There are many more proposed rules, of course, but one gets the gist. Alas, the entire project, although laudable, suffers from a conceptual difficulty: The Tallinn Manual, in seeking to map the rules developed for kinetic warfare onto cyberspace, winds up making impossible demands.
To take a simple example, it is inconceivable that a state could develop a malware package that would recognize when it had jumped from military to civilian systems and stop automatically at the boundary. It isn’t just that the behavior of software is unpredictable. The behavior of individuals is unpredictable. Country A launches a cyber-attack on a military laboratory in Country B, where a researcher, unknowing, takes his infected smartphone home and syncs it to his personal laptop — and, just like that, the infection is in the wild.
Yes, the creators of malware of this sophistication often try to retain control (because of a concern over detection, not legal niceties). But this is harder than it sounds. Flame and Mask, for example, enabled operators to wipe their presence from infected machines. But the attempt to shut them off was only partly successful.
In the end, the rules of cyberwar will likely be very different from the rules governing kinetic wars. Battles will be fought in the shadows, often by untraceable perpetrators. There will be suspicions and accusations but very few acknowledgments. Absent massive damage or loss of life, there will never be war-crimes trials.
But there will be retaliation. Escalation is inevitable. If we go after their centrifuges, one day they’ll go after our power grid. No government is going to stop. That’s why the Obama administration’s approach, if harsh, is probably the most pragmatic: In the future, our only real protection will be to fight in cyberspace better than our adversaries.