This document summarizes the key conclusions from the Tallinn Manual 2.0 regarding states' responses under international law to harmful cyber operations. It discusses options such as exercising self-defense if an armed attack occurs; undertaking countermeasures in response to internationally wrongful acts by other states; invoking the plea of necessity; and using traditional lawful responses like law enforcement, diplomacy, and retorsion. While the law is still developing, the Tallinn Manual provides guidance on when responses like countermeasures or self-defense may be justified under international law to address malicious cyber activities.
4. Tallinn Manual 2.0
• Broader scope
• New group of experts
• More international
• External drafting
• Peer review
• State involvement
– “Hague Process”
5. Key Question for States
What can a State do in response to harmful
cyber operations beyond criminal law
enforcement?
If State involved?
If no State involved or involvement uncertain?
6. Self-defense
Nothing in the present Charter shall impair the
inherent right of individual or collective self-defense
if an armed attack occurs…” UN Charter, art. 51
• Shoot back kinetically OR with cyber
• Unclear whether applies to non-State actors
7. Application to Cyber?
Key: Is cyber op an “armed attack”?
• High threshold
• Tallinn Manual Suggested Answer: cyber op
intended to directly cause significant physical
damage to tangible objects or injury to humans
• Severe, non-destructive consequences?
• Political decision
9. Option 1: Countermeasures
• States responsible for “internationally
wrongful acts”
• E.g., intervening by cyber means into internal
affairs of State (manipulating election returns)
• Opens door to countermeasures
• Response to cyber operation that would otherwise
be unlawful
• E.g., non-destructive “hack-back”
10. Countermeasures
• Only State actions or actions of non-State
actors legally attributable to States
• Designed only to get other side to stop
• No “in-kind” requirement OR requirement to
strike only attacker
• Must be proportionate
11. Internationally Wrongful Acts
• Cyber breach of sovereignty
• Physical damage
• Making a system do something not intended to
do?
• Placement of malware causing no damage, e.g.,
malware used to monitor activities?
• Due diligence obligation
• If harmful activities & does nothing, but could
• Opens door to response v. non-State actor ops
• Duty to monitor? Take action to prevent?
12. Internationally Wrongful Acts
• Cyber intervention
• Domaine Réservée
• Coercion
• State compelled to do something would not
otherwise do
• DNC hack & release to influence elections
• Cyber espionage
• Not unlawful…per se
• Method may be unlawful
• Consequence may be unlawful
13. Attribution
Non-State actors
• “On instructions of”
• Performing particular functions; auxiliary
• E.g., identifying vulnerabilities in cyber
infrastructure that State exploits
• “Direction or control”
• Acting on State’s behalf;
• Determines the execution and course of
cyber operations
• Not financial support, providing malware
14. Who May Conduct?
• No collective countermeasures
• E.g., NATO cannot engage in countermeasures
• Private entities may not conduct
countermeasures
• But State may turn to private industry to
conduct on its behalf
15. Examples
• State A violates State B’s sovereignty with cyber op
damaging private cyber infrastructure
• State B responds with cyber ops v. A’s government or private
sites
• Group under “effective control” of A does same
• B responds with cyber ops v. group or A’s government or
private industry
• Group in A not under A’s control does same
• Is State A in violation of due diligence obligations?
• If so, strike back at group or cyber infrastructure in A
16. Option 2: Plea of Necessity
• Only in exceptional cases
• Protection of essential interests of a State
against grave & imminent peril
• Shall not seriously impair essential interests
of affected States
• Opens door to hack-back
• Available in response to non-State actor
cyber ops OR technical attribution unreliable
17. Option 3:
Traditional Lawful Responses
• Domestic criminal law enforcement
• International criminal law enforcement
• Civil remedies
• Resort to international tribunals
• Negotiation & diplomacy
• Arbitration or mediation
• Retorsion (unfriendly, but lawful responses)
• E.g., shutting off access to cyber infrastructure