Scenario 12: Cyber operations against computer data

In the context of an armed conflict, one belligerent conducts a series of cyber operations against the datasets associated with the other belligerent. These include data used for military purposes, essential civilian datasets, and data serving the enemy’s propaganda. Analysis in this scenario considers the lawfulness of cyber operations designed to corrupt or delete various types of datasets under the law of armed conflict. It particularly focusses on the question whether data qualifies as an “object” for the purposes of the law of armed conflict and whether, as such, it comes within the definition of a military objective.

Keywords
Computer data, distinction, international humanitarian law, military objectives, object, targeting

Facts
State A is involved in a non-international armed conflict against organized armed group G based in its territory. In addition to kinetic hostilities between the two belligerent parties, armed group G conducts a series of cyber operations as part of its military efforts (these are referred to below as incidents 1, 2, and 3):
 * 1) Armed group G conducts a cyber operation against the computer network at State A’s central military command. The operation results in the deletion or corruption of all data stored in the network, which contained the identity, location, physical condition, staffing, and battle readiness of State A’s warships and military aircraft.
 * 2) Armed group G conducts a cyber operation against State A’s central registry office, a governmental authority maintaining digital records on all State A’s citizens concerning non-military purposes, including census taking, the provision of social benefits, voting, and taxation. The operation results in the deletion of all data held by the office.
 * 3) Armed group G conducts a cyber operation against State A’s main press agency. As a result of the operation, all data on the servers of the press agency are deleted and its websites are populated instead with videos and texts calling on the supporters of the regime to resign and defect to the insurgents’ side.

Examples

 * NotPetya (mock ransomware) (2017)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

The legal analysis first considers whether the definition of military objectives under IHL applies to the situation described in the scenario. It then examines whether computer data qualifies as an “object” under IHL and whether operations against data must therefore be assessed with reference to the elements of that definition. The analysis outlines the two main approaches to that question and notes the extent to which the law is unsettled.

Cyber operations during armed conflicts and the legal definition of military objectives
The present scenario takes place in the context of a NIAC between State A’s governmental forces and organized armed group G. However, as far as the definition of military objectives is concerned, the same analysis would apply also in an IAC, for the reasons detailed above. The definition applies in principle also to cyber operations executed in the context of the armed conflict to which State A and armed group G are parties. However, the central legal issue in this scenario lies in the question whether the destruction of the specific types of data in incidents 1–3 would be lawful under IHL. This turns predominantly on the question whether the lawfulness of cyber operations against data during an armed conflict must be assessed vis-à-vis the elements of the definition of military objectives.

Qualification of data as a military objective under IHL
Incidents in this scenario serve to highlight the differences between the two main approaches described above. For those who hold the view that data are not an “object” for the purposes of IHL, there is little difference between all three incidents. According to that view, because data is not an object, cyber operations directed against the data are not governed by the IHL rules regulating attacks, including the definition of military objectives. Consequently, for those who hold this view, the deleting or corrupting any of the three datasets would be lawful under IHL. In other words, none of the operations conducted by armed group G in incidents 1–3 would amount to a violation of IHL. It should be noted that, particularly with regard to incident 2, this interpretation may amount to condoning an operation that would be “extraordinarily disruptive to civilian life”, so much so that if the same effect was brought about through kinetic means, it would qualify as a war crime in IACs and possibly also in NIACs.

On the second view, according to which data may be an “object” under IHL, the lawfulness of the relevant operations would have to be assessed with reference to the elements of the definition of military objectives. In this regard, incident 1 would likely qualify as lawful under IHL. This is because datasets stored in a military network and consisting of information on military assets belonging to the adversary are inherently military in nature. In addition, these datasets “contribute to the execution of the enemy’s operations or otherwise directly support the military activities of the enemy”. As such, they make an effective contribution to the adversary’s military action by their nature, fulfilling the first prong of the definition under Article 52(2) AP I.

By denying the governmental armed forces immediate access to the information about their own military assets, the insurgents impede the military action of the government. State A’s armed forces will likely have to allocate resources towards the restoration of the lost information, thus potentially creating a window of opportunity for the rebels. Should this be the case “in the circumstances ruling at the time”, as prescribed by Article 52(2) AP I, the second prong of the definition under that provision would also be met.

By contrast, the cyber operation at the basis of incident 2 would likely be prohibited under IHL. This is because datasets used and kept for strictly non-military purposes only would normally not be considered as making an effective contribution to military action. As such, they would not qualify as military objectives under IHL and they would therefore have to be seen as civilian objects, which are protected from being attacked during armed conflict. As noted, this analysis fosters the protection of essential civilian datasets and, consequently, it aligns with the object and purpose of the relevant legal norms.

Incident 3 is the most complex of the analysed operations. Ordinarily, the activities of a civilian press agency, even if operated by the government in the context of an ongoing NIAC, do not contribute towards any belligerent’s military action. Exceptionally, specific media reports might effectively contribute to the enemy’s operational picture, and as such, depriving the enemy of them might offer a definite military advantage. Accordingly, in these exceptional situations, the data containing such reports would qualify as a legitimate military objective. However, the deletion of all data belonging to a press agency and its replacement with the insurgents’ propaganda would most likely go beyond such a narrow goal and therefore, the cyber operation would appear to be a case of unlawful targeting of a protected civilian object.

However, it is difficult to square this prima facie conclusion with the fact that States frequently engage in psychological operations of this kind. This may be perceived as a sign that the view interpreting data as an “object” under IHL is “over inclusive”. Nevertheless, a better view is that through the longstanding, general, and unopposed practice of States, a permissive norm of customary law has emerged, which specifically permits psychological operations and dissemination of propaganda directed at the civilian population, irrespective of the means through which such operations may be conducted. On the basis of this interpretation, the cyber operation against State A’s press agency in incident 3 qualifies as permitted under IHL, even if the starting point of the analysis is that data constitute an “object” for the purposes of IHL.

In sum, the law is unsettled as to the qualification of computer data under the targeting rules of IHL. Accordingly, States’ views aligning with one or the other of the approaches detailed above are needed in order to facilitate legal certainty in this area. In the meantime, the following table serves to highlight the points of difference between the two dominant interpretive approaches:

Checklist

 * Does the situation qualify as either an international armed conflict or a non-international armed conflict?
 * Does the client consider data to qualify as an “object” for the purposes of IHL?
 * Does the cyber operation target military datasets only?
 * Does the cyber operation target essential civilian datasets?
 * Does the cyber operation target non-essential civilian datasets?

Bibliography and further reading

 * [TBC]

Contributions

 * Scenario by: Taťána Jančárková & Kubo Mačák
 * Analysis by: Kubo Mačák
 * Reviewed by: Reviewer245, Reviewer715, and Reviewer354