Plans are underway to update a putative Geneva convention for cyberwar, put together by experts in international law and backed by an Estonian-based NATO-run military think tank.

The Tallinn Manual 2.0 is on track for publication in the second half of 2016, following a drafting conference of legal experts in the Estonian capital this week. The original manual provided a handbook on how principles of international law could be applied to conflict in cyberspace, which military strategists consider to be the fifth dimension of warfare (land, air, sea and space being the other four).

The original Tallinn Manual on the International Law Applicable to Cyber Warfare ruled that the Stuxnet worm may have been "armed attack", as previously reported. Victims of similar future attacks would be legally clear to retaliate proportionately in the immediate aftermath of an assault as an act of self-defence, in order to frustrate follow-up assaults.

If a hacker attack occurs after two countries become engaged in open conflict then the hackers behind the assault have effectively have joined hostilities as combatants. Furthermore hackers-for-hire are like mercenaries who "do not enjoy combat immunity or prisoner of war status,” the first edition of the Tallinn Manual rules.

Tallinn Manual 2.0 will expand the scope of the original manual to incorporate so-called peacetime international law, addressing incidents that states frequently face, such as human rights law, a particularly tawny subject. “The most difficult material proved to be international human rights law governing activities in cyberspace,” said Liis Vihul, managing editor of the Tallinn Manual and legal researcher at the Tallinn-based the NATO Cooperative Cyber Defence Centre of Excellence.

More specifically whether or not international human rights norms apply to activity such as the collection of metadata by the likes of the NSA and doubtless many of the more capable international signals intelligence agencies was debated by legal experts. “If the answer is yes, we then have to examine whether the state has actually violated the individual’s rights,” Vihul explained. “For instance, assuming the collection of metadata implicates human rights norms, under what circumstances is a state authorised to engage in such activities?”

Other topics up for debate on the draft included sections on diplomatic law, the responsibility of international organisations, international telecommunications law, and peace operations.

The Tallinn Manual 2.0, like its predecessor, aims to offer guidance on applying existing international norms to the cyberspace. Its rules and associated commentaries based on the consensus of an international group of legal experts.

“Our focus has to be practical – how existing international laws, treaties and norms regulate activities in cyberspace,” explained Professor Michael Schmitt, director of the Tallinn Manual project. “We do not hope to replace state legal advisers, but to offer a tool to give their clients good guidance. That is best accomplished by laying out all the legal options for them.”

The Tallinn Manual process is funded, hosted and facilitated by the NATO Cooperative Cyber Defence Centre of Excellence. The final Tallinn Manual international group of experts meeting is scheduled for March 2016.

More details on the Tallinn Manual 2.0 process and a short video featuring interviews with participants can be found here. ®