We Need Cyberwar Rules of Engagement Now
Today, Russia and the U.S. are engaged in creeping cyberwarfare against each other, and they may well be working to disable or undermine each other’s critical infrastructure. The conflict is potentially deadly and, unlike military interactions between the two adversaries, not subject to even the most rudimentary rules or mutual arrangements. That needs to be fixed, and although a multilateral process under the auspices of the United Nations or the G-20 would be preferable, a bilateral working group, of the kind proposed by Russian President Vladimir Putin during his recent meeting with U.S. counterpart Donald Trump, could be a useful start.
The greatest tension in cyberspace today is between the U.S. and Russia; the two can lead the way in defusing it. They have experience doing so on nuclear disarmament after taking the world to the brink of catastrophe. An agreement could serve as a blueprint for a multilateral convention or other bilateral deals—say, with China, which has been known to take an interest in U.S. networks.
Countries need to agree on basic notions, such as what constitutes an attack or an illegal intervention, as opposed to a mere nuisance, and what retaliatory moves are legitimate or excessive. An informal but highly authoritative attempt to lay out the issues has already been made.
Earlier this year, NATO’s Cooperative Cyber Defense Center of Excellence presented the second edition of the so-called Tallinn Manual, a detailed exploration of current international law as it applies to cyberwarfare. The authors, 19 academics and international law practitioners led by Michael Schmitt of the U.S. Naval War College, had started compiling the manual in 2009 in response to massive Russian cyberattacks on Estonia and then on Georgia during the brief Russo-Georgian conflict. They identified 154 existing rules, but the manual isn’t an official document—it reflects only the authors’ understanding of the law.
Within the framework laid out in the Tallinn Manual, the interference U.S. intelligence services ascribe to Russia in the 2016 presidential election wouldn’t qualify as illegal intervention. The activity—spying, “criticism, public diplomacy, propaganda, retribution, mere maliciousness”—wasn’t meant to coerce Americans, who still chose their president freely.
Stealing Democratic Party functionaries’ emails, however, would be illegal because it violated their right to privacy. The U.S. would be justified in retaliating—or, in the manual’s legal language, taking “countermeasures.” The scope of such measures, however, would be limited: Any actions that violate fundamental human rights wouldn’t be allowed. The Tallinn Manual’s authors couldn’t agree on whether violating privacy would be permissible as a countermeasure.
To retaliate for the election interference, President Barack Obama, the Washington Post reported, ordered U.S. intelligence services to place “implants” in Russian networks “important to the adversary and that would cause them pain and discomfort if they were disrupted.” Activating the implants probably wouldn’t wash under the Tallinn Manual, because it would be a disproportional response.
We often use “cyberattack” indiscriminately to describe any kind of intrusion. The Tallinn Manual uses the word “attack” only for cyber operations “reasonably expected to cause injury or death to persons or damage or destruction to objects.” Shutting down a power grid, taking over a city’s traffic light system, or cutting off mobile communications to an area would qualify as an attack because of real-world consequences. It would also be an illegal attack, because it would target civilians, something prohibited by the existing rules of war.
Putin has denied interfering with the U.S. election “on a state level,” as he told international media at an economic forum in St. Petersburg in June, suggesting that patriotic Russian hackers could have taken action to influence the campaign. Under the Tallinn Manual, that’s not a good defense: Russia would be obliged to stop the “patriots” from committing illegal acts from Russian territory or to catch and punish them.
Today, Russia and the U.S. can go at each other in cyberspace without regard for some law professors’ view of the rules. But if their representatives sat down and agreed on which of these rules would apply, the exchanges between the two cyberpowers and the domestic public debate in both countries would become clearer and more focused. Both governments and the public would have a better idea of legitimate actions and counteractions, and words such as “attack” and “act of war” wouldn’t be thrown around as carelessly as they are now.
There will be political resistance to such talks in the U.S., with both Republican and Democratic voices pointing out that Putin can’t be trusted. It’ll be easier for Trump not to start the talks than to face accusations of being too soft on the Russians. But if nuclear agreements were possible with Soviet leaders, a cyber one with Putin shouldn’t be shunned, either.
Of course, international conventions and treaties are often broken. Syria is a signatory to the Chemical Weapons Convention, but the government of Bashar al-Assad is widely believed to have used the weapons in the country’s ongoing civil conflict. While the global community can sanction Assad and force him to destroy his chemical stockpiles, Russia and the U.S., as members of the United Nations Security Council, face almost no punishment for breaching an international convention. As for bilateral agreements, the two nations constantly accuse each other of breaking them.
Yet the rules are useful even if they can be broken with relative impunity. Leaders, even authoritarian ones such as Putin, like to be seen as acting in good faith. With clear rules and agreed-upon arbitration mechanisms—such as an international body to handle the attribution of cybermischief—deniability is harder to come by, and the optics of rule-breaking are potentially more damaging than when no rules exist. After the 2014 shooting down of Malaysia Airlines Flight 17 over eastern Ukraine, Russia cooperated with the Dutch Safety Board’s investigation, because it wanted to be seen as a good-faith actor. That it refused to accept the investigation’s damaging conclusions looks terrible for Moscow and helps European nations keep a united front on Russia sanctions.
Dialogue about the rules of engagement is essential before conflicts spiral out of control, critical infrastructure is disrupted, and people die. Humanity has plenty of experience defining hostile actions and their consequences, and extending the definitions to cyberspace isn’t impossible.
The Tallinn Manual
The 154 rules of engagement in Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations include:
● Rule 20 Countermeasures
A State may be entitled to take countermeasures, whether cyber in nature or not, in response to a breach of an international legal obligation that it is owed by another State.
● Rule 66 Intervention by States
A State may not intervene, including by cyber means, in the internal or external affairs of another State.
● Rule 69 Definition of use of force
A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.
● Rule 90 Mercenaries
Mercenaries involved in cyber operations do not enjoy combatant immunity or prisoner of war status.
● Rule 151 Cyber operations in neutral territory
The exercise of belligerent rights by cyber means in neutral territory is prohibited.