Keynote by HE Mr. Stef Blok MA, Minister of Foreign Affairs1

When I took office a little over three months ago, I saw in my calendar that I’d be delivering a speech on the first ‘birthday’ of… a manual. A first birthday is a special occasion, as any parent will agree. You know how new parents are – they love to celebrate every little milestone: baby’s first smile, baby’s first steps… All very understandable – for a child. But for a manual?

It makes me think of the booklet you get when you buy a new appliance or some flat-pack furniture. Not exactly a page-turner. And yet: very handy, if you want to get the most out of your expensive purchase. Or put together a piece of furniture that actually looks like the picture. In a sense, a manual can be the difference between a job well done and a disaster - as you will know, if you’ve ever tried to get by without it. The same is true of the Tallinn Manual - our set of instructions for state behaviour in cyberspace. It’s more than just a user’s guide. And this first birthday is more than just an anniversary; it’s an occasion to take stock of an issue of vital interest to us all.

The internet enriches our society and economy. It allows for big efficiency gains. The benefits can be very concrete. In that sense, cyberspace has come down from ‘the cloud’ and entered the reality of our daily lives. Consider, for example, the ultra-short supply lines for supermarkets: information about stock levels is communicated in real time. Stocks can then be replenished as needed.

But of course, this dependence comes with a risk. If the Web goes down, the supermarket may soon find itself with empty shelves. The impact of an unreliable internet can be highly concrete. And then the damage is not virtual, but painfully tangible. And quite substantial, too. We’ve unfortunately seen some real-world examples of that too. The WannaCry attack – untargeted but destructive – cost companies an estimated $592.5 million. The NotPetya attack was even worse: it cost companies an estimated $892.5 million in lost revenue.

Important battle

So, the Tallinn Manual is part of an important battle. A battle being waged by many, to defend the interests of many. Relevant not only to supermarkets, but to every domain of our daily lives. From parking garages to the port of Rotterdam, from power plants to public services like healthcare. Just an example. The WannaCry virus shut down computers in more than 80 National Health Service organisations in England alone. The result: almost 20,000 cancelled appointments, 600 family doctors’ practices having to resort to pen and paper, and five hospitals diverting ambulances, unable to handle any more emergency cases. So cyberspace is definitely no longer this elusive, distant dimension. There is no longer anything abstract or virtual about it. It is material, here and now, for all of us. Just look at the Netherlands. Our digital economy has been growing at an astonishing pace. We’re now one of the world’s most digitally advanced countries. Our digital economy accounts for 7.7 per cent of our total economy, a figure which is increasing all the time. IT plays an essential part in the daily work of 1.5 million Dutch workers. This digitally dependent workforce created €182 billion in added value in 2016 – around 30% of total GDP. And digital growth still hasn’t reached its peak. So it’s no surprise that the Netherlands is at the forefront of efforts to advance the debate on keeping cyberspace stable and safe.

Complex challenge

The challenge is a complex one. The internet belongs to everyone, and to no one. We have to work on many different tracks simultaneously: public and private, national and international. For example, in the Global Conference on Cyberspace (GCCS) and in the Global Commission on the Stability of Cyberspace (GCSC).

Domestically, the Netherlands is also investing heavily in this area.

The government has decided to set aside €95 million, with a special focus on setting standards for ‘Internet of Things’ – devices; establishing software liability; enhancing the National Cyber Security Centre; and improving public information campaigns. As a part of that investment, as of 2019, Dutch diplomacy will be further strengthened. As I also indicated in the Integrated International Security Strategy I recently presented: the diplomatic response to cyberattacks is essential. Of course, my ministry acts in concert with other ministries, including the Ministry of Defence – as Minister Bijleveld will confirm later today. Starting this year, cyber diplomats will be deployed at crucial bilateral missions, like Washington, Beijing and Moscow, and also at multilateral missions, like Brussels and Geneva. Other missions will be actively supported by a special cyber task force team.

What’s more, we are investing another 3 million euros in projects to deepen our knowledge about cyber issues, both in The Hague and in our network of missions abroad. This way, my ministry can continue to work effectively for the Netherlands, around the world – including in cyberspace.

International law

In our cyber-policy, one of the tracks we invest in heavily is the international law dimension. This should be no surprise in the country of Hugo Grotius, a country with a strong tradition in international law, and here in The Hague – city of peace and justice. The key to success lies in clear rules, which apply to everyone equally. This principle is no different for cyberspace: it’s not the technology that sets the rules; it’s us: the users. We take the position that there’s no need to develop a new system of international law for this purpose. On the contrary, making clear that existing laws apply equally in cyberspace is our best guarantee of a future with an open, free and stable internet.

Tallinn Manual

The question before us then is of course: ‘How?’.

This was the point of departure for the Tallinn Manual. Here, the Tallinn Manual gives clear guidance. On questions like, for instance: How should international law respond to cyberattacks? The Manual provides a framework. When can a state be held accountable? The roadmap is right there - in the Manual. What can we do in response, are countermeasures possible? The Manual describes the conditions and limitations clearly. Of course, the Tallinn Manual doesn’t provide all the answers. It’s not an official document, and the Netherlands doesn’t necessarily agree with everything in it. In fact, in some cases, the manual describes more than one possible interpretation. Nor is it simple. Issues like state responsibility are complicated enough in the ‘real’ world, let alone the ‘virtual’ world. In no small part, because there they represent uncharted legal territory. But the Tallinn Manual is the first document to address these questions. It is our first and only guide for this new world. And one year after its birth, our need for this guide has only grown. Because, in the meantime – as we must sadly note – the number of malicious attacks is on the rise. These are no longer isolated incidents. Rather, they are carefully planned attempts to trigger social disruption. So on this first birthday we must not only celebrate and eat cake. We must recognise that there is still reluctance to take action in the face of a cyberattack, to hold the perpetrators accountable. This reluctance is understandable. But over the long term it has a destabilising effect. Because in practice, failing to enforce the rules in cyberspace means: yielding to the law of the jungle. We can’t afford to let this happen. We can no longer live without the internet. It’s everywhere, and it lies at the foundation of everything: our ports and power grids; our hospitals and houses, our financial systems and supermarkets. So what are we all waiting for?

Second year

So in closing, I would like to say this. The Manual is now entering its second year. At this point, like the new parents, we cannot imagine our lives without this new arrival.

But now, the Manual needs to mature. It’s here to stay, and for our part, we have to start taking it seriously. If there ever was a time for governments to start applying this Manual, it is now.

This is the only way we can impose a price on bad behaviour.

This is the only way we can put an end to the growing impunity in cyberspace.

This is the only way we can keep the structure we call the internet stable and safe over the long term.

We will remain committed to that goal. Please, join us – here, and in cyberspace.

Prof. Dr. Michael N. Schmitt1

Recent events have proven rather discouraging with respect to the recognition and further development of a normative architecture to govern operations in cyberspace. Of particular note is the failure of the 2016 – 2017 UN Group of Governmental Experts (GGE) to agree on text regarding cyber norms for inclusion in the report it had expected to issue.2 Opposition from a number of states, most notably China and Russia, to any explicit mention of either the law of self-defense or international humanitarian law, as well as a degree of resistance to text that would implicate the right of states to take countermeasures (discussed below) pursuant to the law of state responsibility, prevented issuance of a consensus report by the group of 25 states.3 This was particularly disheartening because the 2013 and 2015 UN GGE reports had made significant progress with respect to articulating both binding and hortatory norms applicable in cyberspace.4 

Other efforts to identify cyber norms are underway, such as those of the Global Commission on the Stability of Cyberspace, which recently proposed adoption of a non-binding norm providing ‘State and non-state actors should not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites’.5 The private sector has also been active in the field. Perhaps most significant in this regard are Microsoft’s proposed Digital Geneva Convention6 and the Cybersecurity Tech Accord.7  There are also growing rumors about the prospect of a future GGE to take up where the previous five iterations left off. 

In my view, however, the greatest prospect for progress in the near term lies in states making clear their positions with respect to when and how specific international law principles and norms apply in cyberspace. Involvement of non-state actors, such as the private sector, nongovernmental organizations and academia, is appropriate in light of the multi-stakeholder approach to norms that of necessity must be taken due to the shared nature of cyberspace. Nevertheless, it remains the case that states, and only states, have the formal authority to craft new international legal regimes and authoritatively interpret international law’s existing principles and rules. They do so through the adoption of treaties or by engaging in practices that when combined with expressions of opinio juris (expressions by states that the practice in which they are engaged, or that they refrain from, is required by law) results in the crystallization of customary international law.8

I am relatively pessimistic about the likelihood of a multilateral cyber treaty that is general in scope, for, as demonstrated by the unsuccessful attempt to articulate norms during the 2016-2017 GGE, key cyberspace players appear to remain at some distance from each other vis-à-vis the role that international law should play in cyberspace. I am also doubtful about the possibility of new customary international law crystallizing in the near future. The almost mystical process of crystallization is both intricate and vague. Complicating matters in that regard are the secrecy that surrounds cyber activities and the practical difficulties of attribution to states of observed cyber activities. In other words, state practice is highly difficult to identify with the requisite clarity and objectivity.

This being so, the best hope for international law governance in cyberspace lies in state interpretation of extant norms. While the Convention on the Law of Treaties sets forth rules for treaty interpretation,9 and mechanisms exist regarding the identification and understanding of customary international law,10 the reality is that in this relatively new sphere of activity, what states actually say about how they understand treaty and customary international law is what will matter, especially given the paucity of visible state cyber practice. Over time, a critical mass of complementary state views on a particular cyber legal issue will accumulate and that interpretation may become binding law. There is no mathematical precision as to when this point is reached. Yet, states that fail to participate in the process must understand that they are surrendering the interpretive battlespace to those states willing to set forth their views or, indeed, even to non-state actors who deftly move in to fill a void ignored by states.11

Unfortunately, the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations is sometimes viewed as filling the interpretive void that has heretofore been unaddressed by states.12 Speaking as director of the project, I can confirm that this was never the intention of the participants who made up the two International Groups of Experts (IGE) that prepared the Manual. On the contrary the IGEs assiduously sought to set forth all reasonable views with respect to the application and interpretation of international law to cyber operations so as to empower states to better understand the interpretive options available to them. In other words, the Tallinn Manual 2.0 was always meant to be a tool for states in their own interpretive journey, rather than a document with any prescriptive effect, formal or informal.

The time is ripe for states to begin to set forth their positions with respect to the myriad issues of international law that arise in the cyber context.  Presentations by the Netherlands’ Ministers of Foreign Affairs and Defence made at the first anniversary celebration of Tallinn Manual 2.0’s publication, which are reprinted in this volume, are illustrative early steps in this process.13 So too are, for example, important speeches by U.S. Department of State Legal Advisors,14 submissions by states to international fora,15 and the very recent address by the Attorney General of the United Kingdom at Chatham House.16 Yet, in most cases such laudatory efforts, while substantively significant, fail to identify cyber norms with the granularity that is necessary to directly affect specific ongoing operations.

Accordingly, states need to redouble their efforts to shape the normative cyber architecture that will govern activities in cyberspace. Two tacks hold promise. First, they may do so by clearly articulating broad premises of law with which most states can agree, thereby allowing concentration on the narrower nuances of those positions. Second, there are certain areas of international cyber law where states need to immediately set forth their legal position in order to hold the line against assertions regarding international cyber law that are potentially destabilizing.

With respect to the former, states should confirm, and encourage other states to follow suit, the full applicability to cyber operations of the jus ad bellum, that is, the law governing the resort to force by states as an instrument of their national policy. Key to this legal regime are the customary law prohibition on the use of force codified in Article 2(4) of the UN Charter and the right of self-defense set forth in Article 51 of the Charter, which also reflects customary law.17 There appears to be relatively broad agreement that any cyber operation that is physically destructive or injurious is a use of force. There also appears to be, despite politically motivated opposition in the GGE by certain states, broad consensus that when the destruction or injuries are significant, the victim state enjoys the right of self-defense by both cyber and kinetic means against the state that launched the cyber ‘armed attack’.

Statements to this effect are useful in cementing these norms in place but could go further. In particular, states could publicly announce that cyber operations need be neither physically destructive nor injurious in order to trip over the ‘use of force’ or ‘armed attack’ thresholds respectively. Rather, they could announce their intention to assess harmful cyber operations against these thresholds based on the severity of the consequences that have manifested (or are expected to eventuate). An example is the Dutch Minister of Defence’s statement in her Tallinn Manual 2.0 anniversary presentation that a cyber-attack targets the entire Dutch financial system … or … prevents the government from carrying out essential tasks such as policing or taxation … would qualify as an armed attack.” Although such statements may lack legal precision in terms of articulating clear-cut criteria, a broad severity of consequences-based approach would serve a deterrent purpose by placing other states (and in the case of self-defense, non-state actors) on notice that, if severe, such a cyber operation would risk not only condemnation as an internationally wrongful act, but also, in certain cases, a robust response pursuant to the law of self-defense. The approach also reflects reality. After all, few states facing, or observing, a nationally disruptive cyber operation having widespread deleterious effects would hesitate to label it a violation of the prohibition on the use of force or believe themselves constrained by international law from responding forcefully pursuant to the right of self-defense.

Articulation of such a position would beg many questions, the most important of which is where to draw the lines and which criteria to apply when doing so. However, the position has the benefit of focusing the attention and effort of states where it belongs – on drawing those lines and identifying the appropriate criteria for qualifying a cyber operation that is neither destructive nor injurious as a use of force and, in acute cases, an armed attack. Moving the discussion in this direction would have the further benefit of sidelining the unsupportable objection of a few states to overt references to the right of self-defense in cyberspace; as states begin to refine the thresholds, any assertion that no such line exists would soon be seen as puerile by the remainder of the international community.

States also should affirm the full applicability of the jus in bello (international humanitarian law) to cyber operations that take place during an armed conflict, whether international or non-international in character. Like the applicability of the jus ad bellum, no convincing argument supports the non-applicability of IHL to these operations. As noted, politically motivated opposition to reference to ‘international humanitarian law’ arose during the 2016 – 2017 GGE, but such opposition was without logical or normative foundation. Therefore, the advancement of international cyber norms would be fostered significantly by widespread public embrace of the position. Such declarations would contribute measurably to those already made by states such as the Netherlands, United States, and United Kingdom, as well as NATO and the European Union.18 They would also help clarify the veiled reference to IHL implied by the reference to the principles of humanity, necessity, proportionality and distinction found in the 2015 UN GGE report.19

States could venture even further in adding granularity to this broad, and in my view self-evident, assertion. In particular, there is no reason that they should refrain from specifically acknowledging that the conduct of hostility rules appearing in the 1977 Additional Protocol I to the 1949 Geneva Conventions, most of which reflect customary IHL, apply to cyber operations during armed conflict. 20 Of particular note in this respect are the rules prohibiting attacks against civilian objects, which would include civilian cyber infrastructure, the rule of proportionality and the requirement to take precautions and attack. 21   The effect of such rules is very significant in the cyber context.  For example, a commander considering an attack against a valid military objective must, pursuant to the requirement to take precautions in attack, consider whether directing cyber operations rather than kinetic attack against the target would avoid civilian collateral damage without sacrificing the military advantage that the operation is intended to achieve. 22

There are unsettled issues with respect to IHL’s application to cyber operations that merit further development. It is there that states should focus their attention. Three merit particular attention. The first is the meaning of the term ‘attack’ in the cyber context. Article 49 of Additional Protocol I defines an attack as ‘an act of violence against the adversary, whether in offense or in defence’. This treaty provision, which is generally understood to reflect customary international law, confirms that a physically destructive or injurious cyber operation qualifies as an attack to which the prohibition on attacking civilian objects and other conduct of hostilities rules apply. It is important to note that despite the ‘against the adversary text’, it is well-accepted that violent cyber operations directed at civilians or civilian objects are attacks, as are cyber operations that, while not causing these effects with respect to the targeted system, nevertheless have indirect (collateral) consequences at that level.23

The unsettled issue is whether these rules apply to cyber operations not having physical effects or causing injury, such as those that interfere with the functionality of cyber infrastructure. It is my position that the rules governing attacks apply to many such operations,24 although the precise threshold at which the resulting consequences qualify an operation as an attack is a matter that demands the attention of states.  For instance, does a temporary loss of functionality do so? If the loss of functionality can be remedied through reloading either the operating system or data upon which functioning of the system relies, is the operation an attack? If this system continues to operate but does not do so in the intended manner, has the requisite loss of functionality occurred?  These are important queries because a cyber operation that does reach the attack threshold arguably may be conducted against civilian cyber infrastructure, as is the case with many cyber psychological operations. States need to develop their positions on such matters lest their armed forces be left without guidance when crafting rules of engagement and other guidance.

A related issue deals with the rule of proportionality, which prohibits an attack that is expected to cause collateral damage to civilian objects or incidental injury to civilians that is excessive in relation to the military advantage anticipated to be achieved as a result of the attack. The rule, which is found in both Articles 51 and 57 of Additional Protocol I, specifically refers to ‘damage’. The question is when does an effect on civilian cyber infrastructure that is not physically damaging nevertheless qualify as damage for the purpose of the rule?  Again, I am of the view that a loss of functionality may amount to damage that must be factored into the proportionality calculation. In my estimation, states should be focusing their attention on determining when it does so.

Finally, a long-standing debate surrounds the treatment of data. The issue is whether data is an ‘object’ such that the prohibition on targeting civilian objects25 applies to cyber operations that delete or alter civilian data. Relatedly, it is unsettled whether deletion or alteration of civilian data qualifies as collateral damage to civilian objects for the purposes of the rule of proportionality. There is widespread consensus that if the consequence of the loss of, or change to, the data is physical in nature, as in the case of cyber infrastructure that suffers physical damage when its data is altered, the prohibition applies. An example would be manipulation of data upon which the cooling system for cyber infrastructure relies, thereby causing the system to overheat in a manner that damages the infrastructure.

The legal challenge surrounds cyber operations directed at data that do not have a physical effect, such as those targeting civilian financial systems. There are some experts who assert that data should be treated as an object.26 In their view, broadly speaking, cyber operations against civilian data are unlawful attacks on civilian objects. Additionally, for them, any direct or indirect effect on civilian data that results collaterally during an operation directed against a lawful cyber target must be considered in the proportionality analysis and is subject to the requirement to seek to minimize civilian collateral damage (precautions in attack). This approach has the benefit of shielding the civilian population from the potential negative effects of cyber operations but is over inclusive in that it would include some cyber operations that states regularly engage in, like psychological operations.

Opponents of the approach note that data is intangible and therefore does not logically qualify as an object. This view seems to be consistent with the general approach in international law that terms should be interpreted in accordance with their ordinary meaning.27 Yet, if data is not an object, the door is wide open for cyber operations directed against civilian data; indeed, it would be lawful to conduct cyber operations that are extraordinarily disruptive to civilian life.

There is no easy answer to either the question of where the threshold of attack lies or that of how data should be treated as a matter of law. In a forthcoming article in the International Review of the Red Cross, I suggest that states make two policy commitments to address the situation.28 The first is that they accord special protection to certain ‘essential civilian functions or services’ by committing to refrain from conducting cyber operations against civilian infrastructure or data when doing so would interfere with those functions or services. The second proposal is states should commit to refraining from conducting cyber operations to which the IHL rules governing attacks do not apply (because, for instance, the operation is not at the attack level or data is not considered an object) when the expected concrete negative effects on individual civilians or the civilian population of the operation would be excessive relative to the concrete benefit related to the conflict that is anticipated to be gained through the operation. However, the adoption of policies does not resolve definitively the legal issues at hand. Therefore, states should begin to fashion their own stance on these issues and collaborate with other states in developing consensus positions, particularly within alliances like NATO.

As noted above, states also need to set forth their legal positions with respect to certain cyber issues that may prove destabilizing in the absence of rules governing them. Most significant among these is the question of sovereignty. Recently, assertions have been made that sovereignty is a principle of law that undergirds rules such as the prohibitions on intervention and the use of force, but not a rule that is separately binding of its own accord.29 By this interpretation, which appears to have been embraced by the United Kingdom,30 cyber operations are never rendered unlawful on the basis that they have violated the sovereignty of the target state.

This position makes operational sense if the objective is to avoid normative obstacles to offensive operations against other states. Yet, it must be cautioned that, pursuant to the principle of sovereign equality,31 the approach would apply equally to all states. As a result, a state that adopts the position cannot subsequently claim that other states have violated its sovereignty when it is victimized by hostile cyber operations conducted by, or attributable to, another state. For instance, the United Kingdom has now deprived itself of that argument when other states, like Russia, remotely conduct cyber operations into British territory.

Additionally, a state adopting this view cannot resort to cyber or non-cyber ‘countermeasures’ pursuant to the law of state responsibility by making the assertion that its sovereignty has been violated. A countermeasure in the cyber context is an operation that would violate international law but for the fact that it is designed to put an end to an unlawful cyber operation directed against the state taking the countermeasure. Thus, disavowal of a rule of sovereignty eliminates a significant response tool when facing hostile cyber operations. Moreover, states taking this position undervalue the effect of naming and shaming states to which hostile cyber operations may be attributed. The fact that most states deny their involvement in hostile cyber operations, as is unambiguously illustrated in the case of Russian election meddling around the world, is evidence of the importance states place on not being named a lawbreaker.

The better approach is for states to acknowledge that sovereignty is a rule that can be violated.32 and focus efforts on identifying when it is so violated. For instance, what types of effects must manifest before a remotely conducted cyber operation into a state’s territory violates that state’s sovereignty?  When is an activity inherently governmental such that interference with, or usurpation of, the activity by another state is a sovereignty violation? Addressing the matter in this manner would allow retain the protective veil of sovereignty while tempering its restrictive effect through reasonable interpretation consistent with the state’s national security imperatives. 

A second issue regarding which states are at legal risk if they do not seize the opportunity to take a position is due diligence. Pursuant to the rule of due diligence, which was raised in the International Court of Justice’s first case, Corfu Channel, a state is obligated to ensure that its territory is not used to the detriment of other states by either a state or a non-state actor.33 In the cyber context, this means that a state would have to put an end to a hostile cyber operation being launched from its territory or that remotely employ cyber infrastructure on that territory to conduct the operation.

There appears to be a degree of state concern that such an obligation imposes an unbearable burden. Therefore, although a number of states have adopted the position that the rule of due diligence applies, others are hesitant to acknowledge the obligation in the context of cyber operations. Such concerns are overstated, for the rule is often misunderstood.34 Most of the Tallinn Manual 2.0 experts were of the view that the due diligence obligation only requires states to act to terminate ongoing hostile cyber operations; it imposes no obligation to take measures to prevent future operations or to otherwise ensure the hygiene of cyber infrastructure located on the state’s territory. Moreover, the prevailing view is that it does not apply to all hostile cyber operations mounted from or through cyber infrastructure on the state’s territory, but rather only operations that have serious adverse consequences for another state.  This is a high bar to cross.

It is also generally understood that the rule does not apply to hostile cyber operations that only affect the interests of other states, as distinct from their rights. As an example, a hostile cyber operation against a bank’s network that causes damage affects (in my view) the sovereignty rights of the state where that network is located. But if the operation affects the ability of individuals in third states to access their bank accounts remotely, an interest of those states would be implicated, not a right under international law. Most importantly, pursuant to the rule, states need only take those actions that are feasible in the circumstances. If a state lacks the ability to put an end to the hostile operations, it is not in breach of its due diligence obligation. In other words, the obligation is one of conduct, not a result. In light of these limitations, states need not be concerned that the due diligence rule imposes an overly onerous obligation on them. On the contrary, as a responsible member of the international community they should already be taking measures consistent with it.

Additionally, what is sometimes missed is that the due diligence rule opens the door to conducting responses against cyber operations mounted by non-state actors.35 Pursuant to the law of state responsibility, countermeasures are only available in response to internationally wrongful acts that are engaged in by states, or that are attributable to states under that body of law.36 If a non-state actor’s hostile cyber operations cannot be attributed to a state, the victim state (‘injured’ state in the law of state responsibility) has no right to take countermeasures to put an end to the hostile operations.

Yet, because the non-state actors are operating from another state, that state has a due diligence obligation to put an end to the hostile operations. Should it be unwilling to do so, the state would be in breach of its obligations under the rule of due diligence. This would allow the injured state to take countermeasures against the territorial state on the basis of that breach and those countermeasures could take the form of violating the territorial state’s sovereignty by means of cyber operations against the non-state actor. The violation would be excused because the fact that the response qualifies as countermeasures is a ground for ‘precluding the wrongfulness’ of an action under the law of state responsibility.37 Simply put, the rule of due diligence makes possible responses against hostile cyber operations by non-state actors in situations in which a robust response would not otherwise be available. If only for this reason, states should acknowledge the due diligence obligation. 

Finally, states need to clearly articulate those response options that they believe are available under general international law. I have already addressed the issue of self-defense pursuant to Article 51 of the UN Charter and customary international law. However, most cyber operations do not rise to the level of an armed attack. Therefore, it is essential that two other response options be well understood and widely accepted.

The first, already mentioned, is the right to take countermeasures in the face of an unlawful cyber operation conducted by, or attributable to, another state. It should be cautioned that numerous restrictions apply to the taking of countermeasures, the most significant of which is a requirement that it be proportional in the sense of having some relation in terms of severity to the unlawful cyber operation to which it responds.38 Nevertheless, considering the degree of push-back against countermeasures during the 2016 - 2017 GGE, states should quickly seize the opportunity to affirm that they reserve the right to take countermeasures in response to unlawful cyber operations directed against them. Absent such an affirmation, states will generally be limited to responses called retorsion, that is, unfriendly but lawful actions such as the expulsion of diplomats and the imposition of economic sanctions.

An additional response option that has received very little attention is based upon what is known as the plea of necessity.39 Such responses, like countermeasures, may involve cyber operations that would otherwise be unlawful, but their wrongfulness has been ‘precluded’ because they are designed to put an end to hostile cyber operations directed against the state taking them. They are of particular importance because a response based on the plea of necessity is available against cyber operations mounted by non-state actors that are not attributable to a state or against those that cannot be reliably attributed to a state. In this sense, they differ from countermeasures. Thus, for example, a response based on the plea could be directed against non-state actors operating from a state that is in compliance with its due diligence obligation because it is willing to take measures to put an end to the non-state actor’s hostile cyber operations but lacks the ability to do so.

Although the plea of necessity remedies a number of the limitations that attach to countermeasures, it may only be resorted to when the ‘essential interests’ are facing ‘grave and imminent peril’.  The exact nature of these two phrases remains uncertain in international law. For example, states often designate certain infrastructure as ‘critical’, but that designation does not necessarily qualify the interest concerned as essential with respect to international law. Moreover, the point at which the harm being suffered can be characterized as grave is not only contextual, but also relatively vague. While these are complicated issues that states should be assessing with sensitivity to their own national interests, there is no obstacle to publicly taking the general position that the plea of necessity applies in the cyber contact.

Ultimately, the future of international cyber law lies in the hands of states, particularly as they interpret extant international law norms. They may choose to craft a relatively permissive environment in which international law plays little role in deterring hostile cyber operations or shaping the responses available thereto. This approach is exemplified in the British position that sovereignty is a principle of international law, but not a rule.

In my view, the better tactic is to employ the interpretive authority states enjoy vis-à-vis international law to safeguard the crucial activities of states and their societies in cyberspace, both during times of peace and armed conflict. With response options such as countermeasures, the plea of necessity and self-defence, states benefit from an array of lawful options for protecting these activities. And a well-developed IHL architecture applicable to cyber operations conducted during an armed conflict is consistent with the balancing of military necessity and humanitarian considerations that permeates all of international humanitarian law.40

Allow me to close by complementing the Kingdom of the Netherlands for its willingness to take the lead by beginning to announce its legal positions with respect to activities in cyberspace; other states must do the same.  The Netherlands also has perceptively identified a lack of understanding of the complexity of international cyber law as an obstacle to international agreement on the applicable norms for behavior in cyberspace. I accordingly also complement the Netherlands for its Hague Process, which provides international cyber law training, in collaboration with other governments and international organizations, for government officials around the world. Such programs will empower states to intelligently, responsibly and constructively craft their own legal positions with respect to the shared domain that is cyberspace.

Ms. Liisa Past MA1

Cyber security – at its core defined as is defending the confidentiality, integrity and availability of data, networks and systems – is often overly mystified. In practice, it is another sphere in which governments assert their interests in conflict and, more importantly, strive to provide a stable and safe environment during peacetime. For this, a stable legal and normative environment is required.

At the same time, the intensifying tensions in cyberspace are highlighted by an ever-increasing level of incidents and attacks. A number of recent campaigns have targeted nations and governments; these are often considered to have been state-backed.

Thus, 9 years ago, when the Tallinn Manual Process started, was perhaps a simpler, more hopeful time. In December 2012 when the Tallinn Manual 2.0 discussions kicked off, it was still hoped and sometimes believed that the lines in the sand regarding state-backed aggression in cyberspace will hold.

Amongst the most prominent of those red lines were the functioning of our democratic processes and our national critical information infrastructure. It was hoped that those two will not be targets of state-backed or politically inspired cyberattacks, at least not during peacetime. It is now clear that the attackers have broken those taboos in the last few years. Elections and participants in the democratic processes as well as water, power and air travel have all been targets of state-sponsored cyber-attacks.

The attacks against power supply in Ukraine on Christmas 2015 and 2016 served as a significant demonstration of the adversarial capabilities, a warning of things to come. By 2017 it was revealed that European and US power – including nuclear - and water systems had been compromised. Those attacks were initially believed to have been targeting business networks, often knocks on the door to map the perimeter. It is now known that the campaigns went further and the impact could potentially have been detrimental to power production and distribution.

The meddling in our democratic systems goes beyond campaign hacks or the compromise of candidates and parties as most notably seen with the campaigns of Emmanuel Macron and Hillary Clinton. Yes, the public most embarrassingly found out what Hillary Clinton's campaign chief John Podesta’s password was after a successful phishing incident, but election officials as well as vendors are now known to have been targeted.

This, in a number of ways, demonstrates the importance of the work that has gone into Tallinn Manual 2.0, particularly in terms of jurisdiction and state responsibility.

The biggest change underlining these attacks are that state-backed players or those directly representing the government agencies no longer operate in the grey zone of strategic ambiguity. The shame of being caught has diminished. The effects of state backed malicious cyber activity go further. This makes attribution more important than ever, not the least as a basis for any response to malicious state-backed cyber activity.

The US agencies have attributed the campaign hacks to Russia. Last May, WannaCry ransomware impacted 150 countries and hundreds of thousands of systems, paralyzing healthcare, production facilities and telecoms. It was attributed to North Korea by US, UK, Australia, New Zealand and Japan. Similarly, the NotPetya wiper was attributed to Russia by an international coalition in a show of solidarity.

Attribution, of course, matters as it can lead to deterrence. However, we need to be careful here, so that we are not trigger-happy. In the past few years, attribution has moved from being a largely technical discipline to something much larger than digital forensics. It balances technical, legal and political elements. And this balance is something states and governments have to consider carefully.

In looking for response options, in particular, the three elements have to be all considered. Attribution cannot be seen as paving way to retribution. This is simply not an option in our agreed-upon international law regime. Therefore the lawyers need to be present through the attribution process. In particular, cooperation is needed to figure out and address thresholds and mechanisms for attribution as well as standards for evidence within states and then internationally. This way we have a sustainable idea of what deterrence might look like.

Up to now, most of the options available in response to cyber attacks are not collective, leaving collective defence in the cyber sphere to be furnished by practice. Currently, governments are at most coordinating responses and countermeasures. It is clear that states are figuring out their diplomatic, cyber-enabled and conventional responses to the facilitators and organizers of nation-on-nation cyber attacks.

EU has recently empowered itself to respond to cyber attacks with a comprehensive set of Common Foreign and Security Policy (CFSP) measures, including diplomatic, economic and restrictive ones, “which can be used to prevent and respond to malicious cyber activities” (http://www.consilium.europa.eu/media/31666/st14435en17.pdf). NATO, having declared cyber space a domain of military operations, serves as the next step of the ladder of collective escalation of response to events in cyberspace. So, state responsibility as it is analysed in the Tallinn Manual continues to be central.

Looking ahead, there are obvious challenges. The use of AI, including possible automated weapons systems poses legal challenges, given how even regulating self-driving cars has been a struggle. The definition of data as military objective has multiple interpretations. However, state practice seems to becoming clearer, even if the legal interpretations are not moving closer to each other. Law enforcements ability to pursue cyber crime across borders needs to be improved, but again, this is up to the respective agencies.

The issues mentioned above refer to relationships between national actors and their actions. As societies and governments, however, we are uniquely and increasingly dependent on international corporations, their goods and services, be it software or equipment. We need to figure out ways, including legal mechanism, to be a demanding customer and have clear standards for supply chain assurance and vendors responsibility.

As governments, we have a pressing need for clarity and legal standards when it comes to cross border dependencies and supply chain management, particularly when dealing with global vulnerabilities such as Spectre. The Y2K bug, now almost two decades ago, was perhaps the first warning that national governments cannot ignore the role corporations play as vendors and supplies and the sort of dependencies we therefore have to be able to mitigate. A non-state problem cannot have a state solution, simply. These dependencies need to be addressed and governments need the international law discussion to move together with these challenges.

Wieteke Theeuwen  LL.M.1

The first lesson I learned when I started working on cyber was - or seemed - rather simple. International law applies to cyberspace. In that regard, I would like to quote one very important phrase from the 2013 report of the UN Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security:

"International law and in particular the United Nations Charter, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment."

Thanks to the 2013 and the 2015 UN GGE reports, there is increasing recognition that international applies to cyber. So, many would agree with me that international law applies to cyberspace. When we start to apply the law and ask ourselves how international law applies to cyberspace the question is a more interesting one.

Part of my work has a focus on “the Hague Process”, an initiative by the Netherlands to further the debate on how international law applies in cyber space and to increase the level of agreement. For this purpose the Netherlands facilitated a number of consultation meetings between governmental legal advisors and the drafters of the Tallinn Manual.

The Tallinn Manual 2.0

The Manual is a well-used item in our library at the legal department. I carry it with me to meetings all the time. The book provides a good overview of the various legal questions that arise with respect to cyber and offers different views on the application of international law but it is not the law. It is not an official document, and the Netherlands does not necessarily agree with everything in it. In fact, in many cases the manual describes more than one possible interpretation of a particular rule. I consider the Tallinn Manual to be a very useful tool that we can use in our daily work. Whenever I am asked to advise on an issue relating to cyber and international law, I use the standard work for the specific field of law together with the Tallinn Manual, which provides helpful information on how this law may be applied in the cyber context. But the manual does not do all the thinking for me. To the contrary, the Tallinn manual 2.0 makes it very clear that there are a number of questions that still need a lot of thinking and debating before we can even dream of providing an answer to them. Which makes meetings like these so much more interesting. 

Attribution

Attribution has been the object of fierce debate. More specifically, attribution for the purposes of State responsibility - or legal attribution. Generally, depending on the context, the term attribution has different meanings when we talk about cyber.

My colleagues and I find it helpful to make a distinction between the following meanings of the word:

1) Technical attribution: the outcome of a factual and technical investigation both in terms of who the likely perpetrator is and the degree of certainty with which this can be established;

2) Political attribution: the decision whether or not to publicly and politically attribute a particular attack to a particular actor, without necessarily attaching legal consequences to this attribution; and

3) Legal attribution: the decision to attribute certain conduct to a particular State with a view to invoking the responsibility of that State for an internationally wrongful act.

Focusing on legal attribution, I am referring to the situation in which a State attributes a cyber operation to another State for the purpose of invoking State responsibility. The first State may then wish to enter into some form of judicial or diplomatic dispute settlement to take countermeasures or, in case the cyber operation is considered to amount to an armed attack, exercise its inherent right of self-defense.

Why is attribution important? When your car is stolen, or your house is covered in graffiti overnight, you want to take action. But against whom? That is why we go to the police when things like this happen: so that they can find out who did it and who deserves punishment. The same goes in international law: this body of law provides rules with regard to how States should behave towards each other, but it can only be applied when it is clear who violated the rules. When cyberattacks, or any attack for that matter, are launched, international law sets the parameters within which States can respond. The law on State responsibility, the example I will use, has a lot to say about when a State can be held responsible for the conduct of a proxy. It also allows taking measures that would normally be in breach of international law in order to address a prior breach by another State. But in order to do this, it is crucial to establish which other State committed the wrong in the first place.

So why is it important to be able to attribute a cyber operation to another State? When a cyber operation is directed against a State, or significantly impacts the society of that State, that State will want to take action. Certain action is only possible when it is clear which other State should be at the receptive end of such action. So, once a State has identified the actor behind the cyber operation and has established that this actor is in fact another State (either directly or by proxy), the targeted State has a number of options under international law.

Examples of responses are retorsive measures, unfriendly but not unlawful, such as the decision to declare a number of diplomats persona non grata. The taking of retorsions is permitted under international law, but may carry political consequences.

A State may also consider taking countermeasures, such as responding to a hack that constitutes an internationally wrongful act by hacking back. These are different from retorsive measures. Whereas retorsive measures can be taken at any time – again, this is according to international law, without taking into account possible political considerations  –  countermeasures are subject to strict requirements. This is reflected in the ILC Draft Articles on the Responsibility of States for Internationally Wrongful Acts. One of the most important criteria of these Articles is that countermeasures may only be taken against a State that is responsible for an internationally wrongful act, in order to induce that State to comply with its obligations. One requirement for such responsibility is that the conduct, the allegedly unlawful cyber operation, is attributable to that State. There are other requirements, but these will not be discussed.

Therefore, for a State to be able to consider all its response options, including countermeasures, the first question it will need to ask is: who did it? In legal terms: can the cyber operation be attributed to a State under international law? That is when legal attribution becomes important. 

What is an internationally wrongful act?

Before discussing what the Tallinn Manual 2.0 says about internationally wrongful acts in the cyber context, I would like to first discuss the Draft Articles on the Responsibility of States for Internationally Wrongful Acts.

What amounts to a breach of international law by a State depends on the actual content of that State’s international obligations, and this varies from one State to the next.  A State can only be held accountable with regard to obligations it has subscribed to, either by treaty or through customary law. The underlying concepts of State responsibility, however, are general in character.

Article 1 of the draft Articles states that every internationally wrongful act of a State entails the international responsibility of that State. But what does this act need to consist of?

Article 2

There is an internationally wrongful act of a State when conduct consisting of an action or omission:

(a) Is attributable to the State under international law; and

(b) Constitutes a breach of an international obligation of the State.

I will discuss attribution, not the entire characterization of conduct as internationally wrongful. The purpose of attribution is to establish that the act considered as internationally wrongful emanates from a certain State for the purposes of responsibility. That a certain conduct is attributable to the State says nothing, as such, about the legality or otherwise of that conduct.

So when is a cyber operation attributable to a State? Let me turn to the conditions under which conduct is attributed to the State as a subject of international law for the purposes of determining its responsibility. What it essentially does is distinguish the State-sector from the non-State sector for the purpose of responsibility. Basically, conduct by State organs is always attributable to a State whereas conduct of private individuals is not, unless a sufficient connection between these individuals and the State can be established.

This graph explains the questions that need to be answered before a cyber operation can be attributed to a State.

The first question we need to ask in order to determine whether a cyber operation is attributable to a State is “Was the cyber operation conducted by an organ of the State?” If the answer is yes, the cyber operation is attributable to the State.

Rule 15 of the Tallinn Manual 2.0 states:

Cyber operations conducted by organs of a State, or by persons or entities empowered by domestic law to exercise elements of governmental authority, are attributable to the State.

The Tallinn Manual states that the clearest case of attribution is when State organs, such as the military or intelligence agencies, commit the wrongful acts. This includes for instance cyber activities of US Cyber Command, the Netherlands Defence Cyber Command, the French Network and Information Security Agency (ANSSI), and so forth. An organ of the State includes any person or entity which has that status in accordance with the internal law of the State, quite a broad concept according to the Tallinn Manual.

With cyber operations it is not always immediately clear whether the operation originated from an organ of the State. The use of proxies is very common in the cyber context. If it is not clear whether an individual or group are considered organs of the State, we need to determine whether their conduct can nonetheless invoke the responsibility of the State.

Proxies are individuals, groups or organisations carrying out cyber operations for States. This is the reality we are facing relatively often in the cyber context. We may be able to find which individual, group or organisation carried out the cyber operation, but can we link this to a State, and if so, how? Can the conduct of hacktivists be attributed to a State? What if the State told them to carry out a certain cyber operation? This brings me to the effective control test.

Effective control

When does a non – State actor operate under effective control of a State? As a general principle, the conduct of non-State actors such as private persons or entities is not attributable to the State under international law. The effective control test contains certain requirements that – if fulfilled – will allow to regard the conduct of the non-State actor as that of the State. This is the only way in which the conduct of proxies can be attributed to a State.

The conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the cyber operation. The starting point is, however, that States are not responsible for the conduct of private individuals. This means that the threshold to establish effective control is high. It is not sufficient for example if a State has supported – financially or with supplies – the activities of the non-State actor.

Standard of proof

As regards the standard or burden of proof, international law does not dictate any minimum degree of proof regarding the decision to attribute a particular cyber operation politically to a particular State. Likewise, there is not a particular threshold of certainty for responses not amounting to countermeasures or the use of force.

However, if a State attributes a cyber operation to another State and takes countermeasures, or in case it exercises its inherent right of self-defence when the cyber operation is considered to amount to an armed attack, it may at some point have to provide justification for this attribution and meet a particular burden of proof. There is no internationally accepted legal standard in this respect. It will depend on the particular forum in which attribution takes place. The standard of proof required may differ depending on whether a claim is presented before a particular international court or tribunal, or whether it is part of diplomatic negotiations or consultations. The ILC Draft Articles on the Responsibility of States for Internationally Wrongful Acts do not include information on the standard of proof. The International Court of Justice (ICJ) has employed various formulations for the standard of proof. The Netherlands interprets these formulations as meaning that the standard may be different depending on the severity of the conduct and of the response considered.

Various cases show that the Court similarly pays regard to the specifics of the case when determining the level of proof required.

It would seem that the particular degree of proof required is closely connected to the severity of the cyber operation and of the response to such cyber operation: the more severe, the higher the standard. In some cases one may need to have absolute or near absolute certainty. For example, in the Bosnia Genocide the ICJ took the view that the Court had to be fully convinced that allegations of genocide and other acts had been clearly established. This concerned genocide. It makes perfect sense that a high degree of certainty, employed in different cases, would not have been sufficient.

How does attribution of cyber operations work in practice?

In May 2017 WannaCry ransomware targeted computers by encrypting data and demanding ransom payments in Bitcoin. The WannaCry Cyberattack affected a number of healthcare organisations in the United Kingdom (UK), including hospitals in London and Nottingham. So how did the UK respond?

19 December 2017 - Foreign Office Minister for Cyber, Lord Ahmad:

“The UK’s National Cyber Security Centre assesses it is highly likely that North Korean actors known as the Lazarus Group were behind the WannaCry ransomware campaign – one of the most significant to hit the UK in terms of scale and disruption.

[…]

We condemn these actions and commit ourselves to working with all responsible States to combat destructive criminal use of cyber space. The indiscriminate use of the WannaCry ransomware demonstrates North Korean actors using their cyber programme to circumvent sanctions”.

So did the UK attribute the cyber operation to a State? To me, this question is difficult to answer. The UK referred to North Korean actors, not the State.

How did the United States (US) respond?

19 December 2017 - Tom Bossert, security adviser to the President:

“Cybersecurity isn’t easy, but simple principles still apply. Accountability is one, cooperation another. They are the cornerstones of security and resilience in any society. In furtherance of both, and after careful investigation, the U.S. today publicly attributes the massive “WannaCry” cyberattack to North Korea.

[…]

The United Kingdom, Australia, Canada, New Zealand, and Japan have seen our analysis, and they join us in denouncing North Korea for WannaCry.”

Not only did the US refer to the State North Korea in its attribution, it also mentioned that the UK shares that analysis. A number of States issued statements on that same day, the 19^th of December, varying from the very strong statement by the US to a statement on the importance of the application of international law by others.

None of the statements were followed by countermeasures. Why not? And why were they taking so many months after the attack took place? Was the information the States had at their disposal not considered sufficient enough to satisfy the standard of proof? Maybe the public statements were never intended to lead to the taking of countermeasures in the first place. 

Conclusion

Attributing a cyber operation to a State for the purpose of State responsibility is subject to a number of requirements, especially when the operation is carried out by proxies. It is a very delicate process. But the process is not more delicate than attribution outside the cyber context. The example I mentioned concerning WannaCry shows that a new phenomenon has emerged: publicly attributing a cyber operation. This type of attribution might not fulfill the requirements for legal attribution, but does it need to?

However, if a State decides to take countermeasures, legal attribution is very important. I mentioned at the beginning that with the Tallinn Manual we have been provided with a very useful tool, but a number of questions still need a lot of thinking and debating. Let me conclude with some of these questions. Is the effective control test workable in the cyber context or do we need to develop further criteria? Should the challenges related to technical attribution lead to adjusting the standard of proof for legal attribution in the cyber domain? Do we agree that the various formulations of the standard of proof employed by the ICJ in State responsibility cases must be interpreted as meaning that the standard may be different depending on the severity of the conduct and the response considered?

Brigadier General Prof. Dr.  Paul Ducheine and Prof. Dr. Terry Gill1

Introduction

Ladies and gentlemen, you’ve just heard Brigadier General Hans Folmer explain what the purpose of applying cyber capabilities could look like. He described a wartime situation and explained that there was a need to prevent the enemy from using a specific airfield and dispatching aircraft from there. The military process to plan action to that end, is called targeting. In classic circumstances, those planning and deciding on operations of this kind, joined in a targeting board, would for instances consider the use of cluster munitions to destroy the runway of the airfield, so that aircraft are unable to start (and land). Thus rendering the airfield (and its aircraft) useless. Or, if the state involved would not possess this type of weapons (as it is a party to the treaty banning the use of it), the targeteers would come up with a larger scale operations with other air delivered weaponry. The backlash of the latter would perhaps be that collateral damage might occur, or that it might hamper future operations of own troops.

Brigadier General Folmer also presented another line of action. By tampering digitally with the airfield’s flight control system, aircraft would be unable to start (and land) as well. This cyber operation could nullify the amount of collateral damage and as it has only temporary effects, would guarantee future use of the airfield by own troops.

Today, targeting boards, at least in a number of states, have this alternative offered through cyber capabilities at hand. The process and procedures to consider these cyber capabilities is the same targeting process as is used in the classic situations. And it contains the same legal questions derived from the law of armed conflict (of international humanitarian law) as in the classic cases. The same basic questions, that is, with some new or not yet touched upon more detailed issues at hand.

My goal [Ducheine], is to briefly introduce this targeting process in the first place and then take you through the legal basic questions accompanying its various phases. Professor Gill will then elaborate on some of the general and specific legal issues involved.

The next lectures by Dr. Heather Harrison-Dinniss and mr. Joost Bunk will specifically deal with the issue of data as an object and its protection under IHL or other regimes such as intellectual property.

Just to iterate in order to prevent misinterpretation: we’re at war and IHL applies. In particular, the rules on hostilities, or in other words, the some called targeting rules in principle apply. These rules centre on the notion of attack (art. 49 API).

Targeting

As mentioned in the airfield case by Hans Folmer, all targeting starts with the ‘why’. The first phase of targeting involves stating the purpose, the end or goal of the action(s) to be taken. In the second phase potential targets that could be engaged with some kind of (military) action in order to contribute to that stated end will be listed. The weaponry will be considered in the third phase: what’s in the arsenal? What are the effects of those weapons? And will it be effective against the target(s)? Then, in the fourth phase, one of the weapons will allocated for a specific target. Phase five comprises the actual attack that will be launched, which will be evaluated (phase six) to see whether the attack was successful and generated the designated effect, thus contributing to the very purpose of the actions taken. If and when necessary, the procedures will be followed once more.

Just to remind you, this targeting process, or the targeting cycle, is based on a rational decision-making (and planning) model. The process itself can take up to months in preparation when pre-planned strategic campaigns are involved. But it could also be a matter of seconds when tactical opportunities arise on the battlefield.

Figure 1 : Targeting cycle with its legal (IHL) issues

During this targeting cycle, the staff officers combined in a targeting board and the commander who bears ultimate responsibility for the decision to (and how to) attack, are confronted which legal questions posed to them, as they are to adhere to the law of armed conflict when planning and conducting attacks. These legal questions are imposed through the so-called targeting rules, and they find their background in the principles of the law of armed conflict. The principles involved are: military necessity, humanity, distinction, proportionality and the obligation to take precautionary measures, and, finally, chivalry.

These principles and the more detailed targeting rules are part and parcel of the targeting cycle. When integrating the two – the targeting cycle and the legal issues – the targeting cycles can be amended to contain the legal questions related to targeting derived from the law of armed conflict (see Figure 1).

The first issue after having defined the goal (phase 1) and having listed the potential targets (phase 2) is which of these potential targets qualify as “military objectives” (ex art. 52 API), as “attacks shall be limited strictly to military objectives”.2

After that, when potential weapons are reviewed (phase 3), the question will be posed whether collateral damage (CD, ex art. 57 API) can be expected once the particular weapon is used against the legitimate target (i.e. a military objective). When no foreseeable collateral damage is expected, the weapon can be allocated to the legitimate target (phase 4). Quite often however, CD is to be foreseen.

Then, as part of one of the precautionary measures (ex art. 57 API), the question arises how this CD can be mitigated through changes in the choice of means (weapons) and/or methods of attacks. When tweaking of means and methods of attack nullifies the foreseeable CD expected, phase 4 (allocation) can be pursued. If and when this is not the case, the question will be posed whether this attack “may be expected to cause [collateral damage, that] would be excessive in relation to the concrete and direct military advantage anticipated”.3 If the attack is not expected to generate a disproportional (or “excessive”) amount of CD, allocation (phase 4) will commence. When the attack is disproportionate, the attack shall be “cancelled or suspended”.4 As a result, the targeting cycle has to start all over.

After weapons have been allocated to a legitimate target (“military objective”) in phase 4, the remaining precautionary measures, such as last minute verification and identification, warning, and last-minute actual checking of the CD estimation are to be taken. This could result in last-minute aborting the attack. After the attack (phase 5), the battle damage assessment is made (phase 6) and evaluation takes place.

This integration of the targeting cycle and the targeting rules apply to all attack in the meaning of article 49 API. Regardless of the weapons, or technique, used. This integrated cycle with targeting rules is thus to be used when the targeting board and the commander responsible for planning and executing the operations against general Folmer enemy airfield. Both when classic weapons are considered, and also when cyber capabilities are contemplated. In the first case, this is definitely a matter a legal obligation. In the latter, this will most likely be a matter of policy, as the debate on the applicability of the targeting rules to cyber operation is still continuing.5

This will now be explained by Prof. Gill in general terms.

A Brief Overview of the Main Controversies

The question of whether international humanitarian law (or the law of armed conflct as it is widely referred to in military circles) applies in cyber-space was supposed to have been resolved, but controversy remains on that issue.6 But assuming it does (and from our viewpoint it is impossible to see how it could not if cyber were employed in an armed conflict in either a stand-alone capacity or more probably alongside other means and methods of warfare), then certain other controversies remain. One of the most seemingly intractable of these is the question as to whether data is an “object” in the context of Article 49 of Additional Protocol I. The Group of Experts which drew up the Tallinn Manual could not reach consensus on this issue and various points of view have been put forward by other commentators , one of whom, Dr. Harrison Dinniss, will elaborate on her views in more detail presently.

The issue may seem for the non-lawyer perhaps a bit technical and arcane at first sight, but is of real importance in a practical sense. Put simply: if data is not an object, then the rules of IHL relating to targeting as set out above by my colleague Brigadier General Prof. Ducheine are not applicable to cyber operations which affect data without causing any directly related secondary physical injury to persons or damage to physical objects. Which rules would then be applicable are open to question, but in any case, the principles of proportionality, precautions in attack and so forth would be irrelevant in the absence of related physical effects resulting from tampering with or corrupting data. That means of course, that the permissible scope for many types of operations would be much wider. To take the example of the neutralization of an airfield by cyber means used by Brigadier General Folmer earlier, such an operation would not constitute an attack in the sense of Art. 49 AP I unless it caused the aircraft to crash. Simply making an airfield unusable by cyber means, without any directly related physical effects would be outside the scope of targeting principles if data did not constitute an object in itself. So this debate is really about whether a whole range of cyber actions in an armed conflict are subject to targeting law or not.

Several main positions have emerged on this issue. One is the majority opinion of the Group of Experts in the Tallinn Manual. This states in a nutshell that neither the text of Article 49, nor the Commentary thereto would include data as constituting an object for the purposes of determining whether its neutralization, alteration or removal would amount to an ‘attack’.7 This follows in the majority view expressed in the commentary from a textual interpretation of the word ‘object’ , which denotes in that view something with physical properties and is tangible in the “real” world. Another view expressed is that this is too restrictive and that data should be considered an object when its destruction or neutralization would have severe consequences for the civilian population even though these fell short of physical harm to persons or physical objects. This view has been put forward inter alia by Kubo Mačák, who argues that the term ‘object’ should be interpreted more expansively and that a teleological interpretation of Article 49 AP I is therefore called for to enhance the protection of the civilian population and internet infrastructure. 8 Other views include those of Dr. Harrison Dinniss who argues that while data as such may not constitute an object the systems data which operate the system as a whole do and that destruction thereof should fall within the ambit of ‘attack’.9 Still another is to be found in the writings of various commentators who argue by analogy that other intangibles such as intellectual property or electricity are regulated and protected by other branches of the law. Essentially what all these critiques of majority position in the Tallinn Manual is that they disagree with the outcome of excluding data from the general protection offered by the law of targeting in AP I. In this view an attack which would affect all or some data without any physical effects, but causing damage or destruction to the data with potential negative impact on the civilian population is or at least should be included in the notion of attack and covered by considerations of proportionality and precautions in attack.

This is as of yet, an unresolved issue, but one with real consequences. It remains to be seen how State practice and possibly other factors such as positions taken by the UN or by an international court or the preponderance of academic opinion may affect the outcome of this controversy.  In the meantime, it remains somewhat a grey area in the application of international law to cyberspace.