
War in cyberspace: The rules of engagement are what matter

N4nk3r ph3193 Security researcher

Law in cyberspace isn’t the same as law in the real world. Some real-world legal frameworks don’t work as well as they could when they get extended to the Internet. The law of war, as defined by the four Geneva Conventions and the three Additional Protocols, is a good example of this.

The Geneva Conventions provide a framework under which many nations have agreed to fight wars. They specify which ways of responding to an armed attack are acceptable and which aren’t. Note that’s “armed attack,” not “act of war.” Armed attacks are what the Geneva Conventions talk about. Acts of war are what politicians talk about to score political points.

When politicians say that their country will treat a cyber-attack on it as an act of war, that’s an intentionally vague statement that doesn’t really mean anything. Treaties tell you how you can respond to armed attacks; they don’t say anything about acts of war. So the right question to ask is whether or not cyber-attacks count as armed attacks, and how cyber-attacks can be understood within the framework that existing treaties provide.

The Tallinn Manuals

Representatives from the NATO countries did a thorough review of this question and published their results in the Tallinn Manual (2013) and the Tallinn Manual 2 (2017), both named for the city in Estonia where the projects were based. (A Tallinn Manual 3 is in the works and should be published in 2026.) What the original Tallinn Manual found, roughly, was that if the effects of a cyber-attack are comparable to a conventional (“kinetic”) attack, then it counts as an armed attack and the existing law of war gives a framework for acceptable ways to respond. 

Unfortunately, this doesn’t cover most cyber-attacks. Kinetic attacks destroy things; most cyber-attacks don’t. If you’re hit by ransomware, the effects are very different from those of a cruise missile hitting one of your data centers. In one case, your computers are destroyed; in the other, they just need to have software reinstalled. And because the effects are so different, it’s not clear that the existing law of war tells governments what are and are not acceptable ways to respond to cyber-attacks unless they cause serious physical damage.

Such attacks are rare. The 2014 cyber-attack on a German steel mill is one of the few instances. The Stuxnet worm of 2010 is thought to have had the objective of damaging Iranian centrifuges, but an analysis of Iranian purchases of centrifuges over time suggests that they did not increase after Stuxnet was released. So Stuxnet might not have caused any significant physical damage. (Although it's possible that maintenance issues with the Iranian centrifuges were so serious that they hid any damage caused by Stuxnet.)

The Tallinn Manual 2 tried to extend the Tallinn Manual’s interpretation of the Geneva Conventions to attacks that are less damaging than an armed attack. It doesn’t seem to do as useful a job of this as the first Tallinn Manual did. The first manual addressed a black-and-white issue, but the second set out to examine several shades of gray, and its conclusions are just as gray: "Maybe, maybe not" is one way to put it, but you could also say “It depends" or "Possibly.” I could have told you as much without a multi-year effort involving hundreds of people from dozens of countries.

It’s not clear how useful the Tallinn Manual projects were. They might reflect a minority opinion that doesn’t really matter. Only NATO nations were involved in writing the Tallinn Manuals, so lots of countries—including China, Russia, Israel, Iran, and North Korea—that probably have significant cyber-war capabilities didn’t participate. The NATO countries may think that a particular interpretation of the Geneva Conventions is valid in cyberspace, but if their adversaries there don’t see the same rules as applying, then it’s not clear how useful the Tallinn Manuals are.

But the Tallinn Manuals might still be useful in some ways. Most countries aren’t as powerful as the NATO countries or the other countries with significant cyber-war capabilities. If a cyber adversary decides to attack them, they don’t have the ability to retaliate like the stronger countries do. The best that most countries can hope for is that the more powerful ones generally follow the rules that treaties specify. From that point of view, the Tallinn Manuals might provide a reasonable way for less powerful countries to know what they should generally expect from the more powerful ones, even if the powerful countries don’t always follow the rules.

The final frontier

More recently, there has been lots of interest in developing space forces. When President Trump created the US Space Force in 2019, it was the butt of a lot of jokes, but other NATO countries were doing the same thing at the same time. Today, the UK has the UK Space Command, and the French and the Germans have similar organizations. (All of these were probably formed as a result of the 2019 London Declaration.) It certainly looks as if lots of governments see the control of space as being important to future conflicts. It’s more than an excuse to sell “Make Space Great Again” T-shirts.

Space might be the next part of cyberspace to see significant conflicts. And although many nations have kinetic weapons that could destroy enemy satellites in Earth orbit, there are good reasons to believe that these weapons would never be used in anger. The Earth’s orbit is now full of thousands of pieces of debris from the various satellites in its orbit and the spacecraft that were used to put them there. There is so much space junk that some people think a catastrophic cascade of collisions is inevitable. This is the Kessler syndrome, named after NASA scientist Donald Kessler who in 1978 suggested that it could become a problem for future use of space if the amount of debris in orbit gets too big, possibly making low-Earth orbit unusable for thousands of years. It's a good bet that the countries that have colonized that sphere are not going to want to hasten the Kessler syndrome.

So, if kinetic attacks aren’t what battles in space will be fought with, it’s reasonable to assume that cyber-attacks will be used there instead. A satellite exploded into thousands of fragments is a hazard to space navigation, but a satellite that suddenly de-orbits isn’t.

With the possibility of war in space comes the need to define exactly what behaviors are acceptable in space warfare and which ones aren’t. The good news is that there are a couple of efforts underway to do exactly that. The bad news is that whatever they finally produce may have the same limitations that the Tallinn Manuals do.

One of these projects is the Woomera Manual. This is being led by a group representing the University of Adelaide, the University of Exeter, the University of Nebraska, and the University of New South Wales — Canberra. The other project is the Manual on International Law Applicable to Military Uses of Outer Space (MILAMOS), led by McGill University. Neither has produced anything yet that the rest of us can look at, but it will be interesting to see what they come up with.

It certainly looks as if lots of governments see space as part of the future battlefield. And if combat in space ends up being limited to cyber warfare instead of the type that would trigger the Kessler syndrome, the technology that is developed for that cyber warfare could end up being used by nation-states in conflicts that take place back on terra firma.

Rules of space combat are key

Game theory tells us that it’s probably not possible to get all nation-states to agree to not develop cyber weapons for use in space. The situation resembles that of nuclear weapons—the first state to cheat wins, so a rational government would never agree to eliminate nuclear weapons. But if we can agree to a reasonable set of rules that nations need to follow for space combat, that would probably be to everyone’s advantage.

There are good reasons for national governments to want to gain control of space. Let’s see if the Woomera Manual and MILAMOS are good steps in that direction. They might create a useful legal framework within which to confine future cyber operations.
