Cyberwar, International Law, and the Tallinn Manual: A Puzzle of Positive Law and the Prism of Norm-Entrepreneurship

By: Nimrod Karin

There’s a cyberwar going on, apparently. More than one, actually, although we don’t really know how many, since we can’t count what we can’t see: cyberwars are waged in a virtual world, by avatar-armies and web-weapons, directed by all but invisible hands. Of course, the conduct and consequences of cyberwar are all too real, as are its high risks and huge stakes; yet to us, outside observers of State behaviour, all such aspects are heavily shrouded in secrecy. And as a global battlefield beyond sight, so to speak, the cyber realm seems almost made for the most shadowy (and possibly shady) sides of war. But have no fear, for law is here, and has already jumped into the fray: cyberwar has become the latest front and frontier for public international law’s intertwined branches of jus ad bellum (JAB) and jus in bello (JIB). Or at least so we’re told, and are effectively expected to take on faith, since if cyberwars can’t be seen in order to be counted, then surely they can’t be watched. So how can we, outside observers, tell what’s what in the recesses of cyberwar, either in terms of JAB or JIB?

Enter the Tallinn Manual on the International Law Applicable to Cyber Warfare (2011, 2016). As a corpus of legal rules, authored by a (supposedly) free-standing group of scholars and practitioners, the Tallinn Manual (seemingly) lacks any normative force as such, and thus promptly declares itself “a non-binding document.” Reading this disclaimer together with the stated purpose of the project – “to examine how extant legal norms applied to [cyber] warfare” – suggests that the Tallinn Manual is a study of sorts. At the same time, it appears that the participating authors have perceived their collective endeavour as exceeding the confines of academic research; by the same token, this self-styled International Group of Experts evidently envisioned its work would amount to more than a plain textbook.

Accepting, arguendo, the Tallinn Manual’s premise – namely, that positive law has by now emerged, without any formal instruments or any other meaningful, functional expressions by governments – still leaves the practical matter of extracting such purportedly pre-existing rules. This harkens back to the seemingly insurmountable obstacle that we, outside observers, came up against in attempting to ascertain whether JAB and JIB substantively apply to cyberwar. How did the Tallinn Experts overcome this predicament? What source-materials that contain or otherwise capture the relevant rules were consulted as part of their work? And insofar as no such cyberwar-related materials were available, where were said rules located, and how were they detected?

Asking such questions may seem coy, since it’s far more reasonable to think that the legal rules pronounced by the Tallinn Manual were not so much discovered as devised. The Tallinn Experts wouldn’t necessarily disagree: they use words like “restatement,” “crafting,” and “replicating” to describe their work, all of which imply it had a constitutive dimension. But if so (and with all due respect) then how could the Tallinn Experts have been sufficiently confident about their conclusions, so as to declare them lex lata rules and assert themselves “authoritative” in so doing, let alone put their project on a par with previous law-of-war manuals, despite the aforementioned disparities between conventional and cyber warfare? In short, what do the Tallinn Experts know about their work and conclusions that we don’t?

In tackling this question, I use a (relatively) novel and (highly) incisive sociological framing of norm-entrepreneurship, which pertains to the functional considerations that guided the project and thus ground its process and product. In other words, it’s the content of the strategic deliberations that took place in Tallinn and the practical decisions thus taken – all for the sake of affecting the actual conduct and consequences of cyberwar – as the Tallinn Experts sought to fulfil their instrumental goals of influencing and informing, by maximizing the Tallinn Manual’s usefulness and credence as a resource. In addition, my pragmatic characterization of project, process, and product opens up further questions regarding the particular expertise at play, as presumably required for bringing the Tallinn Manual into functional fruition. My research thereby attempts to reconstruct the Tallinn Manual as a collection of choices – background and strategic, by people and governments, of structure and substance. I submit that not only are these choices all connected, but also (and more crucially) they’re all currently hiding in plain sight, under broad lawyerly-scholarly headings such as “law of the horse,” “teleological interpretation,” as well as application “by analogy” or “mutatis mutandis.”

My overarching argument thus targets the fallacy – and hazard, even – of ignoring these choices, whether by denying, dismissing, or simply by being oblivious to their making, as part of our subsequent legal research. To wit, I maintain that these choices are the variables, not constants, of the Tallinn Experts’ doctrinal analysis, and as such are reprised by their work and reconstituted by their conclusions. Accordingly, these choices render, rather than result from, the Tallinn Manual’s doctrinal annunciation of rules and commentary. By excavating and exposing these choices, my research will offer fresh and fruitful findings, in order to fill the profound explanatory gap regarding the nature and purpose of the Tallinn Manual. This, in turn, enables me to (begin) grappling with the real-life, overall significance of the Tallinn Manual; as indicated below, it goes to one of public international law’s principal engines of creation, and, relatedly, to the role and responsibility of the “invisible college” of legal scholars and practitioners in the current era of international law-of-war-making.