The Tallinn Manual, an academic study on how international law applies to cyber operations with coordination provided by a NATO-accredited cyber center, has been updated and expanded in a second edition, the cyber center said Feb. 9

Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations is written by 19 international law experts as a resource for legal advisers concerning cyber issues. The original and updated publications were both facilitated and led by the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE).

The CCDCOE is a NATO-accredited Tallinn, Estonia-based knowledge hub and training facility that focuses on interdisciplinary applied research and development concerning cyber security. Owned, staffed, and financed by the center’s member-nations, the CCDCOE is an independent organization.

The center’s sponsored member nations include the U.S., UK, Belgium, Czech Republic, Estonia, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, the Netherlands, Poland, Slovakia, Spain, and Turkey.

The first edition of the Tallinn Manual focused on the most severe cyber operations like those which violate the prohibition on the use of force in international relations; entitle states to exercise the right of self-defense, and/or occur during armed conflict. Manual 2.0 adds a legal analysis of the more common cyber incidents nations (states) encounter on a daily basis that fall below the thresholds of the use of force or armed conflict.

The CCDCOE emphasized that both editions of the manual represent the views of its authors and not NATO, the CCDCOE, sponsoring nations, or any other entities.

International law experts commented that this publication helps pave the way for states to develop cyber norms.

“The 154 black letter rules of the Tallinn Manual 2.0 reflect the consensus of our diverse, experienced and global group of experts. Taking a comprehensive look at how international law applies to cyber space, we assessed states’ rights and obligations in the cyber context,” Professor Michael Schmitt, the director of the Tallinn Manual Process, said in a statement.

Schmitt is the chairman of the Stockton Center at the U.S. Naval War College; a Lieber distinguished scholar with the Lieber Institute at the U.S. Military Academy at West Point; a professor of Public International Law at the University of Exeter, UK; a fellow at Harvard Law School’s program in international law and armed conflict; and a senior fellow at the CCDCOE.

The Tallinn Manual 2.0 European launch occurred at The Hague today and was organized by the CCDCOE, the Netherlands Ministry of Foreign Affairs, and The Asser Institute.

Liis Vihul, the book’s managing editor from the CCDCOE, noted that the manual plus state practice confirms international law applies to cyberspace as states have both rights and obligations in this field. “Norms, including those predating the cyber-era, apply to cyber operations, both conducted by and directed against states. The Manual draws on international law ranging from sovereignty and state responsibility to human rights and space law.”

Professor Michael Schmitt, Professor of International Law and director of the Tallinn Manual Process. Photo: U.S. Naval War College.Professor Michael Schmitt, Professor of International Law and director of the Tallinn Manual Process. Photo: U.S. Naval War College.

Vihul also said the manual includes issues like state responsibility for operations in cyber space, standards of attribution, the obligation to respect state sovereignty, and what the possible responses of victim states to cyber attacks might be.

Steven Hill, a legal advisor and director of NATO’s Office of Legal Affairs characterized the manual as a useful contribution on how international law applies in the cyber realm during both armed conflict and peacetime. “This independent analysis will be a valuable resource for NATO as the Allies consider their positions on the legal implications of ensuring collective defence in the cyber domain,” he said.

Marina Kaljurand, member of the United Nations group of governmental experts in the field of information and telecommunications and former Estonian Minister of Foreign Affairs, highlighted this does not create international law, which is up to states and governments. “Only states can offer formal and binding guidance on how international law applies to cyber events through practice, political statements, and globally agreed norms of responsible state behavior.”

Sven Sakkov, director of the CCDCOE, explained that 50 states were included in the manual’s consultations and over 50 additional specialists contributed to peer review.

The CCDCOE and the Netherlands Ministry of Foreign Affairs are co-hosting and organizing three launch events: at the Atlantic Council in Washington, DC on Feb. 8, The Hague on Feb. 13 co-organized with the T.M.C. Asser Instituut, and in Tallinn on Feb. 17.

The Tallinn Manual 2.0 is published by Cambridge University Press.