The Tallinn Manual on “International law applicable to cyber warfare” is not legally binding and only a reflection of the opinions of each individual author. Each author has attempted to logically apply international warfare law to the cyber realm – resulting in the following 95 rules:
- A State may exercise control over cyber infrastructure and activities within its sovereign territory.
- Without prejudice to applicable international obligations, a State may exercise it jurisdiction: over persons engaged in cyber activities on its territory; over cyber infrastructure located on its territory; and extraterritorially, in accordance with international law.
- Cyber infrastructure located on aircraft, ships, or other platforms in international airspace, on the high seas, or in outer space is subject to the jurisdiction of the flag State or State of registration.
- Any interference by a State with cyber infrastructure aboard a platform, wherever located, that enjoys sovereign immunity constitutes a violation of sovereignty.
- A State shall not knowingly allow the cyber infrastructure located in its territory or under its exclusive governmental control to be used for acts that adversely and unlawfully affect other States.
- A State bears international legal responsibility for a cyber operation attributable to it and which constitutes a breach of an international obligation.
- The mere fact that a cyber operation has been launched or otherwise originates from governmental cyber infrastructure is not sufficient evidence for attributing the operation to that State, but is an indication that the State in question is associated with the operation.
- The fact that a cyber operation has been routed via the cyber infrastructure located in a State is not sufficient evidence for attributing the operation to that State.
- A State injered by an internationally wrongful act may resort to proportionate countermeasures, including cyber countermeasures against the responsible State.
- A cyber operation that constitutes a threat or use of force against the territorial integrity or political independence of any State, or that is in any other manner inconsistent with the purposes of the United Nations, is unlawful.
- A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.
- A cyber operation, or threatened cyber operation, constitutes an unlawful threat of force when the threatened action, if carried out, would be an unlawful use of force.
- A State that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defence. Whether a cyber operation constitutes an armed attack depends on its scale and effects.
- A use of force involving cyber operations undertaken by a State in the exercise of its right of self-defence must be necessary and proportionate.
- The right to use force is self-defence arises if a cyber armed attack occurs or is imminent. It is further subject to a requirement of immediacy.
- The right of self-defence my be exercised collectively. Collective self-defence against a cyber operation amounting to an armed attack may only exercised at the request of the victim State and within the scope of the request.
- Measures involving cyber operations undertaken by States in the exercise of the right of self-defence pursuant to Article 51 of the United Nations Charter shall be immediately reported to the United Nations Security Council.
- Should the United Nations Security Council determine that an act constitutes a threat to the peace, breach of the peace, or act of aggression it may authorize non-forceful measures, including cyber operations. If the Security Council considers such measures to be inadequate, it may decide upon forceful measures, including cyber measures.
- International organizations, arrangements, or agencies of a regional character may conduct enforcement actions, involving or in response to cyber operations, pursuant to a mandate from, or authorization by, the United Nations Security Council.
- Cyber operations executed in the context of an armed conflict are subject to the law of armed conflict.
- Cyber operations are subject to geographical limitations imposed by the relevant provisions of international law applicable during an armed conflict.
- An international armed conflict exists whenever there are hostilities, which may include or be limited to cyber operations, occurring between two or more States.
- A non-international armed conflict exists whenever there is protracted armed violence, which may include or be limited to cyber operations, occurring between governmental armed forces and the forces of one or more armed groups, or between such groups. The confrontation must reach a minimum level of intensity and the parties involved in the conflict must show a minimum degree of organisation.
- a) Commanders and other superiors are criminally responsible for ordering cyber operations that constitute war crimes
b) Commanders are also criminally responsible if they knew or, owing to the circumstances at the time, show have known their subordinates were committing, were about to commit, or had committed war crimes and failed to take al reasonable and available measures to prevent their commission or to punish those responsible.
- The law of armed conflict does not bar any category of person from participating in cyber operations. However, the legal consequences of participation differ, based on the nature of the armed conflict and the category to which an individual belongs.
- In an international armed conflict, members of the armed forces of a party to the conflict who, in the course of cyber operations, fail to comply with the requirements of combatant status lose their entitlement to combatant immunity and prisoner of war status.
- In an international armed conflict, inhabitants of unoccupied territory who engage in cyber operations as part of a levée en masse enjoy combatant immunity and prisoner of war status.
- Mercenaries involved in cyber operations do not enjoy combatant immunity or prisoner of war status.
- Civilians are not prohibited from directly participating in cyber operations amounting to hostilities, but forfeit their protection from attacks for such time as the so participate.
- A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.
- The principle of distinction applies to cyber attacks.
- The civilian population as such, as well as individual civilians, shall not be the object of cyber attack.
- In case of doubt as to whether a person is a civilian, that person shall be considered to be a civilian.
- The following persons may be made the object of cyber attacks:
a) members of the armed forces;
b) members of organised armed groups;
c) civilians taking a direct part in hostilities; and
d) in an international armed conflict, participants in a levée en masse.
- Civilians enjoy protection against attack unless and for such time as they directly participate in hostilities.
- Cyber attacks, or the threat thereof, the primary purpose of which is to spread terror among the civilian population, are prohibited.
- Civilian objects shall not be made the object of cyber attacks. Computers, computer networks, and cyber infrastructure may be made the object of attack if they are minitary objectives.
- Civilian objects are all objects that are not military objectives. Military objectives are those objects which by their nature, location, purpose, or use, make an effective contribution to military action and whose total or partial destruction, capture or neutralisation, in the circumstances ruling at the time, offers a definite military advantage. Military objectives may include computers, computer networks, and cyber infrastructure.
- An object used for both civilian and military purposes – including computers, computer networks, and cyber infrastructure – is a military objective.
- In case of doubt as to whether an object that is normally dedicated to civilian purposes is being used to make an effective contribution to military action, a determination that it is so being used may only be made following a careful assessment.
- For the purposes of this Manual:
a) ‘means of cyber warfare’ are cuber weapons and their associated cyber systems and
b) ‘methods of cyber warfare’ are the cyber tactics, techniques, and procedures by which hostilities are conducted.
- It is prohibited to employ means or methods of cyber warfare that are of a nature to cause superfluous injury or unnecessary suffering.
- It is prohibited to employ means or methods of cyber warfare that are indiscriminate by nature. Means or methods cyber warfare are indiscriminate by nature when they cannot be:
a) directed at a specific military objective, or
b) limited in their effects are required by the lar of armed conflict
and consequently are of a nature to strike military objectives and civilians or civilian objects without distinction.
- It is forbidden to employ cyber booby traps associated with certain objects specified in the law of armed conflict.
- Starvation of civilians as a method of cyber warfare is prohibited.
- Belligerent reprisals by way of cyber operations against:
a) prisoners or war;
b) interned civilians, civilians in occupied territory or otherwise in the hands of an adverse party to the conflict, and their property;
c) those hors de combat; and
d) medical personnel, facilities, vehicles and equipment are prohibited.
Where not prohibited by international law, belligerent reprisals are subject to stringent conditions.
- Additional Protocol I prohibits States Parties from making the civilian population, individual civilians, civilian objects, cultural objects and places of worship, objects indispensable to the survival of the civilian population, the nature environment, and dams, dykes, and nuclear electrical generating stations the object of a cyber attack by way of reprisal.
- a) All States are required to ensure that the cyber means of warfare that they acquire or use comply with the rules of the law of armed conflict that bind the State.
b) States that are Party to Additional Protocol I are required in the study, development, acquisition, or adoption of a new means or method of cyber warfare to determine whether its employment would, in some or all circumstances, be prohibited by that Protocol or by any other rule of international law applicable to that State.
- Cyber attacks that are not directed at a lawful target, and consequently are of a nature to strike lawful targets and civilians or civilian objects without distinction, are prohibited.
- A cyber attack that treats as a single target a number of clearly discrete cyber military objectives in cyber infrastructure primarily used for civilian purposes is prohibited if to do so would harm protected persons or objects.
- A cyber attack that may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated is prohibited.
- During hostilities involving cyber operations, constant care shall be taken to spare the civilian population, individual civilians, and civilian objects.
- Those who plan or decide upon a cyber attack shall do everything feasible to verify that the objectives to be attacked are neither civilians nor civilian objects and are not subject to special protection.
- Those who plan or decide upon a cyber attack shall take all feasible precautions in the choice of means or methods of warfare employed in such an attack, with a view to avoiding, and in any to minimising, incidental injury to civilians, loss of civilian life, and damage to or destruction of civilian objects.
- Those who plan or decide upon attacks shall refrain from deciding to launch any cyber attack that may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.
- For States Party to Additional Protocol I, when a choice is possible between several military objectives for obtaining a similar military advantage, the objective to be selected for cyber attack shall be that the attack on which may be expected to cause the least danger to civilian lives and to civilian objects.
- Those who plan, approve, or execute a cyber attack shall cancel or suspend the attack if it becomes apparent that:
a) the objective is not a military one or is subject to special protection; or
the attack may be expected to cause, directly or indirectly, incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof that would be excessive in relation to the concrete and direct military advantage anticipated.
- Effective advance warning shall be given of cyber attacks that may affect the civilian population unless circumstances do not permit.
- The parties to an armed conflict shall, to the maximum extent feasible, take necessary precautions to protect the civilian population, individual civilians, and civilian objects under their control against the dangers resulting from cyber attacks.
- In the conduct of hostilities involving cyber operations, it is prohibited to kill or injure and adversary by resort to perfidy. Acts that invite the confidence of an adversary to lead him to believe he or she is entitled to receive, or is obliged to accord, protection under the law of armed conflict with intent to betray that confidence constitute perfidy.
- Cyber operations that qualify as ruses of war are permitted.
- It is prohibited to make improper use of the protective emblems, signs, or signals that are set forth in the law of armed conflict.
- It is prohibited to make use of the distinctive emblem of the United Nations in cyber operations, except as authorised by that organisation.
- it is prohibited to make use of the flags, military emblems, insignia, or uniforms of the enemy while visible to the enemy during an attack including a cyber attack.
- In cyber operations, it is prohibited to make use of flags, military emblems, insignia, or uniforms of neutral or other States not party to the conflict.
- a) Cyber espionage and other forms of information gathering directed at an adversary during an armed conflict do not violate the law of armed conflict.
b) A member of the armed forces who has engaged in cyber espionage in enemy-controlled territory loses the right to be a prisoner of war and may be treated as a spy if captured before re-joining the armed forces to which he or she belongs.
- Cyber methods and means of warfare may be used to maintain and enforce a naval or aerial blockade provided that they do not, alone or in combination with other methods, result in acts inconsistent with the law of international armed conflict.
- The use of cyber operations to enforce a naval or aerial blockade must not have the effect of barring, or otherwise seriously affective, access to neutral territory.
- To the extent that States establish zones, whether in peacetime or during armed conflict, lawful cyber operations may be used to exercise their rights in such zones.
- Medical and religious personnel, medical units, and medical transports must be respected and protected and, in particular, may not be made the object of cyber attack.
- Computers, computer networks, and data that form an integral part of the operations or administration of medical units and transports must be respected and protected, and in particular may not be made the object of attack.
- All feasible measures shall be tken to ensure that computers, computer networks, and data that form an integral part of the operations or administration of medical units and transports are clearly identified through appropriate means, including electronic markings. Failure to so identify them does not deprive them of their protected status.
- The protection to which medical units and transports, including computers computer networks, and data that form an integral prt of their operations or administration, are entitled by virtue of this section does not cease unless they are used to commit, outside their humanitarian function, acts harmful to the enemy. In such situations protection may cease only after a warning setting a reasonable time limit for compliance, when appropriate, remains unheeded.
- a) As long as they are entitled to the protection given to civilians and civilian objects under the law of armed conflict, United Nations personnel, installations, materiel, units and vehicles, including computers and computer networks that support United Nations operations, must be respected and protected and are not subject to cyber attack.
b) Other personnel, installations, materiel, units, or vehicles, including computers and computer networks, involved in a humanitarian assistance or peacekeeping mission in accordance with the United Nations Charter are protected against cyber attack under the same conditions.
- Prisoners of war interned protected persons, and other detained persons must be protected from the harmful effects of cyber operations.
- The right of prisoners of war, interned protected persons, and other detained persons to certain correspondence must not be interfered with by cyber operations.
- Prisoners of war and interned protected persons shall not be compelled to participate in or support cyber operations directed against their own country.
- It is prohibited to conscript or enlist children into the armed forces or to allow them to take part in cyber hostilities.
- Civilian journalists engaged in dangerous professional missions in areas of armed conflict are civilians and shall be respected as such, in particular with regard to cyber attacks, as long as they are not taking a direct part in hostilities.
- In order to avoid the release of dangerous forces and consequent severe losses among the civilian population, particular care must be taken during cyber attacks against works and installations containing dangerous forces, namely dams, dykes, and nuclear electrical generating stations, as well as installations located in their vicinity.
- Attacking, destroying, removing, or rendering useless objects indispensable to the survival of the civilian population by means of cyber operations is prohibited.
- The parties to an armed conflict must respect and protect cultural property that may be affected by cyber operations or that is located in cyberspace. In particular, they are prohibited from using digital cultural property for military purposes.
- a) The natural environment is a civilian object and as such enjoys general protection from cyber attacks and their effects.
b) States Party to Additional Protocol I are prohibited from employing cyber methods or means of warfare which are intended, or may be expected, to cause widespread, long-term, and severe damage to the natural environment.
- Diplomatic archives and communications are protected from cyber operations at all times.
- Collective punishment by cyber means is prohibited.
- Cyber operations shall not be designed or conducted to interfere unduly with impartial efforts to provide humanitarian assistance.
- Protected persons in occupied territory must be respected and protected from the harmful effects of cyber operations.
- The Occupying Power shall take all the measures in its power to restore and ensure, as far as possible, public order and safety, while respecting, unless absolutely prevented, the laws in force in the country, including the laws applicable to cyber activities.
- The Occupying Power may take measures necessary to ensure its general security, including the integrity and reliability of its own cyber systems.
- To the extend the law of occupation permits the confiscation or requisition of property, taking control of cyber infrastructure or systems is likewise permitted.
- The exercise of belligerent rights by cyber means directed against neutral cyber infrastructure is prohibited.
- The exercise of belligerent rights by cyber means in neutral territory is prohibited.
- A neutral State may not knowingly allow the exercise of belligerent rights by the parties to the conflict from cyber infrastructure located in its territory or under its exclusive control.
- If a neutral State fails to terminate the exercise of belligerent rights on its territory, the aggrieved party to the conflict may take such steps, including by cyber operations, as are necessary to counter that conduct.
- A State may not rely upon the law of neutrality to justify conduct, including cyber operations, that would be incompatible with preventive or enforcement measures decided upon by the Security Council under Chapter VII of the Charter of the United Nations.