Tallinn 2.0: cyberspace and the law
Co-authored with Jessica Woodall
At the Global Conference on CyberSpace last month, Australia argued that the international landscape was too ‘premature’ for a comprehensive international agreement to govern international security in cyberspace. With disagreements over even the most basic cyber terminology, let alone basic norms governing state activities in cyberspace, there is a need to focus on key issues, and guide efforts towards norm creation. One such area ripe for this purpose has been international law in cyberspace, however, nutting out issues of international law have not always been without issue.
This is why the consensus reached by the United Nations Group of Government Experts (UNGGE) on cyber in 2013 was such a landmark decision. The group, chaired by Australia and containing representatives from both China and Russia, recognised the applicability of existing international law in cyberspace.
That first step, while monumental, is just the first of many on a long road. Devising how exactly international law is applied to cyberspace, an entirely new domain, is the current conundrum.
The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) has had the first, and most substantive crack at resolving the issue by introducing its Tallinn Manual Process.
The Tallinn Manual Process began in 2009 by bringing twenty leading legal scholars and practitioners together to tackle the applicability of international law to cyber warfare. ‘Tallinn 1.0’ covered issues of sovereignty, state responsibility, jus ad bellum, international humanitarian law and the law of neutrality in an effort to ‘bring clarity to the complex legal issues surrounding cyber operations.’
The International Committee of the Red Cross, US Cyber Command, and the NATO Allied Command Transformation were invited to observe the process which resulted in a final peer-reviewed document: the Tallinn Manual on the International Law Applicable to Cyber Warfare.
It’s important to note that the Tallinn Manual Process isn’t a NATO initiative and rather, is a non-binding academic product. However, with a group of experts from Australia, Belgium, Canada, Estonia, Germany, Sweden, Switzerland, the UK and the US, the process has drawn criticism for its transatlantic framing and lack of global representation.
As the second iteration of the manual, dubbed ‘Tallinn 2.0’, works to expand its coverage to include peace-time international law, it too has expanded its engagement with the wider community. On the sidelines of the GCCS, the International Group of Experts consulted with legal advisers from European, North and Latin American, African, and Asian and Asia-Pacific states to gather national viewpoints and concerns to include in the decision-making process.
The event in The Hague could have easily been a box-ticking engagement effort. However, with the encouragement of the Dutch hosts, the consultation meeting was an energised discussion that saw representatives fully engage the material presented by the CCDCOE. Most notable was the strong participation of Asia-Pacific countries, including Australia, China, India, Japan, Pakistan, Philippines, South Korea, Sri Lanka and Thailand.
The CCDCOE has committed itself to further engagement with states as well as with private sector actors. Speaking about the expanded engagement process, a representative from the Dutch Ministry of Foreign Affairs commented, ‘this is a complex challenge, but it is relevant for a growing number of States and therefore requires broad and inclusive engagement,’ adding ‘The Netherlands is a strong supporter of clarifying the application of existing international law in cyberspace … the Tallinn Manual can be a useful source of academic interpretation in this field.’
Efforts like this are what is needed to move the discussion beyond its ‘infancy.’ In The Hague, Foreign Minister Julie Bishop stated ‘Australia acknowledges that the application of international law to State conduct in cyberspace is not easy – it requires careful analysis of exactly how the rules of international law apply in a cyber setting’. This is precisely what the Tallinn Process aims to achieve. The Tallinn Manual has set an important precedent, establishing the strong legal perspectives needed to make the 2013 UNGGE consensus more actionable. The internationalisation of Tallinn 2.0 adds much needed legitimacy to what must be an inclusive and open process.