Advising on cyber operations begins with a principle that settles a lot of confusion: cyberspace is not a legal vacuum. Existing international law applies to cyber operations just as it applies to other state conduct. So the legal advisor’s job is not to invent rules for a new domain but to apply established law, the law on the use of force and the law of armed conflict, to acts carried out by digital means. The hard part is the thresholds.
The starting premise: existing law applies
The leading academic reference, the Tallinn Manual (and its expanded successor, Tallinn Manual 2.0), was produced by an international group of experts at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence. Its central proposition is that preexisting obligations under international law apply to the cyber domain. It is important to be precise about its status: the Manual is non-binding scholarly analysis, not a treaty, so it guides interpretation rather than imposing law on its own.
The thresholds that drive the analysis
The advice turns on classifying a cyber operation against familiar legal lines:
- Sovereignty and below-threshold acts. Many cyber incidents fall below the level of force entirely. Tallinn Manual 2.0 specifically addressed these day-to-day operations, where sovereignty, state responsibility, and other peacetime rules apply.
- The use-of-force and armed-attack thresholds (jus ad bellum). The original Manual focused on the most severe operations, those that may violate the prohibition on the use of force, or rise to an armed attack entitling a state to act in self-defense. Deciding whether a cyber act crosses these lines is the central jus ad bellum question.
- The law of armed conflict (jus in bello). When a cyber operation occurs in the context of an armed conflict, international humanitarian law applies, including its core principles governing the conduct of hostilities.
So the analysis is one of classification: where does this operation sit, below the use of force, at the use of force or armed attack, or within an armed conflict, and which body of law follows from that placement?
What the advisor actually provides
In practice the legal advisor helps decision-makers characterize a contemplated or observed cyber operation, identify the applicable framework, and understand the limits and authorities that flow from it, while flagging genuine areas of disagreement among states and experts, which in this field are real.
Consider a cyber operation that disrupts a power grid: the attorney classifies it by threshold, asking whether it amounts to a use of force, since existing international law applies to the cyber domain.
The bottom line is that cyber-warfare advising is the disciplined application of existing international law to a new medium. The premise is that the law already applies, the work is classifying the operation against the use-of-force, armed-attack, and armed-conflict thresholds, and the Tallinn Manual serves as an influential but non-binding guide to how those rules translate into cyberspace.
Frequently Asked Questions
Is there a special body of law just for cyber warfare?
Not a separate treaty regime. The prevailing view is that existing international law, including the rules on the use of force and the law of armed conflict, applies to cyber operations.
What is the Tallinn Manual?
A non-binding academic study, produced under the NATO Cooperative Cyber Defence Centre of Excellence, analyzing how international law applies to cyber operations; it guides interpretation but is not itself law.
Why do thresholds matter so much?
Because the applicable rules depend on whether a cyber operation is below the use of force, rises to a use of force or armed attack, or occurs within an armed conflict.
This article is general information about international law and cyber operations. It is not legal advice and does not create an attorney-client relationship. This is a contested and evolving area and the law can change. It describes the field in general terms only.
Sources