delineate state sovereignty over cyber infrastructure, actors, and activities, and the attendant legal rights and responsibilities implied by sovereign cyberspace.

2: Due diligence

“Due diligence” refers to the general international legal principle that states must exercise due diligence in ensuring that territory and objects over which they have sovereignty are not used to harm other states. This elaborates on the legal rights and responsibilities implied by sovereign cyberspace.

3: Jurisdiction

This chapter outlines state jurisdiction over cyber infrastructure, actors, and activities for both territorial and extraterritorial jurisdiction. Much as the first chapter delineates sovereign responsibility in a “borderless” domain, this chapter applies the definitions of jurisdiction in international law to the cyber domain.

4: Law of international responsibility

This chapter is divided into four sections. The first three deal with the responsibilities of states under customary international law, while the final section deals with the responsibilities of international organizations. Largely, this chapter deals with a state’s responsibility not to conduct internationally harmful cyber activities against other states. It addresses the questions of which states’ harmful actions can be legally attributed, what countermeasures are acceptable, and what the obligations are of states that do conduct internationally harmful acts.

5: Cyber operations not per se regulated by international law

This chapter, as the title may imply, does not cite international law. It addresses primarily the questions of the legality of peacetime cyber espionage and the standing of actions by nonstate actors. As neither of these questions is addressed within the scope of international law, the Tallinn Manual 2.0 instead draws on other sources.

  • No relevant case law citations.

Part 2: Specialised regimes of international law and cyberspace

6: International Human Rights Law

It is generally accepted that many of the human rights enjoyed by individuals offline also exist online. This chapter elaborates on this extension, pulling on the body of existing international human rights law to articulate online human rights and the obligations of states to those rights.

7: Diplomatic and consular law

The foundations of diplomatic and consular law are the inviolability of the physical premises of a diplomatic mission, its correspondence, and the immunity afforded to diplomatic personnel. This chapter extends that principle into the cyber domain. In a similar vein, it discusses how the obligations of diplomatic missions to refrain from activities inconsistent with their diplomatic function, or incompatible with the laws and regulations of the host state, extend to the cyber domain.

8: Law of the Sea

This chapter largely addresses a gamut of questions regarding the conduct of cyber operations on the seas, both the high seas and in exclusive economic zones, as defined by the Law of the Sea Convention. It extends both peacetime and wartime principles derived from the Convention to the cyber domain.

9: Air Law

Aircraft can serve as both a target of and platform for cyber operations. This chapter uses principles primarily derived from the Chicago Convention to clarify legal questions related to both roles, as well as the conduct of cyber activities in international airspace.

10: Space Law

This chapter overviews the application of the treaties governing states’ use of outer space to cyber operations. Much like the chapter overviewing Air Law, the Tallinn Manual 2.0 treats space, particularly satellites and other space objects, as both a platform and target for cyberattacks. It also details the state’s responsibility under the existing regime to supervise the activities of nonstate actors and state liability for the outcomes of cyber operations involving space objects.

11: International Telecommunication Law

States have preexisting obligations regarding the exchange of international telecommunications under the ITU Constitution and ITU regulations. This chapter extends those obligations to include cyber infrastructure for international telecommunications and details the implications of that extension.

Part 3: International peace and security and cyber activities

12: Peaceful Settlement

This chapter is a brief discussion of the principle of peaceful settlement, which requires states to settle international disputes through peaceful means. This principle holds true for disputes involving cyber activities.

13: Prohibition of Intervention

States and the United Nations are expected not to intervene in the internal or external affairs of other states under international law. The Tallinn Manual 2.0 acknowledges that cyberspace creates new opportunities for states to intervene in others' affairs, but declares that international law prohibits this cyber intervention as much as any other kind.

14: The use of force

This chapter addresses questions relating to uses of force through cyber means. It defines when cyber operations constitute uses of force and reiterates that the general international legal principle prohibiting the threat or use of force would cover such operations. The chapter is broken into two sections, with the second section addressing the body of international law covering self-defense and its relation to cyber uses of force.

15: Collective security

The United Nations Charter empowers the UN Security Council to determine the existence of threats to the peace and make recommendations or take measures to restore international peace and security. This chapter discusses the application of those powers in two senses. First, it addresses the UNSC’s right to determine that a cyber operation constitutes a threat to the peace. Second, it addresses the power of the UNSC to authorize cyber operations as a measure to restore international peace.

Part 4: The law of cyber armed conflict

16: The law of armed conflict generally

This chapter focuses on the general applicability of the laws of armed conflict to cyber operations. These applications hold true for cyber operations conducted as a part of larger-scale conflict as well as conflicts limited to cyber operations. It also outlines the applicability of the Geneva Conventions to cyber operations and individual criminal responsibility for cyber operations under international law.

17: Conduct of hostilities

This chapter is broken into nine sections: participation in armed conflict; attacks generally; attacks against persons; attacks against objects; means and methods of warfare; conduct of attacks; precautions; perfidy and improper use; and blockades and zones. It applies the body of customary international law governing hostilities to the use of cyber operations in warfare.

18: Certain persons, objects, and activities

The law of armed conflict sets out several specific classes of persons, objects, and activities that are provided special protections. Following from the general applicability of the law of armed conflict to cyber operations, these classes retain their protections against cyber operations as a part of armed conflict. This chapter is broken into ten sections: medical and religious personnel and medical units, transports, and material; children; journalists; installations containing dangerous forces; objects indispensable to the survival of the civilian population; cultural property; the natural environment; collective punishment; and humanitarian assistance.

19: Occupation

Despite the existence of sovereign cyberspace, there is no legal notion of occupation of cyberspace. However, the international law governing the obligations of states occupying physical territory is recognized as applicable to the cyber domain. Occupying powers have both the right to use cyber means to accomplish their responsibilities, and the responsibility to respect and protect protected persons in occupied territories from the harmful effects of cyber operations.

20: Neutrality

The law of neutrality in international armed conflict regulates the relationship between parties to an armed conflict and states not party to the conflict. These regulations largely exist to protect neutral states, safeguard their rights, and protect the parties to the conflict against action or inaction benefiting their enemies. This chapter applies these principles to the cyber domain, protecting the cyber infrastructure of neutral parties and protecting the parties to the conflict from actions or inactions by neutral parties in the cyber domain.