MOSCOW - Just a few months ago, NATO published the first-ever document meant to help establish international norms on cyber warfare. The document has already caught the attention of numerous Russian agencies – and not always in a good way.

The document is called the “Tallinn Manual on the International Law Applicable to Cyber Warfare,” and the appearance of Estonia’s capital in the document’s name is not coincidental. In 2007 there were massive hacker attacks on Estonian sites, and Estonia pointed the finger at Russia, making Estonia the first victim of a state-sponsored cyber attack. Moscow’s guilt was never officially proven, and Tallinn’s losses weren’t serious enough to warrant military defense. NATO’s Cooperative Cyber Defense Center opened in Tallinn a year later. 

The 300-page Tallinn Manual describes, for the first time, what actions alliance members should take in the case of a more serious cyber attack. The document argues that there are existing international legal rules that are applicable to cyber warfare. That is in direct conflict with the wishes of Russia and many other countries, which say that new laws are needed.

The document lists 95 existing laws that cover the use of information technology during conflicts. The NATO experts divided cyber attacks into different types and spelled out which rules would apply to each type of attack. 

For instance, for attacks carried out during peacetime, the attacked country can respond either by demanding compensation or with “proportional measures.” For example, if Uzbekistan carries out a cyber attack on a dam in Kyrgyzstan so that more water is released into the river, Kyrgyzstan could respond by attacking the Uzbek irrigation system.

The document’s authors stressed that depending on the scale and nature of the attack and the consequences (loss of life, damage or destruction of facilities) a peacetime cyber attack could be equated to “use of force” or an “armed attack,” which can be responded to with military force, including the use of traditional weapons.

The document states that a cyber attack could cause damages similar to attacks with chemical, biological or nuclear weapons. It also states clearly that the government who orders an attack is the one responsible, whether or not the attack is carried out from that country’s territory. If, for instance, North Korea hired Iranian hackers to infect computers in Saudi Arabia that would in turn infect U.S. computers, then the U.S. should respond against North Korea.

Legitimization of cyber warfare

The Tallinn Manual says that there have not been any cyber attacks that rise to the level of an act of war, although experts do point to one incident: the Stuxnet virus used to infect Iranian nuclear facilities in 2010. The document does not mention who might have been behind that incident, but most Russian authorities think it was the U.S. and Israel.

Many of the other stipulations are very similar to other international laws on warfare, such as forbidding attacks on civilians or civilian institutions such as hospitals.

In the west the Tallinn Manual received a warm welcome, and many experts have said that it matches Washington’s position on cyber warfare. Of course, non-NATO members were not part of the negotiations, so the document cannot be internationally binding or necessarily representative.

In Russia, officials are much less excited. Russia’s position is that cyber warfare should not simply be controlled – it should be completely forbidden. For Moscow, the Tallinn Manual marks a step toward the legitimization of cyber warfare.

From Moscow’s point of view, while Russia works to prevent the militarization of cyberspace by urging the international community and the UN to adopt a code of conduct, the U.S. and its allies are already working out the rules for prosecuting cyber warfare.

But many Russian experts also see an upside to the Tallinn Manual. Moscow has long tried to talk about cyber security and run up against an unwillingness to talk in Washington, but now that situation is starting to change, according to Aleksander Bedritsky, an expert at the Russian Institute of Strategic Research. Still, he thinks an agreement is unlikely. “It is much more likely that the U.S. and its allies will try to force its understanding of cyber security on others, and if there is no progress during negotiation they will blame Russia,” says Bedritsky.

In spite of the differences on legal matters, there are signs that Russia and the U.S. are getting closer to agreement on practical matters. Vladimir Putin and Barack Obama are planning to sign a number of bilateral agreements about security in cyberspace during their upcoming June meeting.

It’s also extremely unlikely that even if a large number of people in the U.S. were killed due to, for instance, a virus at a dam and the hackers were tracked to Russia, that the U.S. would immediately start seizing Russian computers. That would be allowed under the Tallinn Manual. According to the prepared agreements, they would at least call and ask for an explanation first.