The Tallinn Manual is meant to guide governments through some of this hard thinking. Under international law, states are legally entitled to respond to an “armed attack” or a “use of force” in a proportionate way. Vihul says that “cyber activities carried out by states that injure or kill people or damage or destroy objects are most likely to be considered as uses of force.” If a state suffers such an attack, it could be legally entitled to retaliate with cyber or conventional forces, even if the attack was purely cyber in nature, and even if the attack was perpetrated by civilian, rather than military, agencies.
However, cyber complicates the application of the existing law in two ways. The victim of a cyber attack might hide the fact that the attack ever took place so as not to reveal its vulnerability to other potential aggressors. Even more importantly, it is hard to attribute a cyber attack to another state in a way that would satisfy international law, given the attacking state’s likely use of proxies.
The first challenge that states face is therefore proving the origin of an attack.Enjoying this article? Click here to subscribe for full access. Just $5 a month.
Secondly, states have to decide how to respond legally and effectively to cyber crime and cyber espionage. So far the governments have seemed inclined either to accept such attacks as a fact of interconnected life, or to try to retaliate with cyber operations of their own. The former approach only encourages further aggression, while the latter probably breaches international law if the original hack was not an example of the use of force. In future, the victims of virtual theft might instead focus on gathering evidence and then seek reparations at the World Trade Organisation or the International Court of Justice, much as they would do in cases of IP theft or breaches of sovereignty.
Thirdly, the international community must continue the debate where the Tallinn Manual has left it, and work to develop universally accepted rules and norms for operating in cyberspace. “I think the risks of miscalculation or inadvertent escalation are very high if two sides do not share a common vision of what are legitimate targets or thresholds for acts of war,” says Segal.
China and the U.S. have both said that they would like to see a rules-based cyberspace, but they do not see eye to eye on how those rules should be established. A costly and potentially dangerous Cyber Cold War awaits if they cannot do better, and agree on some rules of engagement for their rapidly expanding online forces.