The Most Uncomfortable Room in Tallinn
For four days in late May, the Estonian capital hosted what has become the closest thing international cyber law has to a supreme court. Nearly 800 participants from 50 countries — lawyers, generals, engineers, policymakers — gathered at CyCon 2026, NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE) annual conference, under the banner 'Securing Tomorrow.' The 21 peer-reviewed papers and associated debates produced some of the sharpest legal and doctrinal thinking on record. The dominant question was not abstract: when a civilian sits at a laptop and launches DDoS attacks on behalf of a government at war, are they a protected non-combatant or a legitimate military target?
The answer, under existing international humanitarian law (IHL), is: it depends — and the conditions that determine it are poorly understood by the vast majority of the hundreds of thousands of people who have done exactly that.
The Civilian Volunteer Problem
On February 26, 2022, two days after Russia's full-scale invasion, Ukrainian Minister of Digital Transformation Mykhailo Fedorov called for volunteers to join the IT Army of Ukraine — a Telegram-coordinated hacktivist force that swelled to over 300,000 subscribers and became one of the most operationally novel features of the conflict. Those volunteers are legally classified as civilians. IHL, codified most relevantly in the 1977 Additional Protocol I to the Geneva Conventions, grants civilians immunity from attack — but only so long as they refrain from 'direct participation in hostilities' (DPH).
The DPH doctrine requires meeting three cumulative thresholds: a threshold of harm (the act must adversely affect military operations), direct causation (a clear causal link between the act and the harm), and belligerent nexus (the act must be specifically designed to support a belligerent party). CyCon 2026's legal track drilled into exactly which cyber operations cross all three. The conclusion, as the Lieber Institute at West Point has previously documented, is that many IT Army operations — particularly DDoS attacks on commercial or civilian-adjacent infrastructure — likely fall short. But more sophisticated operations that impair military command-and-control do not.
The risk to volunteers is concrete. A civilian who crosses the DPH threshold loses protection 'for such time as' they directly participate — a window that IHL has never clearly defined for cyber operations, where a person could be 'participating' by maintaining persistent access to a system days before an action executes. For volunteers in third countries, the exposure is compounded: national cybercrime laws may apply regardless of Ukraine's defensive posture, and prisoner-of-war status is unavailable to anyone not formally integrated into an armed force.
To be fair to IHL proponents: the civilian protection framework exists precisely because total warfare is catastrophic. Eroding the principle of distinction — the rule separating combatants from non-combatants — makes everyone less safe, not more. The concern that governments will routinely use civilian volunteers as an outsourced, deniable offensive layer, then claim those volunteers retain civilian protections, is legitimate. The ICRC has repeatedly flagged that recruiting civilian hackers into state-directed operations creates systemic risk for the civilians involved.
But the law is visibly lagging. Ukraine has acknowledged the gap and is drafting legislation to formally incorporate IT Army members into armed forces reserves — converting them to combatants with full Geneva protections, but also with the obligations that come with combatant status. This is the right direction: not abandoning civilian protection, but offering clear legal pathways for volunteers who are genuinely fighting alongside a state. NATO CCDCOE's Tallinn Manual 3.0, now in its fifth year of development, is working to address precisely these ambiguities. The process cannot move fast enough.
Ukraine's Cloud as Operational Doctrine
A second thread running through CyCon 2026 was less legally fraught but equally strategic: Ukraine's cloud migration as a wartime resilience model. A new CCDCOE policy brief released alongside the conference documented that more than 85 percent of surveyed Ukrainian organisations rely heavily on US-based technology providers — a dependence that, while critical to survival, raises legitimate questions about digital sovereignty and single-point-of-failure risk.
What the Ukraine experience demonstrated is that informal networks — ad hoc partnerships between IT staff, government ministries, and multinational technology firms — frequently proved more effective than formal coordination channels during a crisis. Infrastructure that had been migrated to distributed cloud environments before or during the early weeks of invasion was significantly more resilient to missile strikes than on-premises systems. Ukraine, in other words, ran the world's first large-scale empirical test of cloud-first critical infrastructure doctrine under kinetic warfare conditions — and the cloud largely passed.
The implication for NATO allies is not that everyone should hand over infrastructure to US hyperscalers. It is that pre-crisis partnership frameworks matter, that non-state actors must be formally integrated into cyber resilience planning before a crisis, and that digital sovereignty concerns need to be resolved through multilateral agreements rather than ad hoc emergency decisions.
From Securing Tomorrow to Unified Response
The most doctrinally significant signal from Tallinn came not from the 2026 proceedings themselves but from what CCDCOE announced next: CyCon 2027 will be themed 'Unified Response.' The shift from 'Securing Tomorrow' — a capability-building frame — to a collective-action frame is deliberate. As CCDCOE Director Tõnis Saar put it, 'Cyber power alone cannot yet seize terrain or physically cross a river. Its value lies in shaping the environment so that other forces can.'
That framing, while analytically correct, implies a doctrinal question that 'Unified Response' will need to address: unified by whom, on what authority, and under what legal framework? The barriers to collective cyber action — jurisdictional complexity, classification constraints, attribution politics, and the absence of a binding multilateral treaty — are precisely what the CyCon 2027 call for papers highlights as the hardest problems.
None of this argues against collective action. It argues for building the legal and institutional infrastructure now, while the norms are still being written, rather than improvising them under fire as Ukraine has had to do. Tallinn, for another year, remains the right place to be having that conversation.