Legal scholars set guidelines for cyber skirmishes in Tallinn Manual
NEW YORK — After President Obama publicly blamed North Korea for a computer attack on Sony Entertainment and vowed the United States would respond in some fashion, that country’s Internet service went out for more than nine hours.
No one knew whether the United States caused the outage. But if it did, the administration could have been justified in taking credit publicly, said Michael Schmitt, director of the Stockton Center for the Study of International Law at the Naval War College in Newport, R.I.
“In my view, they violated our sovereignty,” Schmitt told the Tribune-Review. “It would have been entirely permissible of us to say, ‘… We responded because we don’t want you to do this again.’ ”
In addition to his job as a law professor, Schmitt has been working for the NATO Cooperative Cyber Defense Center of Excellence in Tallinn, Estonia. He heads a group of 20 international scholars who work to expand the Tallinn Manual, a set of legal guidelines for nations to follow in online skirmishes.
A first edition of the manual, released in 2013, focused on acts of cyber warfare. Tallinn 2.0, due in fall 2016, looks at events “below the threshold” of war, which take place more frequently among nation-states.
Estonia was the victim of crippling computer attacks in 2007 that shut down the government, banks, communications and other businesses. Since then, NATO has established a military center in Estonia to study cybersecurity among its member nations.
Having the manual back then would have helped the country know how to respond to the attacks, said Liis Vihul, an Estonian who is the project manager and a senior analyst in the Law and Policy Branch of the NATO center.
“We now know something like this can happen again,” she said. “We’re certainly much better prepared for something like that. And we know that it wasn’t as bad as it seemed when it happened.”
The updated manual will contain guidelines for incidents such as the Sony Entertainment hack a year ago, human rights issues, a country’s obligations to prevent hacking within its borders and computer actions in space.
The manual is nonbinding, but it serves as direction for international leaders and could provide some perspective for United Nations experts who are working on a parallel project to set rules for online activities among countries. Participants in the Tallinn project come from the United States and other NATO countries, China, Japan and Belarus.
When Obama identified North Korea as the source of the computer breach at Sony, some lawmakers called for the United States to treat the hack as an act of war. At the Army War College in Carlisle months later, some analysts compared the incident to a foreign country detonating a bomb and causing physical damage.
The two things are not equal, Schmitt told the Trib. He said the Sony attack was a violation of the United States’ sovereignty that could have triggered a response, but an appropriate one.
“I don’t think we have the right to send in the Seventh Fleet against North Korea to put an end to the attacks,” Schmitt said, “and the reason is because even though it may have been to some degree destructive, which is usually the threshold, there is the de minimis standard.”
In other words, a large military response would be unreasonable. That doesn’t mean the United States could not have done anything, he said.
Even acts that are normally unlawful among countries can be justified to stop an adversary from an unlawful act, Schmitt said. So if North Korea invaded the United States’ sovereign territory, the United States could react by hacking the attackers or a target in North Korea, or taking some other proportional military response, he said.
“You don’t have to actually even target the people shooting at you in cyberspace,” Schmitt said. “You just have to increase the pain level to where they comply with law. And as soon as they start to comply with law, then it’s over.”
The challenge of deterring adversaries in cyberspace is that the United States hides much of its online capabilities. The country cannot tip its hand about what it can do online, Adm. Mike Rogers, head of the National Security Agency and U.S. Cyber Command, said during a recent visit to Pittsburgh.
So how does a country signal to attackers that it has the ability to strike back?
“If you want to have deterrence value in (cyberspace), you don’t necessarily have to carry out a counterattack — but you have to show you’re capable of doing it and you’re contemplating it under certain circumstances,” said Rhea Siers, a former National Security Agency policy analyst who is a scholar-in-residence at George Washington University’s Center of Homeland Security in Washington.
Most hackers assume the United States has the capability, but they don’t know exactly what the country can do. The broadening discussion on the United States’ potential responses to computer attacks helps clarify what would happen in response to incidents, Schmitt said.
“This countermeasure stuff is the most important work we’re doing,” he said. “It’s what opens the door to us robustly defending ourselves.”
Andrew Conte is a Trib Total Media staff writer.