The 300-page document recently published by the Cooperative Cyber Defense Center for Excellence (NATO CCD COE) has prompted a reaction from several Russian agencies, from the Foreign and Defense ministries to the Security Council and the special services.

The document is called the “Tallinn Manual of Cyber Warfare” for a reason. The CCD COE was opened in the Estonian capital in 2008, one year after the Bronze Soldier affair and massive hacker attacks on Estonian websites. Estonia declared itself to be the first victim of an interstate cyber conflict and accused Russia as the aggressor, though proof of Moscow’s involvement has yet to be provided.

The Tallinn Manual describes, for the first time, what actions states and military alliances should take in the event of larger-scale attacks. It argues that the existing international legal rules (notably, international humanitarian law) are applicable to cyberspace. Thus, no new laws are needed, contrary to the position taken by Russia and some other states.

The Manual describes such attacks as “unlawful” if carried out in the absence of military actions. The victim state can respond to such an attack either by bringing the aggressor to account or by resorting to “commensurate counter measures.”

The authors stress that, depending on the scale and nature of the consequences (loss of life, damage or destruction of facilities), an attack in peacetime may be equated to “use of force” or an “armed attack,” entitling the victim state to defend itself, including through the use of traditional weapons.

The Manual’s biggest section is devoted to cyberattacks that accompany traditional armed conflicts. The authors believe such attacks are covered by all the provisions of humanitarian law, including the qualification of the participants and organizers of computer sabotage as combatants who may be taken prisoner or eliminated.

The Tallinn Manual met with a highly positive reaction in the West, with many American experts noting that its key ideas reflect Washington’s view that no new laws need to be created for cyberspace.

The Russian authorities — especially the military — have taken a very guarded view of the Tallinn Manual. Moscow thinks its publication marks a step toward legitimizing the concept of cyberwars.

Russian Defense Ministry spokesperson Konstantin Peschanenko came out with a statement to this effect in April. He was backed by Russia’s Roving Ambassador, Andrei Krutskikh, who said that, while Russia is trying to prevent militarization of cyberspace by urging the international community to adopt a code of conduct in this sphere, the United States and its allies are already agreeing the rules for prosecuting cyber warfare.

Some Russian experts, though, see some pluses in the publication of the Tallinn Manual. Alexander Bedritsky of the Russian Institute for Strategic Studies points out that Moscow’s calls for a broad international discussion of the issues connected with the struggle between states in cyberspace were, for a long time, rejected by Washington. “The situation is beginning to change,” the expert noted.

Bedritsky does not believe the sides are likely to come to an agreement any time soon.

PIR Center expert Oleg Demidov believes a compromise is possible.

“If Russia and its allies see their mission as to prevent  interstate cyber conflicts and put these phenomena beyond the pale of acceptable international actions, the Tallinn Manual seems to answer the question: ‘What should be done if thunder strikes?’” he said. “These approaches can be mutually complementary.”

In the expert’s opinion, the Tallinn Manual, not being backed up by any international rules restraining states from launching cyberwars, may contribute to legitimization of cyber conflicts, “making them part of the system of international relations in the 21st century, as a permissible means for pursuing foreign policy goals and ensuring national interests.”

“There needs to be a balance in the shape of the international legal restrictions on which Russia insists,” said Demidov.

Even so, although the positions of Russia and the U.S. (along with NATO) on the legal aspects are wide apart, there are signs that the gulf is narrowing in practical terms. According to Kommersant-Vlast, a number of intergovernmental agreements on confidence measures in cyberspace are to be signed during the June meeting between President Putin and President Obama.

The artice is first published in Russian in Kommersant Daily.  

Notorious cyberattacks in the recent past

By Anton Mukhatayev, Kommersant-Vlast

Source: AP

The number of cyberattacks has been growing since the 2000s. Source: AP

1. In April 2007, amid riots sparked by relocation of the Bronze Soldier monument in Tallinn, websites of the Estonian government and other government agencies were targeted by major cyberattacks. Foreign Minister Urmas Paet accused Russia of masterminding the attacks and called on the European Union to apply sanctions.

2. In early 2009, Pakistani hackers defaced vital Indian infrastructure websites, among which were those of a few financial agencies, including the State Bank of India. The attacks were carried out in response to demands by the Indian government that all terrorist camps in Pakistan be destroyed and the Mumbai blast suspects extradited.

3. In September 2010, Iran announced that some 30,000 computers in its centralized industrial computer network had been damaged by the Stuxnet virus. The worm also infected the local network of the Bushehr Nuclear Power Plant and shut down centrifuges at the Natanz nuclear facility. According to Iran, the virus was traced back to computers in Israel and Texas.

4. In January and September 2012, hackers targeted some of America's biggest banks, including Bank of America, BB&T, Capital One, Citi, and JPMorgan Chase. The U.S. government suspected that Iranian hackers, allegedly linked to the Iranian government, were behind the hacking, though Tehran denied this in a public statement and condemned the attacks.

5. In January 2013, The New York Times said it had been targeted by hackers from China for four months. According to the newspaper, the attacks might have been prompted by a report on an investigation by The New York Times into the “secret fortune” of the family of China's prime minister, Wen Jiabao.

In February, The Wall Street Journal, social networking services Twitter and Facebook, the U.S. Department of Energy, Apple and Microsoft also fell victim to attackers, leading the U.S. government to accuse China openly of the hacking attempts.

6. In March 2013, South Korea's banking system was paralyzed for several days, following a major cyberattack. Initially, the South Korean authorities traced the attack to China but later shifted the blame onto North Korea.

7. In May 2013, the Pentagon said in a report to U.S. Congress that North Korea was using small-scale attacks to gain psychological advantage in diplomacy. According to South Korean intelligence, North Korea is training hackers at special military schools. North Korea has denied the allegation.

8. In February-May 2013, the Anonymous “hacktivist” group that hit the Federal Reserve network (gaining access to the details of 4,000 bank executives) and the Syrian Electronic Army hackers joined the attacks on the United States. Among other targets, hackers from Syria attacked Western media, including the Guardian, Financial Times, the BBC and AP.

In the case of AP, hackers compromised the agency's Twitter account by publishing a misleading tweet on a White House blast, which caused the U.S. stock exchanges to take a temporary dive.

First published in Russian in Kommersant-Vlast magazine