with Aaron Schaffer

Top international legal experts are beginning work on a five-year project to hammer out what’s in and out of bounds in international cyber conflict.

The result will be the third version of a NATO-sponsored document called the “Tallinn Manual on the International Law Applicable to Cyber Operations.” The manual isn’t legally binding, but government lawyers in the United States and elsewhere are increasingly pointing to it as they debate which offensive hacks are legally defensible and when it’s appropriate to retaliate.

This will be the first update since 2017 and the authors aim to incorporate vast changes in how nations treat hacking, brought on by a string of major attacks including Russian interference in the 2016 election and criminal ransomware attacks that have threatened economic security and public safety. 

The authors hope their work can set clearer boundaries and reduce the chances of escalating and destabilizing hacking contests – especially between nations with the most advanced cyber skills, such as the United States, Russia and China.

“I'm not naive. I get that the law will be violated... But at least having rules of the game would add some stability,” Michael Schmitt, director of the Tallinn Manual project and a law professor at the U.S. Naval War College, told me. 

As the manual has evolved, cyber conflict has grown increasingly dangerous and costly. 

But the idea there are some rules of the road in cyberspace and red lines that nations shouldn’t cross has gained a lot of purchase. 

Before Schmitt and his colleagues started compiling the first volume in 2009, cyberspace was widely viewed as a lawless Wild West where only might made right. By the time the second volume came out in 2017, experts generally agreed that international law exists in cyberspace just as it does on land and at sea — even as nations and experts argued about the details.  

As the authors begin work on the third edition, due out in 2026, the Biden administration is pushing for far stricter hacking rules.

After meeting with Russian President Vladimir Putin in Geneva last week, President Biden called for a broad agreement that declares critical infrastructure such as pipelines, airports and water systems are out of bounds from cyberattacks. He threatened to punch back in cyberspace and elsewhere if Russia doesn’t comply. 

Biden also threatened consequences if Russia doesn’t rein in criminal hackers that operate on its territory, including groups that locked up computers and held them for ransom at Colonial Pipeline and the meat processor JBS.

The Kremlin has a long history of testing global hacking norms. 

But its hackers tend to stop just short of brazenly violating widely established rules. 

So, if the United States and its allies can make clearer exactly where they believe the lines are drawn and what the consequences will be for crossing those lines, it might result in less aggressive Russian hacking, Schmitt said.

The Tallinn Manual’s goal is essentially to watch what those nations say and do and write up what the consensus seems to be. 

“The Russians find that gray zone and that's where they operate,” he said. “So, to the extent we can clarify not only which rules apply in cyberspace, but how they apply, then we deny adversaries who might exploit that uncertainty to their advantage.” 

For example, there’s no evidence that Russian hackers changed votes during the 2016 election, which most international legal experts say would have been a clear violation of international law. Instead, they launched social media influence operations and released embarrassing hacked information from the Hillary Clinton campaign — which didn’t definitively violate any established cyber rules at the time. 

“I understand that many folks say there are certain countries that simply don't abide by international law. They don't care. I haven't seen those countries yet,” Schmitt told me.

Schmitt is writing the first draft of the manual with two colleagues. 

They’re Liis Vihul and Marko Milanovic, cyber law experts from Estonia and the United Kingdom, respectively. 

It will then be vetted and revised by a group of 20 cyber experts from various nations. The group also will send the draft to lawyers for dozens of different national governments to offer comments before they finalize it. 

The manual is named for the capital of Estonia, which houses NATO’s Cooperative Cyber Defense Centre of Excellence. Tallinn was one of the first national victims of a cyberattack in 2007. 

During the attack, hackers generally believed to be tied to the Russian government overwhelmed the Estonian Parliament, banks, newspapers and broadcasters with so much Web traffic that they couldn’t operate. 

The attack was prompted by the Estonian government’s removal of Soviet-era war memorials. Since the attacks, Estonia has become a leader in cyber defense and policy. 

The keys

Some companies are getting tax deductions for paying off ransomware hackers.

The deductions are similar to ones companies take for traditional crimes such as robbery and embezzlement, but officials fear the tax incentive is making paying ransoms more common, the Associated Press's Alan Suderman and Marcy Gordon report. Although the FBI urges businesses not to pay ransoms, the IRS doesn’t offer any formal guidance on the payments.

The deduction does have its limits. Companies can’t deduct payments made by cyber insurers.

“It seems a little incongruous to me,” said Rep. John Katko (N.Y.), the House Homeland Security Committee’s top Republican.

The IRS is aware of the issue and is looking into it, spokesperson Robyn Walker said.

A business executive pushing one of the most bizarre election conspiracy theories also falsely claimed she owned a $30 million mansion.

The baseless theory claims hackers connected with an Italian defense contractor used military satellites to change votes in the 2020 contest. Two companies that promoted it are led by Michele Roosevelt Edwards, Jon Swaine and Emma Brown report.

Former White House chief of staff Mark Meadows used documents from Edwards’s companies to try to convince acting attorney general Jeffrey Rosen to investigate the conspiracy theory in December.

Edwards has a history of making false claims. When an Icelandic television station interviewed her at a mansion in Warrenton, Va., on the day after the election, Edwards repeatedly said that the property was hers.

That surprised the widow of David B. Ford, whose company owns the mansion. “She’s in my house,” she said after seeing the interview. “How is she in my house?”

An SEC cybersecurity settlement is a “wake-up call” for companies, lawyers say.

The $490,000 settlement between the Securities and Exchange Commission and the title insurance company First American signals new risks for companies that don't keep their top executives sufficiently abreast of cybersecurity dangers, Reuters’s Alison Frankel writes.

Top executives at the company were not aware that an internal team had pinpointed a vulnerability in its computer systems months before a journalist approached them about the same vulnerability in 2019, according to the settlement. The vulnerability could have given criminal hackers access to 800 million documents, many of which were sensitive.

The settlement, however, may be too small to get other companies to ensure that their executives are in the loop about such vulnerabilities. “It’s a win for the SEC, and for First America[n], but it’s hardly justice,” former federal prosecutor Mark Rasch told journalist Brian Krebs, who first reported on the breach. “It’s a paltry fine, and it involves no admission of guilt by First American.”

Chat room

Rendition Infosec's Jake Williams offered cautionary words for people who are apparently using profane and inappropriate passwords: 

Daybook

  • Rep. Gerald E. Connolly (D-Va.) discusses IT and cybersecurity issues at a MITRE event today at 10 a.m.
  • The R Street Institute hosts an event on the implementation of President Biden’s cybersecurity executive order today at 3:15 p.m.
  • Bob Kolasky, the director of the National Risk Management Center, discusses supply chain cybersecurity at a Billington Cybersecurity event on Tuesday at 9 a.m.
  • The Senate Armed Services Committee’s cyber panel holds a hearing on ransomware on Wednesday at 2 p.m.
  • Columbia University hosts a virtual screening of the film Colossus: The Forbin Project and panel discussion as part of a hacking-focused film festival on Tuesday at 6 p.m.
  • The House Small Business Committee holds a hearing on CMMC cybersecurity implementation on Thursday at 10 a.m.
  • Cybersecurity and Infrastructure Security Agency officials discuss ransomware at an Infosec webinar on Thursday at noon.