Cyber Law and the Tallinn Manual
No paying of bills online. No appealing of fines. No reporting of hazards. No court sessions. No applying for municipal positions. No free WiFi for tourists at the airport. This is what life was like for Atlantans for over a week after a ransomware cyberattack was waged on the city government of the capital of Georgia, USA, on March 22, 2018. Cybersec experts hired by the city claim the attackers come from the SamSam hacking crew. And what did the initiators of what the New York Times called “one of the most sustained and consequential cyberattacks ever mounted against a major American city” ask for in return for the antidote? Six Bitcoin, at the time worth a measly $50,000 or so. Similar but smaller cyberattacks recently targeted Dallas, Texas, Birmingham, Ala., North Carolina, New Mexico, and Colorado.
One cannot help speculating that a few grand aren’t really what’s behind similar cyberaggressions, but rather a red herring to cover the tracks of an offensive by a state actor. It’s not only that it’s hard to irrefutably attribute a cyberattack to a state that tried to hide behind hacker groups – usually attacked states prefer not to make such attributions publicly, so that they may retaliate more freely, not being bound to traditional confrontations and war rules, and themselves masking their identity.
Eleven years earlier, no one mistook a massive cyberattack on Tallinn, capital of Estonia, for a ransom operation. “If you have a missile attack against, let’s say, an airport, it is an act of war. If the same result is caused by computers, then how else do you describe that kind of attack?" Madis Mikko, a spokesman for the Estonian Defense Ministry, rhetorically asked at the time.
One of the most connected countries in the world, the attack threatened to take so-called E-stonia back the stone age. Estonia didn’t hesitate to point a finger at Russia, who strongly advised against Estonia messing with the Bronze Soldier, a Soviet World War II memorial thorn at Tallinn’s side for 60 years, whose relocation ignited the attack.
As early as 2004, Estonia suggested that NATO create a cyber defense center. But only after this massive cyberattack, and another year, was the NATO Cooperative Cyber Defence Centre of Excellence founded. The Centre soon commissioned an academic study on the application of international law on cyberwar, better known as The Tallinn Manual. In 2017, Tallinn Manual 2.0 came out, expanding the scope to examine cyberevents that do not amount to an act of war, but are nonetheless potentially provoking and damaging.
In this episode of the Lex Cybernetica podcast, we look into the Tallinn Manual with our guests, Adv. Deborah Housen-Couriel, who talks about her experience as a member of the Tallinn Manual 2 team; Prof. Yuval Shany and Adv. Dan Efrony, who talk about their co-written paper, "The Tallinn Manual on Cyber Operations and the Laws of War: Towards Customary International Law"; and Lex Cybernetica’s host, Ido Kenan.
Our podcast is now on Stitcher and iTunes! You can listen to it via Android or IOS as well:
