Editing Scenario 12: Cyber operations against computer data

Jump to navigation Jump to search

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
[[File:Data2.jpg|thumb|© pinkeyes. Licensed from Shutterstock.]]
+
[[File:Data2.jpg|thumb|© pinkeyes. Lincensed from Shutterstock.]]<!-- Photo free for commercial use, no attribution required, CC0 creative commons source: https://pixabay.com/en/code-html-digital-coding-web-1076536/ -->
 
In the context of an armed conflict, one belligerent conducts a series of cyber operations against the datasets associated with the other belligerent. These include data used for military purposes, essential civilian datasets, and data serving the enemy’s propaganda. The analysis in this scenario considers the lawfulness of cyber operations designed to corrupt or delete various types of datasets under the law of armed conflict. It particularly focusses on the question whether data qualifies as an “object” for the purposes of the law of armed conflict and whether, as such, it comes within the definition of a military objective.
 
In the context of an armed conflict, one belligerent conducts a series of cyber operations against the datasets associated with the other belligerent. These include data used for military purposes, essential civilian datasets, and data serving the enemy’s propaganda. The analysis in this scenario considers the lawfulness of cyber operations designed to corrupt or delete various types of datasets under the law of armed conflict. It particularly focusses on the question whether data qualifies as an “object” for the purposes of the law of armed conflict and whether, as such, it comes within the definition of a military objective.
   
Line 14: Line 14:
   
 
=== Examples ===
 
=== Examples ===
* [[NotPetya (2017)]]
+
* [[NotPetya (mock ransomware)]] (2017)
* [[Operation Glowing Symphony (2016)]]
 
   
 
== Legal analysis ==
 
== Legal analysis ==
Line 39: Line 38:
 
'''[L8]''' Incident 3 is the most complex of the analysed operations. Ordinarily, the activities of a civilian press agency, even if operated by the government in the context of an ongoing NIAC, do not contribute towards any belligerent’s military action. Exceptionally, specific media reports might effectively contribute to the enemy’s operational picture, and as such, depriving the enemy of them might offer a definite military advantage.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 100, para 29.</ref> Accordingly, in these exceptional situations, the data containing such reports would qualify as a legitimate military objective. However, the deletion of <i>all</i> data belonging to a press agency and its replacement with the insurgents’ propaganda would most likely go beyond such a narrow goal and therefore, the cyber operation would appear to be a case of unlawful targeting of a protected civilian object.
 
'''[L8]''' Incident 3 is the most complex of the analysed operations. Ordinarily, the activities of a civilian press agency, even if operated by the government in the context of an ongoing NIAC, do not contribute towards any belligerent’s military action. Exceptionally, specific media reports might effectively contribute to the enemy’s operational picture, and as such, depriving the enemy of them might offer a definite military advantage.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 100, para 29.</ref> Accordingly, in these exceptional situations, the data containing such reports would qualify as a legitimate military objective. However, the deletion of <i>all</i> data belonging to a press agency and its replacement with the insurgents’ propaganda would most likely go beyond such a narrow goal and therefore, the cyber operation would appear to be a case of unlawful targeting of a protected civilian object.
   
'''[L9]''' However, it has been suggested that this prima facie conclusion is difficult to square with the fact that States frequently engage in psychological operations, which may include cyber operations of this kind.<ref>Michael N. Schmitt, ‘[https://puc.overheid.nl/mrt/doc/PUC_248137_11/ International Cyber Norms: Reflections on the Path Ahead]’ (2018) 111 Netherlands’ Military Law Review 12, 16–17.</ref> On that basis, the view interpreting data as an “object” under IHL has been described as “over inclusive”.<ref>Michael Schmitt, ‘[https://puc.overheid.nl/mrt/doc/PUC_248137_11/ International Cyber Norms: Reflections on the Path Ahead]’ (2018) 111 Netherlands’ Military Law Review 12, 17.</ref> Nevertheless, a possible response to such criticism is that through the longstanding, general, and unopposed practice of States, a permissive norm of customary law has emerged, which specifically permits psychological operations and dissemination of propaganda directed at the civilian population, as long as such operations do not violate any other applicable rule of IHL.<ref>For instance, it is impermissible to direct an attack against a media outlet such as a TV station merely on the basis that the outlet was used to spread propaganda. The destruction of the TV station in such circumstances would not offer the “concrete and direct” military advantage required by IHL for it to qualify as a military objective. Accordingly, attacking media outlets by reference to their propaganda purpose alone is contrary to IHL. See ICTY, [https://www.icty.org/x/file/Press/nato061300.pdf Final Report to the Prosecutor by the Committee Established to Review the NATO Bombing Campaign Against the Federal Republic of Yugoslavia] (2000) ILM 1257, para. 76.</ref> On the basis of this interpretation, the cyber operation against the data held by State A’s press agency in incident 3 qualifies as permitted under IHL, even if the starting point of the analysis is that data constitute an “object” for the purposes of IHL.
+
'''[L9]''' However, it is difficult to square this prima facie conclusion with the fact that States frequently engage in psychological operations of this kind.<ref>Michael N. Schmitt, ‘[https://puc.overheid.nl/mrt/doc/PUC_248137_11/ International Cyber Norms: Reflections on the Path Ahead]’ (2018) 111 Netherlands’ Military Law Review 12, 16–17.</ref> This may be perceived as a sign that the view interpreting data as an “object” under IHL is “over inclusive”.<ref>Michael Schmitt, ‘[https://puc.overheid.nl/mrt/doc/PUC_248137_11/ International Cyber Norms: Reflections on the Path Ahead]’ (2018) 111 Netherlands’ Military Law Review 12, 17.</ref> Nevertheless, a possible response to such criticism is that through the longstanding, general, and unopposed practice of States, a permissive norm of customary law has emerged, which specifically permits psychological operations and dissemination of propaganda directed at the civilian population, irrespective of the means through which such operations may be conducted. On the basis of this interpretation, the cyber operation against State A’s press agency in incident 3 qualifies as permitted under IHL, even if the starting point of the analysis is that data constitute an “object” for the purposes of IHL.
   
 
'''[L10]''' It must be stressed that the analysis above assumed that, in all three incidents, the data was deliberately targeted—i.e., its manipulation was the objective of the operation in question. However, there are at least two types of scenarios where the manipulation of data would be analysed differently, even if such manipulation was regarded as an “attack”. First, it may be that the target of the attack is not the data yet the operation foreseeably results in its incidental manipulation. Second, it may be that the operation in question is not a targeting operation because its objective is not the destruction or neutralization of a certain object but rather something else (for example, gaining access to a system or collecting intelligence about its weaknesses), yet the operation nevertheless foreseeably results in the incidental deletion or corruption of data. In both of these cases, whether the data qualifies as an “object” has no bearing on the permissibility of the attack under the rule of distinction. At the same time, if one takes the position that the data constitutes an “object”, the manipulation must be considered as collateral damage and will therefore have to be assessed and acted upon as the rules on precautions and proportionality require.
 
'''[L10]''' It must be stressed that the analysis above assumed that, in all three incidents, the data was deliberately targeted—i.e., its manipulation was the objective of the operation in question. However, there are at least two types of scenarios where the manipulation of data would be analysed differently, even if such manipulation was regarded as an “attack”. First, it may be that the target of the attack is not the data yet the operation foreseeably results in its incidental manipulation. Second, it may be that the operation in question is not a targeting operation because its objective is not the destruction or neutralization of a certain object but rather something else (for example, gaining access to a system or collecting intelligence about its weaknesses), yet the operation nevertheless foreseeably results in the incidental deletion or corruption of data. In both of these cases, whether the data qualifies as an “object” has no bearing on the permissibility of the attack under the rule of distinction. At the same time, if one takes the position that the data constitutes an “object”, the manipulation must be considered as collateral damage and will therefore have to be assessed and acted upon as the rules on precautions and proportionality require.
Line 94: Line 93:
 
*Michael N Schmitt (ed), ''[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations]'' (CUP 2017).
 
*Michael N Schmitt (ed), ''[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations]'' (CUP 2017).
 
*Michael N. Schmitt and Sean Watts, ‘[https://heinonline.org/HOL/P?h=hein.journals/tilj50&i=217 The Decline of International Humanitarian Law ''Opinio Juris'' and the Law of Cyber Warfare]’ (2015) 50 TexIntlLJ 189.
 
*Michael N. Schmitt and Sean Watts, ‘[https://heinonline.org/HOL/P?h=hein.journals/tilj50&i=217 The Decline of International Humanitarian Law ''Opinio Juris'' and the Law of Cyber Warfare]’ (2015) 50 TexIntlLJ 189.
*Silja Vöneky, ‘[http://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1375 Analogy in International Law]’, in R Wolfrum (ed), ''Max Planck Encyclopedia of Public International Law'' (OUP 2008).
+
*Silja Vöneky, ‘Analogy in International Law’, in R Wolfrum (ed), ''Max Planck Encyclopedia of Public International Law'' (OUP 2008).
 
<!--
 
<!--
 
* MN Schmitt (ed), ''Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations'' (CUP 2017)
 
* MN Schmitt (ed), ''Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations'' (CUP 2017)
Please note that all contributions to International cyber law: interactive toolkit are considered to be released under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) (see International cyber law: interactive toolkit:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!
Cancel Editing help (opens in new window)

Template used on this page: