Arming for Virtual Battle: The Dangerous New Rules of Cyberwar

James Lewis of the Washington-based Center for Strategic and International Studies (CSIS), one of the country's top cyberwar experts, is somewhat skeptical about the new manual. He sees it as "a push to lower the threshold for military action." For Lewis, responding to a "denial of service" attack with military means is "really crazy." He says the Tallinn manual "shows that you should never let lawyers go off by themselves."

Claus Kress, an international law expert and the director of the Institute for International Peace and Security Law at the University of Cologne, sees the manual as "setting the course," with "consequences for the entire law of the use of force." Important "legal thresholds," which in the past were intended to protect the world against the military escalation of political conflicts or acts of terror, are becoming "subject to renegotiation," he says.

According to Kress, the most critical issue is the "recognition of a national right of self-defense against certain cyber attacks." This corresponds to a state of defense, as defined under Article 51 of the Charter of the United Nations, which grants any nation that becomes the victim of an "armed attack" the right to defend itself by force of arms. The article gained new importance after Sept. 11, 2001, when the US declared the invasion of Afghanistan an act of self-defense against al-Qaida and NATO proclaimed the application of its mutual defense clause to come to the aid of the superpower.

Changing the Logic of War

The question of how malicious malware must be to justify a counterattack can be critical when it comes to preserving peace. Under the new doctrine, only those attacks that cause physical or personal damage, but not virtual damage, are relevant in terms of international law. The malfunction of a computer or the loss of data alone is not sufficient justification for an "armed attack."

But what if, as is often the case, computer breakdowns do not result in physical damage but lead to substantial financial losses? A cyber attack on Wall Street, shutting down the market for several days, was the casus belli among the experts in Tallinn. The US representatives wanted to recognize it as a state of defense, while the Europeans preferred not to do so. But the US military lawyers were adamant, arguing that economic damage establishes the right to launch a counterattack if it is deemed "catastrophic."

Ultimately, it is left to each country to decide what amount of economic damage it considers sufficient to venture into war. German expert Kress fears that such an approach could lead to a "dam failure" for the prohibition of the use of force under international law.

So was it an armed attack that struck South Korea on March 20? The financial losses caused by the failure of bank computers haven't been fully calculated yet. It will be up to politicians, not lawyers, to decide whether they are "catastrophic."

Just how quickly the Internet can become a scene of massive conflicts became evident this month, when suddenly two large providers came under constant digital attack that seemed to appear out of nowhere.
