Introduction
The rapid evolution of cyber capabilities has transformed the landscape of international conflict, blurring the lines between peace and war. In particular, grey-zone conflicts—characterised by hostile actions that fall below the threshold of traditional armed conflict—pose significant challenges to the application of international law. This essay explores the intersection of cyber operations and the legal threshold of armed conflict, focusing on the framework provided by the Tallinn Manual 2.0, a seminal work on the application of international law to cyber operations, authored by a group of experts under the leadership of Professor Michael N. Schmitt. As a student of international law with a focus on cyber security, this analysis seeks to evaluate how the Tallinn Manual 2.0 addresses the complexities of contemporary grey-zone conflicts. The essay will first outline the core principles of the Tallinn Manual 2.0, then examine its relevance to grey-zone cyber operations, and finally assess the limitations of its framework in providing clear legal guidance for state responses. By doing so, it aims to contribute to the ongoing discourse on the legal and practical challenges posed by cyber warfare in modern international relations.
The Tallinn Manual 2.0: A Framework for Cyber Operations under International Law
The Tallinn Manual 2.0, published in 2017, represents a comprehensive effort to apply existing international law to cyber operations. Compiled by the International Group of Experts at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence, it builds on the original 2013 manual to address a broader range of cyber activities, including those in peacetime and below the threshold of armed conflict (Schmitt, 2017). The manual is non-binding but offers authoritative guidance by interpreting principles such as sovereignty, the use of force, and the law of armed conflict in the cyber domain.
One of the manual’s key contributions is its clarification of when a cyber operation constitutes a use of force under Article 2(4) of the UN Charter. Rule 69 of the Tallinn Manual 2.0 stipulates that a cyber operation qualifies as a use of force if its scale and effects are comparable to those of a kinetic attack (Schmitt, 2017). This effects-based approach focuses on the consequences of an operation—such as physical damage, injury, or death—rather than the method of attack. For instance, a cyber operation that disables critical infrastructure like a power grid, leading to widespread disruption, could arguably cross this threshold. However, the manual acknowledges the ambiguity surrounding operations that cause economic or political harm without direct physical effects, a common feature of grey-zone conflicts.
Cyber Operations in Grey-Zone Conflicts: Challenges to Legal Categorisation
Grey-zone conflicts, often involving state-sponsored cyber operations, exploit the legal ambiguities between war and peace to achieve strategic objectives without triggering outright armed conflict. These operations typically include disinformation campaigns, intellectual property theft, and interference in democratic processes, as seen in the alleged Russian interference in the 2016 US presidential election (Mueller, 2019). Such actions challenge the traditional paradigms of international law, which are rooted in clear distinctions between armed conflict and peacetime activities.
The Tallinn Manual 2.0 provides some guidance in this context by addressing cyber operations that do not meet the use-of-force threshold. Under Rule 66, the manual asserts that states retain sovereignty over their cyber infrastructure, meaning that any unauthorised cyber intrusion could constitute a violation of sovereignty (Schmitt, 2017). This principle is particularly relevant to grey-zone activities, where states may conduct cyber operations to undermine another state’s autonomy without causing physical harm. For example, persistent low-level cyber intrusions into government systems, as reportedly conducted by certain states against their adversaries, might breach sovereignty even if they fall short of armed conflict.
However, the application of these rules remains problematic. Determining whether a cyber operation violates sovereignty often depends on subjective assessments of intent and impact, which are difficult to verify in the opaque cyber domain. Furthermore, the manual does not fully resolve the question of proportionality in response to such violations, leaving states with limited legal clarity on how to address grey-zone cyber threats without escalating tensions.
Limitations of the Tallinn Manual 2.0 in Addressing Grey-Zone Conflicts
While the Tallinn Manual 2.0 offers a robust starting point for interpreting international law in cyberspace, it exhibits notable limitations when applied to grey-zone conflicts. First, the manual’s focus on effects rather than intent can be problematic. Many grey-zone cyber operations are designed to avoid detectable physical damage, instead causing cumulative economic or societal harm over time. For instance, sustained cyber espionage or disinformation campaigns may destabilise a state without ever crossing the threshold of a use of force, leaving the targeted state with few legal options under the manual’s framework.
Second, the manual struggles to address the issue of attribution. Cyber operations in the grey zone are often conducted through non-state proxies or masked through technical means, making it challenging to definitively attribute responsibility to a state actor (Rid and Buchanan, 2015). Rule 15 of the Tallinn Manual 2.0 states that a state may be held responsible for cyber operations conducted by non-state actors under its control, but it provides little practical guidance on how to establish such control in a domain where anonymity is the norm (Schmitt, 2017). This gap is especially pertinent in grey-zone conflicts, where plausible deniability is a deliberate strategy.
Lastly, there is the issue of enforcement. Even when a cyber operation is identified as a violation of international law, the manual does not address the mechanisms for holding perpetrators accountable. The lack of an international consensus on cyber norms, combined with the reluctance of states to escalate tensions over intangible harms, often results in impunity for grey-zone actors. This limitation underscores the need for supplementary legal and diplomatic tools to complement the Tallinn Manual’s framework.
Conclusion
In summary, the Tallinn Manual 2.0 provides a critical foundation for applying international law to cyber operations, particularly through its effects-based approach to defining the use of force and its recognition of sovereignty in cyberspace. However, its application to grey-zone conflicts reveals significant challenges, including the difficulty of categorising non-physical harm, the problem of attribution, and the absence of enforcement mechanisms. As cyber operations continue to play a central role in modern geopolitical rivalries, these gaps highlight the urgent need for further development of international norms and legal instruments. For students and practitioners of international law, including those studying under frameworks influenced by Professor Schmitt’s expertise, the Tallinn Manual 2.0 remains an indispensable tool, yet it must be approached with an awareness of its limitations. Future efforts should focus on clarifying the legal status of grey-zone cyber activities and fostering international cooperation to ensure accountability, thereby reducing the risks of escalation in an increasingly contested domain.
References
- Mueller, R. S. (2019) Report on the Investigation into Russian Interference in the 2016 Presidential Election. U.S. Department of Justice.
- Rid, T. and Buchanan, B. (2015) Attributing Cyber Attacks. Journal of Strategic Studies, 38(1-2), pp. 4-37.
- Schmitt, M. N. (ed.) (2017) Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Cambridge University Press.
