In 2007, Estonia faced cyber-attacks that have been widely acknowledged as the world’s first cyber war. At the peak of these attacks, fifty-eight Estonian websites were offline at once, including those of the government, most newspapers and banks.
Even though the attacks were technically rather robust and there was nothing novel about them, their size and length was quite surprising. Politically motivated large-scale assaults brought the attention of the international community to cyber security.
Prior to the incident, cyber-attacks had not been seriously considered as an imminent threat to the state or its citizens. There was no common code of conduct or universal agreement between policy-makers. For example, it was not defined if this kind of an offence would qualify as an attack against a member state of NATO and hence activate collective defence under Article V. It was not even clear if a state could legitimately respond to cyber-attacks.
Protecting cyberspace from the enemy
It became understandable that compared with other dimensions of security, cyberspace requires different logic. To start with, there are no territorial borders that could be followed or secured. It is difficult to draw the lines not only between different states but also between nations and private-sector organisations. This turns the distinction between war and crime into a question of interpretation. It also raises questions about a state’s sovereignty in cyberspace and thus limits its power to conduct security policies.
One of the most important obstacles in cyber security is that it is often almost impossible to find (and prove) the culprit of the attack. If the ”enemy” is unknown then it is very difficult to organise a counterattack. It is also risky to act based on uncertain information. It is very easy for a state to change from being a victim to becoming an offender. Key strategic threat also lies in potential escalatory responses, turning a miscalculation in cyberspace into a full-scale war in the real world.
Looking at contemporary conflicts, it is evident that cyberspace is already becoming one of the theatres of conflict. Technological achievements are an important part of our everyday lives, making a technologically developed state dependent on the functioning of its computer systems. This reflects how vulnerable cyberspace can be when it comes to defending the state from a potential enemy.
It is the complicated nature of the field that obstructs its regulation by concrete laws. At the same time, nations have to be very careful with the measures they apply in the name of security in cyberspace (or how they use cyberspace in the name of state security).
The Tallinn Manual
There are a lot of difficult issues waiting to be solved. The CCD COE (NATO Cooperative Cyber Defence Centre of Excellence) has made one of the first attempts to set some guiding principles in the legal affairs of conflicts in cyberspace — a process which produced the Tallinn Manual. Experts who participated in the making of the Tallinn Manual, believe that the answers are to be found in existing international law. The manual does not focus on cyber security, but rather on how international law regarding warfare can be adapted to conflicts in cyberspace. It is a unique document that does not represent new officially binding rules but rather shows how policy-makers can interpret the law we have today. It is recognised that the distinctive nature of networked technology requires additional work on traditional laws. Nonetheless, it does not require a reinvention of international norms.
Looking at the Tallinn Manual from a cyber-security perspective, it is definitely a relevant foundation for future discussions. It examines in great depth how the requirements of an armed attack that have to be met before self-defence is justified, could be transferred to cyberspace. It also looks for legitimate ways of tackling attacks from criminal groups or individual hackers working in the name of another state. No doubt this is only the beginning and there are many issues that have to be carefully discussed before a common understanding on the code of conduct is reached.
In real world politics, it might be difficult to deter attacked states from responding to the offence. Hence, it is necessary to adapt international norms of other domains to cyberspace. It also allows us to start making sense of the nature of this new domain and the challenges that it brings.