Cyber Attack Response for Idiots and Presidents

Late last year, Wikileaks began releasing illegally obtained emails from Democratic Party operatives that U.S. intelligence agencies claim were collected at the behest of the Russian government. The Obama Administration’s response was muted and somewhat delayed, partly for political reasons, partly because it was not totally clear what had happened, and partly because of a lack of clear legal guidelines governing cybercrime clapback. Now, months after the incident and in the wake of the expulsion of 35 Russian government employees from the United States, a new international guide dictating proportional responses to acts of cyber aggression has arrived. The Tallinn Manual 2.0, an update to a volume released in 2013, provides a rubric President Obama could have used in the lead-up to the presidential election. The manual is not too little, but it is arguably too late.

The original Tallinn Manual rapidly became the definitive guide to laws concerning state actions in response to cyber “uses of force” — exceedingly rare attacks that do things like shut down critical infrastructure or damage physical equipment. David O’Brien, a senior researcher at Harvard’s Berkman Klein cyber law center, describes it as “one of the most authoritative and comprehensive texts on the application of international law to cyberwar.” Within policy circles, the tome is ubiquitous.

In the next few months, the same will likely become true of the Tallinn Manual 2.0, which provides an equally authoritative guide to reacting to the sorts of less lethal cyber attacks that occur on a regular basis — including the sorts of spear-phishing attacks that pulled in former Obama counselor John Podesta.

“There are basically two issues here,” says Dapo Akande, a professor of international law at Oxford University and part of the brain trust that helped NATO’s cyber defense center draft the Tallinn Manual 2.0. “Does the Manual deal with state-sponsored attacks? And does the Manual deal with attacks against civilian infrastructure? The answers are ‘Yes,’ and ‘Yes.’”

The first of these two challenges, that of attributing a confirmed attack to a particular state, is clearly extremely difficult. There are now guidelines for what sort of evidence might be needed to prove an attack, but the lack of clarity around Russian interference in U.S. elections has made it clear how hard it can be to reach even low standards of evidence. On the international stage, not even the U.N. really functions as an ultimate arbiter that can deem a U.S. intelligence report superior to a Russian one. Disagreement over fundamental facts remains an important issue because states tend to act on their own understandings of the truth. That means that Tallinn 2.0 is most trenchant when it’s providing states with guidance on how to react to what they believe to be confirmed, state-sponsored cyberattacks.

Where Tallinn 1.0 created a rubric for a state to respond in kind — you hack my electrical grid, I blow up your water purification plant with a missile — Tallinn 2.0 pursues a fuzzier sort of parity.

On the lowest end, there is so-called “retortion,” in which nations take unfriendly but legal actions. Obama expelling diplomats would be a good example. Still, a state-sponsored cyber attack against a major election is no small thing, and few countries would be willing to let it go for nothing more than an empty embassy or two. Thankfully, according to Akande, “a state can itself engage in unlawful acts in response to unlawful acts that it has received.”

These lawful-unlawful responses of course include direct tit-for-tat cyber attacks, as seen in the many U.S. threats to hack Russian President Vladimir Putin’s communications, but there’s no requirement for perfect proportionality. If the U.S. thinks meddling in its electoral process is roughly equivalent to, say, downing every non-essential Russian government network for a while, that would be allowable, as well.

The U.S. retaliation could also take a far different form than the attack to which it is responding — it wouldn’t even really have to be cyber in nature. Though a non-lethal cyber attack wouldn’t allow a lethal military strike in response, the U.S. could still take more conventional steps like issuing trade restrictions or asset freezes that would otherwise be illegal due to treaties.

It’s notable that these potential responses are very similar to those that were recommended to the Obama Administration by members of the media and, reportedly, by security officials. Cyber attacks like the DNC hack “look much more like espionage” than warfare), according to O’Brien, and the Tallinn Manual 2.0 is one of the first real attempts to turn the “norms” that have always governed espionage into something approaching real law.

“You have to wonder whether the Obama Administration would have reacted differently to the situation with speedier responses or different types of responses,” O’Brien wrote in an email to Inverse. “I suspect so.”

Still, it’s not totally clear that U.S. would want the Tallinn Manual 2.0 to bring contrast to the legal gray area that exists around cyber attacks and cyber espionage. “The lack of clear lines is as much a feature as it is a bug,” O’Brien explained. “Blurry lines enable espionage activities, and also prevent incidents from escalating out of control into armed conflict by providing an out.”

This is why both the original Tallinn Manual and its 2.0 sequel required long, torturous, and ultimately non-binding negotiations. As terrified as states are of a potential cyber war, nobody wants to tie their own hands, going forward. “The scale and scope of what was attempted [at the DNC] probably pushes this event towards the more extreme end of the spectrum,” O’Brien noted, but even extreme events present conflicting priorities on the international stage.

It’s important to remember, he pointed out, that the U.S. also engages in precisely this sort of cyber espionage all over the world.