Vital Interests: Mike, thanks very much for joining us today on the Vital Interests Forum. During the past years much of your focus has been on cyber issues - cyberattacks, cybersecurity, and particularly developing international law related to cyber operations. We now have a heightened awareness of possible serious cyber attacks, ongoing cyber espionage, election interference using social media and new cyber tools, as well as unidentified hackers stealing data and holding computer systems hostage unless ransoms are paid. 

For most of us, cyber threats are something we learned about in the last five years or so. When did the realities of the malicious use of the internet and the need for cybersecurity appear on the radar of intelligence and security agencies?

Michael Schmitt: In the 1990s, we first began to think about cyber seriously. At the time, I was on the United States Naval War College faculty, where we started to think about cyber as a possible element to be employed in armed conflict. As a judge advocate, it struck me that no one anywhere was considering international law and how, in particular, international humanitarian law might govern those specific operations.

So, in 1998 the Naval War College held the first global conference on applying the law to cyber operations. Because it was at a war college, what we focused on – indeed, what the international law community concentrated on in the beginning - were the two significant issues.

First, when is a cyber operation a use of force in violation of Article 2(4) of the UN Charter? Second, how does international humanitarian law apply to cyber operations? In particular, when would cyber operations amount to an armed conflict to which that body of law applies? If already in an armed conflict, how would humanitarian law shape cyber operations? 

That’s what kicked-off the international law community’s consideration of the subject.

VI: The 9/11 attacks occurred in 2001, everyone’s total focus immediately changed to counter-terrorism  Did the Global War on Terror suck all the air out of the work being done on cyber operations?

Michael Schmitt: It almost wholly stopped consideration of that subject. The attention of the legal community around the world that had been directed to cyber as a result of the Naval War College conference, with the 9/11 attacks it shifted overnight to issues of international law and counter-terrorism, international law and detention, international law and the application of international humanitarian law in Afghanistan and Iraq, and so forth. 

In 2004, the United Nations did hold the first Group of Governmental Experts meeting on cyber issues, but it consisted primarily of preliminary discussions about the threats posed by cyber operations. Nothing of significance happened concerning international law and cyber operations until 2007, with the hostile cyber operations directed against Estonia.

In April 2007, hostile cyber operations were directed against Estonia in response to the moving of a Soviet-era statue commemorating the Great Patriotic War out of the center of Tallinn, Estonia’s capital. Ethnic Russians in the country were offended because, of course, the Soviet Union had suffered mightily during the Second World War, losing over 20 million people; the action was quite an offense to them. But to an ethnic Estonian, it was a statue commemorating a war during which Estonia lost its relatively new-found independence for half a century. 

At any rate, when the statue was relocated to a World War II-era war cemetery, riots by ethnic Russians erupted. Additionally, cyber operations from 177 different countries - or at least they were geo-located in 177 countries - targeted the country. But the vast majority originated in  Russian territory. This campaign begged the question of whether those involved were just individual patriotic hackers or independent hacker groups, or somehow under the influence of the Russian government. There’s lots of speculation as to whether the Russian government was directly or indirectly involved. I believe there was some Russian government involvement, but that the majority of the operations were spontaneous responses to the Estonian action.

VI: Was this a wake-up call because of the extensiveness and effect of the operation, or because it was the first time that people realized “Well, this is actually an external attack on a sovereign nation that caused harm to the Estonian people.”the

Michael Schmitt: The Estonian cyber attack was a real wake-up call because Estonia had recently become a NATO member. The Estonians never formally went to the North Atlantic Council, but there was a lot of chatter at the time about whether or not this was an “armed attack” under Article 51 of the UN Charter. If so, it would give Estonia the right of self-defense and permit it, under Article 5 of the North Atlantic Treaty, to seek help from NATO allies pursuant to the right of collective self-defense.

And you have to remember this was occurring as key NATO countries - particularly the United States - were heavily involved in operations in Iraq and Afghanistan. The last thing we needed was to add increased tension or conflict with Russia to those challenges. The situation captured everyone’s attention in a big way.

Many legal questions surrounded the hostile operations, especially because they were primarily disruptive, not destructive; the operations included, for example, distributed denial of service operations that shut down banks, the media, and government websites. And that was hugely problematic for Estonia because the country was pretty wired at the time. Estonians did everything from getting their pensions to parking their cars online.

As a matter of law, were the operations a “use of force” in violation of the UN Charter? Was it an “armed attack” such that Estonia could go to NATO or other countries on an ad hoc basis and seek assistance at the use of force level? In other words, did this situation rise to the level of collective self-defense? Could the operations be attributed to Russia under the law of state responsibility? 

Frankly, attorneys like myself who had done a little bit of work in the late 1990s on cyber threats were caught cold, for we had not thought through these and other issues in any depth. So, when our policy colleagues asked, “What have we just witnessed?” we very much had a deer-in-headlights look on our faces. 

VI: In other words, the Estonia cyber attack was seen to be qualitatively different than anything that had come before. Governments have always meddled in blocking communications and spreading disinformation and propaganda. Espionage has also been part of a government’s foreign operations. However, this was seen to be something quite different?

Michael Schmitt: Qualitatively and quantitatively, it was very different. Qualitatively different because the campaign went well beyond one government spying on another using electronic means, which numerous governments already were doing at the time. And quantitatively, it was more severe in terms of consequences than the vast majority of cyber operations that states had mounted to date. It was an aggressive offensive cyber campaign that shut down much of a nation by non-destructive means. 

The situation was also complicated because of the attribution issue. We weren’t quite sure who did it, and we hadn’t thought through situations where a state might be influencing non-state actors, either individuals or groups, to engage in activities against other states, something that is much easier to do in the virtual world. 

NATO and some countries individually assisted in remediating some of the damage, but the Estonians did most of the work. They took their country offline for a while. It was a wake-up call for other countries because taking a country offline is a big deal. It interferes with commerce, disrupts banking, complicates communications, etc.

Imagine a COVID response where you significantly disrupt cyber activities. Today, we’re trying to find out where to get the vaccine and sign up online to receive it. Today, the government tells us online what to do to protect ourselves during the pandemic. Today, our education has moved online. Today, many of us work from home. So, you can imagine the consequences of even a short-term disruption of national cyber-networks.

VI: The 2007 Estonia cyber operation increased awareness of the necessity of cybersecurity but did it also tweak interest in the concept of using cyber attacks as part of an offensive military or intelligence operation?  Not too long after in 2010, the Stuxnet cyber attack inserted a very destructive malware worm into Iranian computer systems that controlled their nuclear centrifuges doing extensive damage to an important strategic Iranian government asset. So were the gloves now off in the cyber sphere?

Michael Schmitt: Yes, it’s all related. Events unfolded rapidly before the international law community could catch its breath. In 2008, the year after the anti-Estonia cyber campaign, a classic armed conflict broke out between Russia and Georgia. Accompanying the kinetic operations were many cyber operations, widely speculated to have been orchestrated by Russia.

Again, there were issues of attribution. Who is conducting them? Are they patriotic hackers? The Russian government? Are they meant to accompany the kinetic operations? And the targets included civilian cyber infrastructure as well as military targets like the Ministry of Defense websites. For example, the Georgians had to shut down their banking system to protect it from hostile operations.

Now we had a new legal issue. During the Estonia campaign, most questions dealt with the UN Charter and customary law prohibitions on the use of force, and the related right of self-defense. With Georgia, international humanitarian law loomed large. It looked like the Russians had just conducted a large-scale cyber campaign against civilian targets. Were the attacks against civilian objects such that international humanitarian law had been violated and war crimes committed?

We had no answers. We knew that if the Russians had bombed a civilian facility, that would be a classic unlawful attack. But what if they just shut it down? What if the cyber operation was unsuccessful because the Georgians took the target offline? Would this be an unlawful attack? There were many questions, and most folks were just guessing at the answers.

Those two events -  in Estonia and Georgia - caused the international community - NATO - to turn its attention back to cyber. Remember, both events occurred in regions about which NATO is extremely concerned; one involved a new NATO ally. In response, NATO established the NATO Cooperative Cyber Defense Centre of Excellence in 2009, based in Tallinn, Estonia.

Beyond addressing technology, strategy, and policy, the Centre took on the international law aspects of cyber operations because of our confusion in the face of the two watershed events for our field. Experts associated with the Centre began to ask how they could contribute to understanding the international law context of cyber operations. They approached me because of the work I had done on this subject in the 1990s at the Naval War College. 

It occurred to me that the problem from a legal perspective was that government attorneys worldwide hadn’t thought about hostile cyber operations, nor did they have the time to figure out the complex legal environment in which those operations now were unfolding. We launched an undertaking called the Tallinn Manual Project to address this urgent dilemma.

The first phase of analysis began in 2009. Its results were published in 2013 by Cambridge University Press as the Tallinn Manual on the International Law Applicable to Cyber Warfare. We took on the two key bodies of law implicated by the Estonian and Georgian incidents: the jus ad bellum and international humanitarian law. 

The Manual set out ninety-five “black-letter rules” governing cyber conflicts, primarily addressing the jus ad bellum (authorization for the use of force), international humanitarian law, and the law of neutrality. An extensive commentary accompanied each rule that included the rule’s basis in treaty and customary law, an explanation of how the Group of Experts interpreted the rule in the cyber context, and a delineation of any disagreements as to its application in practice.

VI: Your intended goal was to put cyber attacks into the context of existing international law on armed conflict?

Michael Schmitt: We had an initial group of five people who met early on - extraordinarily gifted international lawyers who had all worked with governments. The question was simple. If we were going to do triage on international law for cyberspace, where should we start? Given that we had just witnessed Estonia and the Georgia/Russia conflict was fresh in our minds - we had to start there. Even though we knew that most hostile cyber operations occur at a lower threshold on a day-to-day basis,  we felt compelled to address what had just happened.

VI: There was a follow-up volume in 2017 that did focus on cyber operations more generally - the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.

Michael Schmitt: That’s exactly right. Late in the drafting of the Tallinn Manual 1.0, I had the opportunity to spend some time with Daniel Bethlehem, who was then the Legal Adviser to the UK Foreign and Commonwealth Office. Daniel very perceptively observed, “If all you have in life is a hammer, every problem is a nail. And if all you have is a manual that addresses issues of high-order conflict, then when government attorneys begin to deal with hostile cyber operations below that threshold, they’re going to look to your manual and interpret the situation through the prism of conflict. He was 100% correct.

So, when we finished Tallinn 1.0, and the NATO Center asked “What’s next,” we decided to keep going and address those cyber operations that fall below-the-threshold or uses of force and armed conflict. We also took the opportunity to update Tallinn 1.0 to include events like Stuxnet, which had occurred relatively late in the first phase, and to which states had not had a chance to react.

We convened a new group of experts because we were going to consider different areas of law. The other difference was that states held us at arm’s length during the first Tallinn Manual effort - at least publicly. There was concern about what a group of twenty scholars/practitioners might conclude. If they didn’t like our conclusions, states wanted to be able to say, “Those guys got it wrong. We won’t be bound by what they came up with.” However, behind the scenes, several states provided us with invaluable input.

But when we got to Tallinn 2.0, the difference was night and day. After states saw the impact of the first Tallinn Manual, they aggressively chased us to provide input because they understood that the Manual would be globally influential.  Late in the Tallinn 2.0 Manual effort, the Netherlands agreed to host a series of meetings called “The Hague Process.” That nation brought fifty states and international governmental organizations - including all of the P5 - to three meetings held in The Hague, where we provided them drafts and allowed them to comment thereon. States also provided over a thousand written comments on the draft.

The Tallinn Manual is different from other manuals. Most have tended to assert, “This is the law,” with their commentary explaining why the authors came to that conclusion. In the Tallinn Manual, the rules require unanimity, but the commentary allowed for interpretative differences. The rules are very straight forward – “you may not conduct cyber attacks against civilians during an armed conflict,” and so on. That’s a very bland rule, but many pages of commentary deal with the various views as to the kinds of cyber ops that constitute an attack, such that the rule applies. 

The Manual commentary sets forth the views of the majority and minority of the experts on interpretive issues. When the Manual notes that the experts acknowledged a view, a state usually had that view during the Hague Process. None of the experts agreed with it, but we nevertheless deemed it reasonable.  We were committed to producing a document that would allow states to make their own choice as to the proper legal interpretation. Therefore, we identified all reasonable options while highlighting our interpretive preference, for what it was worth.

The experts were all relatively committed to the notion that states make and authoritatively interpret the law. Although other inputs from the NGO community, scholars, and expert manual projects are influential, states authoritatively interpret international law at the end of the day.

The approach gave the Manual credibility among states. Most, but not all, understood that we were trying to facilitate their determination of how international law applies in cyberspace. This was key to laying the groundwork for a consensus on how to understand and properly respond to hostile cyber operations

VI: Between the publication of the Tallinn Manual 1.0 in 2013 and  2.0 coming out in 2017, there was Edward Snowden’s exposure of NSA surveillance of the internet and cell phones in the US, as well as cyber spying on diplomats and leaders of other countries, tapping into meetings of the G7, the G20, and the United Nations.

Were questions of espionage and the rights of privacy and the limits of government surveillance using cyber tools ever discussed?

Michael Schmitt: Tallinn Manual 2.0 addressed all of that. We have a chapter on diplomatic law and one on human rights law. But I would say that those are two areas that need to be addressed more fully in what is now going to be Tallinn Manual 3.0, for the events you mention caused states to react in normatively significant ways.

In that regard, the decision has been taken to update, if you will, Tallinn Manual 2.0. It’s a five-year project that I’ll be directing again. Liis Vihul of Cyber Law International and Marko Milanovic of Nottingham University are joining me as co-editors. And there is a lot to update, not only with regard to incidents like you mentioned but also because controversies arose that we had not anticipated, such as whether there is a rule of sovereignty.

For instance, when we wrote Tallinn 2.0, the consensus was there is a rule of sovereignty that protected states against some form of remote cyber operations. Since then, the United Kingdom has adopted a different position, and we need to highlight it since our commitment was to set forth all reasonable views. Even though I disagree with the UK assertion, that nation’s view deserves to be reflected in the Manual for other states to consider.

In addition to diplomatic law, human rights, and sovereignty, the rule of intervention will need to be re-examined in light of election meddling by cyber means, and the rule of due diligence, which not all states agree is a rule, will need to be assessed more thoroughly. After a couple of years of work, we will reconvene a group of experts of different compositions because we’ll have a different emphasis this time. We also intend to have a state engagement process hosted by some nation or nations. We haven’t identified those yet.

VI: In recent years we’ve seen a proliferation of ransomware and cyber attacks coming from non-state actors, from individuals, from who knows where. A case that received a good deal of attention was a cyber attack against Sony Pictures allegedly because they released a film that insulted the North Korean leader. There are increasing ransomware cyber attacks against hospitals, municipalities, and companies - there are some estimates of more than 4000 per day.

How should these kinds of cyber operations be categorized and dealt with?

Michael Schmitt: They illustrate that the problem of attribution is multifaceted and merits much more attention. What many folks miss is there are three kinds of attribution. There’s technical attribution where a technical expert opines, “They did it.” Techies set a very high bar for attribution.

There is also political attribution. Governments have accused other governments of being behind hostile cyber operations on numerous occasions. The United States, for instance, attributed the Sony hack to North Korea. Political attribution doesn’t have to reach any evidential threshold because there’s nothing unlawful about state A accusing state B of unlawful behavior. Even if the accusation is malicious and false, it is lawful. There are political costs if you get caught misattributing, but not legal ones.

Then there’s what we address in the Manual - legal attribution - a complex topic. We looked to the International Law Commission’s Articles on State Responsibility (a restatement of the customary law) as our primary source of guidance on legal attribution. Under the law on state responsibility, there are various ways that a cyber operation can be attributed to a state, such that you may say the state mounted the operation as a matter of law. The most common is when an organ of the state, like an intelligence agency, conducts it. Additionally, when non-state actors operate according to the instructions, direction, or control of a state, the operation is attributable to that state.  

Since most international law rules can only be violated by states, the first question you need to answer when considering a hostile cyber operation is always who did it? If attributable to a state under one of the attribution rules,  the response options are more robust than would otherwise be the case. For example, operations known as countermeasures, which are those that would be unlawful but for the fact that they are designed to cause another state to desist in its unlawful activities against the state taking the countermeasure, are only available if the operation can be legally attributed to a state. Absent attribution, a state is often limited to responding through law enforcement.

The United States has taken this route numerous times through indictments of individuals from China, North Korea, Iran, and Russia. In certain exceptional cases, a state may also look to a right in international law called the “plea of necessity.” It allows a state to take otherwise unlawful actions like a hack back into another country in response to situations that pose a “grave and imminent peril” to the state's “essential interests." This is so even if the state into which the response is launched had nothing to do with the original hostile operations. And in some cases, a state may be able to look to the law of self-defense as the basis for a response, even a forcible one, when the consequences of a cyber attack are severe enough.

Once you get over the attribution hurdle, the question is whether the hostile cyber operation breached any legal obligation owed to the victim state. Take a recent example, espionage targeting vaccine development by private companies. The basic rule is that espionage is not a violation of international law, per se. 

However, companies that were affected by the espionage now have a problem. They cannot rely on their systems to provide reliable data because they are not sure what the intruders have done inside their networks. When they are testing the viability of a vaccine, for example, they need to know with absolute certainty that their system generates accurate results. They may need to replace the machines or delay vaccine testing while security is ensured. If so, some people in a pandemic that might otherwise have received the vaccine sooner will become ill. 

This raises the question of whether the espionage violated the target state’s sovereignty, for countries that believe there’s a rule of sovereignty agree that a cyber operation causing physical damage or illness is a breach of sovereignty. Does replacement of affected systems qualify as damage, such that the target state has been the victim of a breach of its sovereignty? What about any illness indirectly caused by a delay of the vaccine program? 

This simple example illustrates the complexity of the rules when applied to cyberspace. Our challenge is not identifying whether international law rules apply in cyberspace. We’re well beyond silly characterizations of cyberspace as a Wild West in which there is no law. The question is, how does it apply, given the unique characteristics of cyberspace?

Another contemporary example of the complexity deals with elections. To the extent one state is manipulating cyberinfrastructure used by another for elections, it’s evident that the operation is both a breach of sovereignty based on interference with an “inherently governmental function” (elections) and  intervention into its internal affairs.

But what if the other state, as Russia has, engages in a campaign of false news? Is that somehow a violation of sovereignty or intervention? We have recently had plenty of our own people putting out fake news, some in very high places. Does the fact that another state is doing it matter? What if the other state’s operatives are pretending to be Americans? Does that change matters?

There was a very interesting incident in 2016 in which Russia used social media to create the impression that Americans could vote for Hillary Clinton via text message. Persons who were fooled believed they had voted but had not. I would say that the operation was a sovereignty breach and wrongful intervention, but others might disagree. Until states begin to opine on how these rules should be interpreted in the cyber context, which some states have started to do, we’re not going to be sure how to interpret them.

These are the questions Tallinn 3.0 will tackle. Many events need to be examined and given a fresh look – COVID cyber interference, human rights abuses online, diplomatic law violations, remote election interference, and the extensive use of cyber on the battlefield, to name a few. 

As importantly, the experts who drafted the Manual were committed to the premise that states are the ones with the authoritative vote. Since states are beginning to speak to the issue of international law in cyberspace with greater granularity, we agreed the time was right to take on these new issues. Tallinn 2.0 is slowly losing its contemporary feeling. For example, the COVID situation presents a whole new set of circumstances that Marko Milanovic and I have written about in the Journal of National Security Law & Policy. None were addressed directly in 2.0.

VI: Talking about new situations - in recent months the biggest thing concerning the security community is the SolarWinds cyber breach. This is another very complex case where an external actor- to be identified at some point although most believe it was the work of the Russian SVR -  hacked into a SolarWinds’ software update that migrated to Microsoft and eventually provided “backdoor” access to the computer systems of over 18,000 government agencies and private companies. Whether this is just an espionage operation or will eventually lead to potentially very damaging intervention remains to be seen.

This extensive cyber breach caused lots of comments. Some stated this was an external attack on the US that constituted a cyber Pearl Harbor - a definite act of war that demanded retaliation. Others have been less extreme, but all agree this event is yet another wake-up call about vulnerabilities to cyber operations that could cause massive disruptions and harm to the nation. Can you give us your view on this event?

Michael Schmitt: When I began looking at media reports on SolarWinds, my first thought was, “Here we go again.” From a legal perspective, the characterization of the SolarWinds breach and other incidents by people in and out of government often fail to reflect the state of law. Recall the claims that SolarWinds was an “act of war.” Maybe it was a new form of virtual Pearl Harbor, as some asserted, but Solarwinds was not a new Pearl Harbor in international law terms. Pearl Harbor was an armed attack by one nation against another that initiated an international armed conflict. This was not.

Accordingly, options available in an armed conflict or when engaging in cyber operations at the armed attack level were all off the table. Nevertheless, many so-called experts talked about them irresponsibly in the narrative of war. Ditto with regard to retaliation. International law bars retaliation as such and wisely so. If you don’t have an international law violation to which you are trying to put an end, your response options are very limited.

One is where you engage in retorsion, which is an unfriendly but lawful act. An example would be President Obama’s 2016 response to the Russian election meddling – expulsion of Russian diplomats, closure of diplomatic facilities, the imposition of sanctions, and so forth. Without a clear violation of international law, retorsion is usually the answer when assessing how to respond.

Did the operations violate international law? Maybe, but remember, the vast majority of the operations were espionage, and espionage is lawful. Based upon open-source reporting, it struck me that the most likely violation, if any, was a violation of the sovereignty of the United States on two bases. One is that SolarWinds required replacing systems because we could no longer rely upon some of those affected. The other is that it interfered with some inherently governmental functions, particularly ensuring national security. Whatever the case, it is clear “They’re spying on us” is not a ground for labeling hostile cyber operations as unlawful. 

VI: In other words, there’s no international law that says that operations that create a potential to do future harm can be acted against?

Michael Schmitt: Yes, that’s right, At least there’s no international law to that effect yet. If states begin to interpret the rules in that manner over time, it could arguably become an authoritative interpretation. In light of cyberspace’s unique characteristics, I can imagine evolution in that direction. Yet, our closest ally, the United Kingdom, doesn’t even agree there’s a rule of sovereignty to violate. You can see the challenges of moving forward.

But SolarWinds should cause us to think harder about how we interpret the rules, such that we can, in good faith, say that a particular interpretation not only suits our national security interests but also is appropriate as a matter of law. 

I see SolarWinds as particularly interesting because we, together with countries that share our values and commitment to democracy and human rights, also engage in robust cyber espionage. This means that we need to be careful about the position we adopt, for by the principle of sovereign equality in international law, the law binds all states equally. Thus they need to interpret international law as prohibiting certain hostile cyber operations while still allowing them the leeway to maintain their national security; that is difficult to do.

It’s also, by the way, a dynamic that we experience at the domestic level. After Snowden and similar revelations, we throttled back on government agencies’ ability to monitor cyberspace in the United States. We did that for a good reason, but we gave up ground in terms of maximizing security. Finding that balance at both the domestic and international level is challenging.

VI: Mike – we are coming to the end of our time. Thanks for this in-depth discussion about how cyber operations directed at the security of nations has gotten the attention of governments and societies. We are deeply in the era of the “Internet of Things” with an estimated 15 billion devices now in the world. In another ten years, there will be perhaps 30 billion devices all able to be hacked into and compromised for malicious purposes.

There is much work to be done to understand and respond to this new reality. I appreciate the work you and your colleagues around the world are doing to put the cyber phenomenon into context and think about how the global society can thoughtfully prepare and respond. 

Michael Schmitt: I couldn’t agree more. The real challenge is the one you point out. We’re trying to understand the law, as that very law is undergoing a continuous process of normative evolution. It is a daunting task but a necessary one.

Michael Schmitt is Professor of International Law at the University of Reading (UK); Francis Lieber Distinguished Scholar at West Point; Stockton Distinguished Scholar at the US Naval War College; and Strauss Center Distinguished Scholar and Visiting Professor of Law at the University of Texas.