The final version of a NATO document expected to shape cyber warfare policies among Western nations was published last week, clarifying when and how countries can legally conduct online aggression against one another.
Edited and published by the Cooperative Cyber Defence Centre of Excellence (CCDCOE) set up in Estonia, in 2008, the Tallinn Manual on the International Law Applicable to Cyber Warfare is available for free from Cambridge University Press.
A first draft was published in August last year, and is available online.
Twenty legal experts worked on the manual for three years, compiling 95 black-letter rules that address various topics such as sovereignty, the criteria to check before going to cyber war against a foe, state responsibility and international humanitarian law.
Spanning 215 pages, the Tallinn Manual makes it clear that a full-scale war can be triggered by network-borne attacks on computer systems and that civilian activists that participate in those are considered legitimate targets.
However, the manual specifically rules out state-sponsored attacks on critical civilian infrastructure. Nuclear power plants, hospitals, dams and similar are all out of bounds for cyber war, the manual states.
The CCDCOE is careful to note that the manual "is not an official document, but instead an expression of opinions of a group of independent experts acting solely in their personal capacity."
As such, the manual does not reflect official NATO doctrine.
Estonia was selected by NATO as the home for the CCDCOE after suffering large-scale online attacks originating from Russia in 2007 that targeted the country's government, financial institutions and media.
Full text of the Tallinn Manual on The International Law Applicable to Cyber Warfare below.