In 2015 INSCT began a collaboration with the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE), based in Tallinn, Estonia. As the authors of the “Tallinn Manual on International Law Applicable to Cyber Warfare,” experts at CCDCOE are at the forefront of understanding the challenges of applying existing international laws and norms to the constantly evolving cyber realm. As the Tallinn Manual project continues, INSCT staff, faculty, and associates have been invited to add their insights into how to reform international law and domestic law in the digital age.
Tallinn Manual 2.0
Tallinn Manual 2.0 expands on the highly influential first edition by extending its coverage of the international law governing cyber operations to peacetime legal regimes. The product of a three-year follow-on project by a new group of 20 renowned international law experts, it addresses such topics as sovereignty, state responsibility, human rights, and the law of air, space, and the sea.
Tallinn Manual 2.0 identifies 154 ‘black letter’ rules governing cyber operations and provides extensive commentary on each rule. Although Tallinn Manual 2.0 represents the views of the experts in their personal capacity, the project benefitted from the unofficial input of many states and over 50 peer reviewers.
- Revised and updated, Tallinn Manual 2.0 now covers peacetime legal regimes
- “Black letter” rules state the international law applicable to cyber warfare
- The Commentary discusses the rules and lays out their legal basis and logic
Project 1: Controlling Economic Cyber Espionage
Contemporary cyber spies—often under the control of nation states—are just as likely to be plundering the intellectual property and customer information of international businesses as waging covert cyberwar against military enemies. Yet legal, policy, and technological means for countering cyber espionage are not always clear.
In order to examine the state of domestic and international approaches for controlling—and to offer recommendations for policymakers and practitioners who are addressing—this postmodern form of economic, military, and industrial spying, INSCT joined with the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) to host “Controlling Economic Cyber Espionage,” an interdisciplinary workshop held at SU College of Law on June 18 and 19, 2015.
The workshop convened cyber experts from around the globe, including:
- Michael Schmitt, Director of the Stockton Center for the Study of International Law at the US Naval War College
- Joel Brenner, former Inspector General, US National Security Agency
- Herb Lin, Senior Research Scholar for cyber policy and security, Hoover Institution
- Xiaofeng Wang, Researcher, Center for American Studies, Fudan University, Shanghai, China
- Gregory Nojeim, Senior Counsel, Center for Democracy and Technology
- Liis Vihul, Law and Policy Researcher, CCDCOE, who was a project manager for the “Tallinn Manual on International Law Applicable to Cyber Warfare.”
Representing a cross-section of SU schools and colleges were INSCT Director William C. Banks; Professor Shiu-Kai Chin, College of Engineering and Computer Science (ECS); INSCT Faculty Member Nathan Sales; Dean James B. Steinberg, Maxwell School; and Professor Laura Steinberg, ECS.
Panels asked who is doing the spying and by what methods, what the current thinking of government and industry is about the problem, and what methods of protection—such as identity assurance—currently exist. The workshop also analyzed the domestic and international law and policy landscape to ascertain what reforms and actions are necessary as cyber espionage—and cyber war in general—evolves. Answers were drawn from the disciplines of foreign and domestic law, public policy, international affairs, defense strategy, law enforcement, computer engineering, and finance.
“Cyber Espionage & Electronic Surveillance: Beyond the Media Coverage.” Emory Law Journal, 66 (2017).
By William C. Banks
“The confluence of interests between victims of overbroad surveillance and cyber espionage presents an opportunity to begin developing new norms and eventual international law that could bring more rationality, predictability, and privacy protections to the cyber domain. The costs of cyber espionage are real, and the threats and vulnerabilities will increase with the progression of technology. Companies and governments are underprepared for the level of cyber espionage they are facing. Solutions vary, but they all share the common foundation of increased international cooperation and the development of a customary international legal framework that everyone understands.”
“The Un-Territoriality of Data.” Yale Law Journal, 125:2
By Jennifer C. Daskal
“Spying and Fighting in Cyberspace: What is Which?” JNSLP, 8:3
By Gary Brown
Brown presents the nuances of cyber espionage versus cyber attacks that are becoming more pervasive in the national security context. He defines the differences between the two, and proposes a method of analyzing cyber operations to properly categorize them. Then, using an extended hypothetical and several real-life examples, Brown illustrates how dangerous cyber operations can be, and the need to properly define them so as to respond most effectively.
“Deterring Financially Motivated Cybercrime.” JNSLP, 8:3
By Zachary K. Goldman & Damon McCoy
In “Deterring Financially Motivated Cybercrime,” Zachary K. Goldman and Damon McCoy present three strategies for deterring attacks that use malicious cyber capabilities to generate a profit. Each strategy—the imposition of financial sanctions, public/private partnerships to disrupt tools of cybercrime, and activities to disrupt payment networks run by criminals who sell fraudulent goods over the Internet—is analyzed for strengths and weaknesses. The authors conclude with a discussion of the ways in which regulatory tools to combat cybercrime can overcome problems with formulating a cohesive deterrent strategy such as secrecy and attribution.
“The 2014 Sony Hack & the Role of International Law.” JNSLP, 8:3
By Clare Sullivan
Clare Sullivan posits that the 2014 hack of Sony Pictures Entertainment (“Sony Hack”) heralds the arrival of a new form of modern warfare. She argues that the current state of international law is inadequate to deal with hacks like this one, which do not cause physical damage but which nonetheless result in serious economic harm and violations of privacy. In the author’s view, a new approach is needed to ensure that countries are permitted under international law to respond to and take countermeasures against such hacks.
By William C. Banks (In Research Handbook on the Politics of International Law. Eds. W. Sandholtz & C. Whytock. Edward Elgar, 2017.)
“In this chapter, the focus is on legal change. When the normative framework governing kinetic warfare does not fit cyber conflict, how do adaptations occur that permit regulation of or responses to harmful cyber intrusions? In other words, the most important stage of governance in managing cyber conflict has arrived long after the norms and institutions are in place. In setting up legal change in the cyber domain, I will review the ad bellum justifications for conducting cyber war within the Charter and LOAC systems …”
Trey Herr and Paul Rosenzweig take up the complex task of characterizing software products in the context of the current export regulatory regime. Herr and Rosenzweig use their PrEP model to distinguish the components of the software functionally. They isolate the payload component as requiring special consideration, and propose a policy approach to regulating software exports based on their effects.
States are not likely to consent to new international rules that restrict the use of cyber weapons. For better or worse the conditions necessary to promote the emergence and development of legalist constraints are not present in sufficient degree to support further international rules governing cyber conflict – any more than those conditions have been present in the past to support the emergence of rules governing clandestine or covert intelligence operations of which cyber activity normally is a part.
Making Good Cybersecurity Law and Policy: How Can We Get Tasty Sausage? (I/S: A Journal of Law and Policy for the Information Society, 2012)
By Paul Rosenzweig
“This brief essay will focus on two more interesting questions: First, whether or not there is a class of issues and challenges in policy making that is unique to the cyber domain; and second, whether there are issues that, if not unique, are more predominant or readily apparent in the context of cyber policy making than in other areas of governmental endeavor …”
Selected readings from the “Controlling Economic Cyber Espionage” workshop:
Selected blogs, commentary, and scholarship by cyberespionage experts:
Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations
Feb. 7, 2017 | Strauss Center for International Security and Law, University of Texas-Austin
On Feb. 7, 2017, the Texas Law Review hosted the symposium “Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations,” co-sponsored by the Robert Strauss Center for International Security and Law and the Lieber Institute for Law & Land Warfare at the United States Military Academy.
This day-long event featured panels addressing sovereignty in cyberspace, jurisdiction over cyber activities, and international human rights law in cyberspace, among other timely topics.
INSCT Director William C. Banks spoke on Panel 3 “Responding to Cyber Operations Not Amounting to an Armed Attack under Article 51.” Other INSCT/CCDCOE project participants were Michael Schmitt, USMA-West Point, and Liis Vihul, NATO CCDCOE.
Cyber at NATO: The Operational Domain Challenge
Oct. 24, 2016 | Siim Alatalu (MAIR’06), Head of International Relations, NATO CCDCOE
A guest of professors William Snyder and Lee McKnight and their Cybersecurity Law and Policy/Information Security Policy class, INSCT alumnus Siim Alatalu (MAIR ’06) spoke about NATO, cyber attacks and cyberwar, and international policy and cooperation at SU College of Law on Oct. 24, 2016. Alatalu is an international relations advisor at INSCT partner the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE).
The Frontiers of Cybersecurity Policy and Law
Feb. 4-6, 2016 | Strauss Center for International Security and Law, University of Texas-Austin
In February 2016, the Strauss Center at the University of Texas-Austin hosted a conference on the legal and policy dimensions of cybersecurity. Sponsors were the Christian Science Monitor, the American Journal of Criminal Law, and the ABA Standing Committee on Law and National Security.
Topics included the aftermath of the “going dark” debate; the evolving regulatory environment for the security/research sector; export controls; and “active defense” of networks (including “hackbacks” and “botnet takedowns”).
ABA SCOLANS also sponsored a training workshop on cybersecurity law and policy, with sessions addressing federal criminal law, investigative and intelligence law, regulatory law, and international law.
INSCT/NATO project participants included INSCT Director William C. Banks; Greg Nojeim, Senior Counsel, Center for Democracy & Technology; and Professor Jen Daskal, American University Washington College of Law.
Project 2: Human Rights in Cyberspace
The continuing, rapid development of online technologies, while offering unprecedented opportunities for individuals and groups to exercise the freedom of expression, can easily lead to human rights infringements.
In October 2015, lawyers and legal scholars from governments, academia, and NGOs gathered in Tallinn, Estonia, to discuss the future of human rights in cyberspace, in a workshop hosted by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) and co-sponsored by the Institute for National Security and Counterterrorism at SU (INSCT). Specifically, esteemed delegates at “Human Rights in Cyberspace” focused on how to apply the long-established principles of international human rights law to rapid technological developments and on the balance between free expression and law enforcement in a realm that is increasingly borderless, expansive, and chaotic.
In introducing the workshop, Lorena Trinberg, a legal researcher at CCDCOE, emphasized that governmental cyber measures need to be in line with human rights norms and that “law is playing catch-up with technology and nations are running the risk of undermining human rights instead of strengthening them.”
“The Internet provides new means for enabling governmental privacy intrusions and causing national security and economic harm. At the same time it gives states tools to keep tabs on different actors,” explained Professor William C. Banks, Dean of SU Law and INSCT Founding Director. “International law should and will have an important role to play in bringing some order, predictability, and stability to these aspects of the cyber domain.”
“The Internet presents unprecedented challenges to human rights through cyberattacks and surveillance. It also functions as a platform for crime and incitement of violence through hate speech and recruitment to terrorism,” said visiting Professor Gabor Rona of the Benjamin N. Cardozo School of Law and the former International Legal Director of Human Rights First. “States are drawn between obligations to ensure privacy and free expression online while having to police the Internet for human rights violations, such as incitement to hate crimes, fraud, child pornography, and threats to national security.”
Products & Relevant Scholarship
Human Rights in Cyberspace Workshop Report
By Lorena Trinberg, Tomáš Minárik, & CPT Pascal Brangetto (CCDCOE)
Part A of this report provides a brief overview of the workshop’s main topics. The workshop began with evolutionary aspects of the cyber realm and human rights, and continued with debates on specific problems, such as the extraterritorial application of human rights treaties and an intriguing debate on future developments in cyber law. Part B offers the event agenda, while Part C features presentation abstracts and biographies of the speakers and other project principals.
State Responsibility to Respect, Protect, and Fulfill Human Rights Obligations in Cyberspace
By Gabor Rona & Lauren Aarons (JNSLP 8:3)
In this article, Gabor Rona and Lauren Aarons explore how international human rights law applies to cyberspace. They address the substantive obligations of the state responsibility to respect, ensure, and promote human rights in cyberspace, including protecting against third party abuse and providing remedies for violations. Finally, the authors outline the limitations of and permissible restrictions on human rights obligations in cyberspace.
Law Enforcement Access to Data Across Borders: The Evolving Human Rights Issues
By Jennifer Daskal (JNSLP 8:3)
Jennifer Daskal describes the challenges facing law enforcement access to data across borders and examines the legal and political issues at stake in formulating clear standards for cross-border access to data.
The guide was developed by SU students and alumni across the iSchool, Maxwell School, and College of Law, on behalf of the IRPC and the UN Internet Governance Forum, with a lead role taken by INSCT alumnus Kevin Risser (MPA ’16; CAS in Security Studies) and by INSCT Affiliated Faculty Member Lee McKnight.