Information Security News mailing list archives

Tallinn 2.0 and a Chinese View on the Tallinn Process


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 1 Jun 2015 09:40:07 +0000 (UTC)

http://www.lawfareblog.com/2015/05/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process/

By Ashley Deeks
LAWFARE
May 31, 2015

This past week, the NATO Cooperative Cyber Defense Center of Excellence put on its annual Cyber Conflict conference in Tallinn, Estonia. The conference boasted a number of experienced cyber-hands, including Adm. Mike Rogers, DefCon founder Jeff Moss, and law of armed conflict expert Mike Schmitt.

One of the most interesting sessions, which included a presentation by Mike, focused on aspects of the Tallinn Manual versions 1.0 and 2.0. Version 1.0, produced by an independent group of experts, came out in 2013. It proffered what the experts saw as current black letter law on jus ad bellum and jus in bello rules relevant to cyber operations. The Manual includes both crisp articulations of the rules and more extensive commentary setting out the legal basis for the rule and any differences that arose among the experts. Version 2.0 picks up where Version 1.0 left off, and will set forth the experts’ views on what international law applies to cyber activity that falls below the level of armed conflict or the use of force.

Mike previewed some of the topics that 2.0’s group of experts will discuss, including customary rules related to sovereignty. As Mike notes, sovereignty is not simply a factor restricting a state’s activities in other states’ territory. It also is the basis for states to regulate and exercise jurisdiction within their territory over people, hardware, and cyber operations. One challenge for the experts will be to achieve consensus on what types of activities by one state violate another state’s sovereignty: what level of damage, intrusion, or alteration of data suffices? Other norms up for discussion relate to due diligence obligations by states to stop actions that produce adverse consequences for other states, and the applicability of state responsibility (including counter-measures and the use of “necessity” arguments). Tallinn 2.0 has the potential to be even more influential than Tallinn 1.0, because it systematically will address activities that are far more prevalent in the cyber realm than uses of force or armed attacks.

Bill Boothby, a former Deputy Director of Legal Services for the UK Royal Air Force, then provided a retrospective look at Tallinn 1.0. Mike Schmitt had asked Bill to review all of the literature that offered reviews or critiques of Tallinn 1.0, to assess whether to consider certain modest amendments to the Manual’s commentary (though not to its black letter rules) or to take up certain issues that Tallinn 1.0 did not cover. Bill assessed that there has been huge interest in the Manual since it came out, but that the Manual reflected “all reasonable positions” on the issues it took up and that there were only a few amendments worth pondering. In particular, Bill wondered whether the definition of what constitutes a “cyber attack” might need to expand to include “major disruptions” that nevertheless do not produce physical harm to the affected state. He also asked whether the jus in bello rule on precautions was ill-suited to cyber, given that states utterly have failed to segregate their military cyber infrastructure from civilian cyber infrastructure.

[...]
