Washington D.C., April 24, 2019 – The Tallinn Manual 2.0 is the second edition of NATO’s Cooperative Cyber Defence Centre of Excellence’s analysis on the application of international law to cyberspace. The analysis rests on the idea that cyber operations do not occur in a legal vacuum, and preexisting obligations under international law apply equally to the cyber domain. As such, the Tallinn Manual 2.0 is broken into four parts with twenty chapters total, each examining a different area of existing international law. The first section deals with general legal principles, while the latter three sections address specific specialized legal regimes. Consistent with its premise, the Tallinn Manual 2.0 cites over a century’s worth of treaties and case law, extending the premises of international law principles and regimes to their applications in cyberspace. Presented below is a list of the cases and treaties cited by the Tallinn Manual 2.0, listed in order of appearance by chapter, which serves as both a reference guide for the manual itself, as well as to illustrate the diversity of law which governs cyber activities.
Part 1: General International Law and Cyberspace
1: Sovereignty
This chapter addresses the foundational legal principle of sovereignty. While cyberspace is often portrayed as a borderless “global common,” the Tallinn Manual 2.0 uses existing definitions of sovereignty and international precedence to delineate state sovereignty over cyber infrastructure, actors, and activities, and the attendant legal rights and responsibilities implied by sovereign cyberspace.
- Island of Palmas arbitral award
- Nicaragua judgment
- Corfu Channel judgment
- Wimbledon judgment
- Lotus judgment
- Kosovo advisory opinion
- Law of the Sea Convention
- Chicago Convention
2: Due diligence
“Due diligence” refers to the general international legal principle that states must exercise due diligence in ensuring that territory and objects over which they have sovereignty are not used to harm other states. This elaborates on the legal rights and responsibilities implied by sovereign cyberspace.
- Lotus judgment
- Island of Palmas
- Corfu Channel judgment
- Tehran Hostages judgment
- Nicaragua judgment
- Nuclear Weapons advisory opinion
- Genocide Convention
- Genocide judgment
- Trail Smelter arbitral award
- Armed Activities judgment
3: Jurisdiction
This chapter outlines state jurisdiction over cyber infrastructure, actors, and activities for both territorial and extraterritorial jurisdiction. Much as the first chapter delineates sovereign responsibility in a “borderless” domain, this chapter applies the definitions of jurisdiction in international law to the cyber domain.
- Lotus judgment
- Barcelona Traction judgment
- Arab Convention on Information Technology Offences
- Arrest Warrant judgment
- Law of the Sea Convention
- Vienna Convention on the Law of Treaties
- Rome Statute
- ICTY Statute
- ICTR Statute
- Certain Questions of Mutual Assistance judgment
4: Law of international responsibility
This chapter is divided into four sections. The first three deal with the responsibilities of states under customary international law, while the final section deals with the responsibilities of international organizations. Largely, this chapter deals with a state’s responsibility not to conduct internationally harmful cyber activities against other states. It addresses the questions of which states’ harmful actions can be legally attributed, what countermeasures are acceptable, and what are the obligations of states which do conduct internationally harmful acts.
- Hague Convention IV
- Additional Protocol I
- Oil Platforms judgment
- Application of the Convention on the Prevention and Punishment of the Crime of Genocide
- Tehran Hostages judgment
- Nicaragua judgment
- Wimbledon judgment
- Factory at Chorzow judgment
- Rainbow Warrior arbitral award
- Kosovo advisory opinion
- Lotus judgment
- Genocide Convention
- Genocide judgment
- Vienna Convention on the Law of Treaties
- Armed Activities judgment
- Vienna Convention on Diplomatic Relations
- Russian Indemnity arbitral award
- Nuclear Weapons advisory opinion
- Sempra v. Argentina arbitral award
- Air Services arbitral award
- Barcelona Traction judgment
- Furundzija judgment
- Namibia judgment
- Archer Daniels arbitral award
- Geneva Convention IV
- ICCPR
- Vienna Convention on Consular Relations
- Corfu Channel judgment
- Wall advisory opinion
- LG&E Energy Corp. v. Argentina decision on liability
- CMS v. Argentina arbitral award
- Barcelona Traction judgment
- Immunity of a Special Rapporteur advisory opinion
5: Cyber operations not per se regulated by international law
This chapter, as the title may imply, does not cite international law. It addresses primarily the questions of the legality of peacetime cyber espionage and the standing of actions by nonstate actors. As neither of these questions is addressed within the scope of international law, the Tallinn Manual 2.0 instead draws on other sources.
- No relevant case law citations.
Part 2: Specialised regimes of international law and cyberspace
6: International Human Rights Law
It is generally accepted that many of the human rights enjoyed by individuals offline also exist online. This chapter elaborates on this extension, pulling on the body of existing international human rights law to articulate online human rights and the obligations of states to those rights.
- Nuclear Weapons advisory opinion
- Wall advisory opinion
- ICCPR
- ACHR
- ECHR
- Genocide judgment
- United Nations Safety Convention
- Optional Protocol to the United Nations Safety Convention
- Armed Activities judgment
- Al-Skeini judgment
- ICESCR
- CERD
- CEDAW
- CRC
- Genocide Convention
- CRC Optional Protocol
- Ahmadou Sadio Diallo judgment
7: Diplomatic and consular law
The foundations of diplomatic and consular law are the inviolability of the physical premises of a diplomatic mission, its correspondence, and the immunity afforded to diplomatic personnel. This chapter extends that principle into the cyber domain. In a similar vein, this chapter discusses the extension of the obligations of diplomatic missions to refrain from activities inconsistent with their diplomatic function or incompatible with the laws and regulations of the host state in the cyber domain.
- Tehran Hostages judgment
- Vienna Convention on Diplomatic Relations
- Vienna Convention on Consular Relations
- Rome Statute
- Convention on Jurisdictional Immunities
- Nicaragua judgment
8: Law of the Sea
This chapter largely addresses a gamut of questions regarding the conduct of cyber operations on the seas, both the high seas and in exclusive economic zones, as defined by the Law of the Sea Convention. It extends both peacetime and wartime principles derived from the Convention to the cyber domain.
9: Air Law
Aircraft can serve as both a target of and platform for cyber operations. This chapter uses principles primarily derived from the Chicago Convention to clarify legal questions related to both roles, as well as the conduct of cyber activities in international airspace.
10: Space Law
This chapter overviews the application of the treaties governing states’ use of outer space to cyber operations. Much like the chapter overviewing Air Law, the Tallinn Manual 2.0 treats space, particularly satellites and other space objects, as both a platform and target for cyberattacks. It also details the state’s responsibility under the existing regime to supervise the activities of nonstate actors and state liability for the outcomes of cyber operations involving space objects.
11: International Telecommunication Law
States have preexisting obligations regarding the exchange of international telecommunications under the ITU Constitution and ITU regulations. This chapter extends those obligations to include cyber infrastructure for international telecommunications and details the implications of that extension.
- ITU Constitution
- ITU 1988 International Telecommunications Regulations
- ITU 2012 International Telecommunications Regulations
Part 3: International peace and security and cyber activities
12: Peaceful Settlement
This chapter is a brief discussion of the principle of peaceful settlement, which requires states to settle international disputes through peaceful means. This principle holds true for disputes involving cyber activities.
13: Prohibition of Intervention
States and the United Nations are expected not to intervene in the internal or external affairs of other states under international law. The Tallinn Manual 2.0 acknowledges that cyberspace creates new opportunities for states to intervene in others' affairs, but declares that international law prohibits this cyber intervention as much as any other kind.
14: The use of force
This chapter addresses questions relating to uses of force through cyber means. It defines when cyber operations constitute uses of force and iterates that the general international legal principle prohibiting the threat or use of force would cover such operations. The chapter is broken into two sections, with the second section addressing the interaction between the body of international law covering self-defense and its relation to cyber uses of force.
- Nuclear Weapons advisory opinion
- Nicaragua judgment
- Lotus judgment
- Oil Platforms judgment
- Wall advisory opinion
- Armed Activities judgment
- Nuremburg Tribunal judgment
15: Collective security
The United Nations Charter empowers the UN Security Council to determine the existence of threats to the peace and make recommendations or take measures to restore international peace and security. This chapter discusses the application of those powers in two senses. First, it addresses the UNSC’s right to determine that a cyber operation constitutes a threat to the peace. Second, it addresses the power of the UNSC to authorize cyber operations as a measure to restore international peace.
- Tadic decision on the defence motion for interlocutory appeal
- UN Safety Convention
- Optional Protocol to the UN Safety Convention
- Rome Statute
Part 4: The law of cyber armed conflict
16: The law of armed conflict generally
This chapter focuses on the general applicability of the laws of armed conflict to cyber operations. These applications hold true for cyber operations conducted as a part of larger-scale conflict as well as conflicts limited to cyber operations. It also outlines the applicability of the Geneva Conventions to cyber operations and individual criminal responsibility for cyber operations under international law.
- Geneva Convention I
- Geneva Convention II
- Geneva Convention III
- Geneva Convention IV
- Hague Convention IV
- Additional Protocol I
- Tadic, Appeals Chamber judgment
- Genocide judgment
- Lubanga judgment
- Tehran Hostages judgment
- Rome Statute
- Tadic, decision on the defence motion for interlocutory appeal
- Milosevic decision on motion
- Furundzija judgment
- Delalic judgment
- Haradinaj judgment
- Mrksic judgment
- Hadzihasanovic judgment
- Limaj judgment
- Akayesu judgment
- Additional Protocol II
- Krstic judgment
- ICTY Statute
- ICTR Statute
- Sierra Leone Statute
- Cultural Property Convention
17: Conduct of hostilities
This chapter is broken into nine sections: participation in armed conflict; attacks generally; attacks against persons; attacks against objects; means and methods of warfare; conduct of attacks; precautions; perfidy and improper use; and blockades and zones. It applies the body of customary international law governing hostilities to the use of cyber operations in warfare.
- Geneva Convention I
- Geneva Convention II
- Geneva Convention III
- Geneva Convention IV
- Additional Protocol I
- Tadic decision on the defence motion for interlocutory appeal
- Nuclear Weapons advisory opinion
- Galic Trial Chamber judgment
- St Petersburg Declaration
- Rome Statute
- Mines Protocol
- Vienna Convention on the Law of Treaties
- Delalic judgment
- Conventional Weapons Convention
- Amended Mines Protocol
- Martic judgment
- Hague Convention XIII
18: Certain persons, objects, and activities
The law of armed conflict sets out several specific classes of persons, objects, and activities that are provided special protections. Following from the general applicability of the law of armed conflict to cyber operations, these classes retain their protections against cyber operations as a part of armed conflict. This chapter is broken into ten sections: medical and religious personnel and medical units, transports, and material; children; journalists; installations containing dangerous forces; objects indispensable to the survival of the civilian population; cultural property; the natural environment; collective punishment; and humanitarian assistance.
- Geneva Convention I
- Geneva Convention II
- Geneva Convention III
- Geneva Convention IV
- Rome Statute
- Additional Protocol I and II
- Lubanga judgment
- CRC Optional Protocol
- Akayesu judgment
- Cultural Property Convention
- Environmental Modification Convention
19: Occupation
Despite the existence of sovereign cyberspace, there is no legal notion of occupation of cyberspace. However, international law does recognize the applicability of international law governing the obligations of states occupying physical territory to the cyber domain. Occupying powers have both the right to use cyber means to accomplish their responsibilities, and the responsibility to respect and protect protected persons in occupied territories from the harmful effects of cyber operations.
- Geneva Convention I
- Geneva Convention II
- Geneva Convention III
- Geneva Convention IV
- Armed Activities judgment
- Wall advisory opinion
- Additional Protocol I
20: Neutrality
The law of neutrality in international armed conflict regulates the relationship between parties of an armed conflict and states not party to the conflict. These regulations largely exist to protect neutral states, safeguard their rights, and protect the parties to the conflict against action or inaction benefiting their enemies. This chapter applies these principles to the cyber domain, protecting the cyber infrastructure of neutral parties and protecting the parties to the conflict from actions or inactions from neutral parties in the cyber domain.