For Rid, such an effort seems like an interesting exercise for legal scholars, but one with little practical application today. Notably, the authors of the manual could not agree on whether even Stuxnet—the outer limit of contemporary cyberattack—constituted an act of war. Rid sees this as proof that the conversation belongs in the realm of the hypothetical. “If they cannot agree on whether the most sophisticated attack that ever happened falls within the realm of their own document, then they are basically talking about a class of events above Stuxnet, and that class is empty,” Rid said.
But the lead author of the Tallinn Manual, Michael Schmitt, chairman of the international law department at the United States Naval War College, said that despite the ambiguity of some of his group’s findings, the laws of war are still the correct framework through which to understand these attacks. With cyberattacks on the rise, some emanating from state-sponsored entities, it’s important, Schmitt said, to understand what analogies exist with conventional warfare and where the divergences occur. On Stuxnet, Schmitt said, there wasn’t enough information to determine whether the virus could be considered an “armed attack”—a technical definition found in the United Nations charter—that would give Iran the right to respond with force.
Rid says he’s found some unexpected allies elsewhere in the defense establishment—namely, among the computer engineers actually tasked with implementing cyberweapons, often by military commanders who have unreasonable expectations about what is possible. “People who work for the Pentagon have come to me exasperated that their superiors are asking for a ‘cyber tomahawk missile,’” Rid said. “They are working under a false analogy that creates unrealistic ideas about what can be done.”
Some experts in cybersecurity agree, fearing that the broad embrace of cyberwar by the military establishment means that we’ve begun focusing on offensive operations without first making ourselves secure. “We’ve been investing in exploiting systems that are already vulnerable and broken instead of figuring out how to do security engineering right and build systems that are not so susceptible to hacking,” said Gary McGraw, the author of a number of books on cybersecurity. “We need a separation of powers so that the military leaders charged with offense aren’t the same ones also charged with our defense, because there is no way they can accomplish these two missions simultaneously.”
For Rid, these are problems rooted in our misguided urge to see cyberoperations as the newest military frontier. If nothing else, he wants to make people understand that hostility in the digital realm just does not line up neatly with the long human experience of warfare and its accompanying blood and destruction.
“I grew up in Germany, and we know what war looks like in that part of the world,” Rid said. “And cyberwar is just not the same thing as bombs destroying cities. We have to respect violence—and I say this both as a German and someone who has spent a long time in Israel. Real war is just something that is absolutely horrifying. Anyone who has been to a war zone understands that and knows the difference.”
Gal Beckerman is a journalist and author. His first book, “When They Come for Us, We’ll Be Gone: The Epic Struggle to Save Soviet Jewry,” was named a best book of the year by The New Yorker and The Washington Post in 2010, and has been released in paperback.