Editing Scenario 12: Cyber operations against computer data

Jump to navigation Jump to search

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 40: Line 40:
 
'''[L8]''' Incident 3 is the most complex of the analysed operations. Ordinarily, the activities of a civilian press agency, even if operated by the government in the context of an ongoing NIAC, do not contribute towards any belligerent’s military action. Exceptionally, specific media reports might effectively contribute to the enemy’s operational picture, and as such, depriving the enemy of them might offer a definite military advantage.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 100, para 29.</ref> Accordingly, in these exceptional situations, the data containing such reports would qualify as a legitimate military objective. However, the deletion of <i>all</i> data belonging to a press agency and its replacement with the insurgents’ propaganda would most likely go beyond such a narrow goal and therefore, the cyber operation would appear to be a case of unlawful targeting of a protected civilian object.
 
'''[L8]''' Incident 3 is the most complex of the analysed operations. Ordinarily, the activities of a civilian press agency, even if operated by the government in the context of an ongoing NIAC, do not contribute towards any belligerent’s military action. Exceptionally, specific media reports might effectively contribute to the enemy’s operational picture, and as such, depriving the enemy of them might offer a definite military advantage.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 100, para 29.</ref> Accordingly, in these exceptional situations, the data containing such reports would qualify as a legitimate military objective. However, the deletion of <i>all</i> data belonging to a press agency and its replacement with the insurgents’ propaganda would most likely go beyond such a narrow goal and therefore, the cyber operation would appear to be a case of unlawful targeting of a protected civilian object.
  
'''[L9]''' However, it has been suggested that this prima facie conclusion is difficult to square with the fact that States frequently engage in psychological operations, which may include cyber operations of this kind.<ref>Michael N. Schmitt, ‘[https://puc.overheid.nl/mrt/doc/PUC_248137_11/ International Cyber Norms: Reflections on the Path Ahead]’ (2018) 111 Netherlands’ Military Law Review 12, 16–17.</ref> On that basis, the view interpreting data as an “object” under IHL has been described as “over inclusive”.<ref>Michael Schmitt, ‘[https://puc.overheid.nl/mrt/doc/PUC_248137_11/ International Cyber Norms: Reflections on the Path Ahead]’ (2018) 111 Netherlands’ Military Law Review 12, 17.</ref> Nevertheless, a possible response to such criticism is that through the longstanding, general, and unopposed practice of States, a permissive norm of customary law has emerged, which specifically permits psychological operations and dissemination of propaganda directed at the civilian population, as long as such operations do not violate any other applicable rule of IHL.<ref>For instance, it is impermissible to direct an attack against a media outlet such as a TV station merely on the basis that the outlet was used to spread propaganda. The destruction of the TV station in such circumstances would not offer the “concrete and direct” military advantage required by IHL for it to qualify as a military objective. Accordingly, attacking media outlets by reference to their propaganda purpose alone is contrary to IHL. See ICTY, [https://www.icty.org/x/file/Press/nato061300.pdf Final Report to the Prosecutor by the Committee Established to Review the NATO Bombing Campaign Against the Federal Republic of Yugoslavia] (2000) ILM 1257, para. 76.</ref> On the basis of this interpretation, the cyber operation against the data held by State A’s press agency in incident 3 qualifies as permitted under IHL, even if the starting point of the analysis is that data constitute an “object” for the purposes of IHL.
+
'''[L9]''' However, it is difficult to square this prima facie conclusion with the fact that States frequently engage in psychological operations of this kind.<ref>Michael N. Schmitt, ‘[https://puc.overheid.nl/mrt/doc/PUC_248137_11/ International Cyber Norms: Reflections on the Path Ahead]’ (2018) 111 Netherlands’ Military Law Review 12, 16–17.</ref> This may be perceived as a sign that the view interpreting data as an “object” under IHL is “over inclusive”.<ref>Michael Schmitt, ‘[https://puc.overheid.nl/mrt/doc/PUC_248137_11/ International Cyber Norms: Reflections on the Path Ahead]’ (2018) 111 Netherlands’ Military Law Review 12, 17.</ref> Nevertheless, a possible response to such criticism is that through the longstanding, general, and unopposed practice of States, a permissive norm of customary law has emerged, which specifically permits psychological operations and dissemination of propaganda directed at the civilian population, irrespective of the means through which such operations may be conducted. On the basis of this interpretation, the cyber operation against State A’s press agency in incident 3 qualifies as permitted under IHL, even if the starting point of the analysis is that data constitute an “object” for the purposes of IHL.
  
 
'''[L10]''' It must be stressed that the analysis above assumed that, in all three incidents, the data was deliberately targeted—i.e., its manipulation was the objective of the operation in question. However, there are at least two types of scenarios where the manipulation of data would be analysed differently, even if such manipulation was regarded as an “attack”. First, it may be that the target of the attack is not the data yet the operation foreseeably results in its incidental manipulation. Second, it may be that the operation in question is not a targeting operation because its objective is not the destruction or neutralization of a certain object but rather something else (for example, gaining access to a system or collecting intelligence about its weaknesses), yet the operation nevertheless foreseeably results in the incidental deletion or corruption of data. In both of these cases, whether the data qualifies as an “object” has no bearing on the permissibility of the attack under the rule of distinction. At the same time, if one takes the position that the data constitutes an “object”, the manipulation must be considered as collateral damage and will therefore have to be assessed and acted upon as the rules on precautions and proportionality require.
 
'''[L10]''' It must be stressed that the analysis above assumed that, in all three incidents, the data was deliberately targeted—i.e., its manipulation was the objective of the operation in question. However, there are at least two types of scenarios where the manipulation of data would be analysed differently, even if such manipulation was regarded as an “attack”. First, it may be that the target of the attack is not the data yet the operation foreseeably results in its incidental manipulation. Second, it may be that the operation in question is not a targeting operation because its objective is not the destruction or neutralization of a certain object but rather something else (for example, gaining access to a system or collecting intelligence about its weaknesses), yet the operation nevertheless foreseeably results in the incidental deletion or corruption of data. In both of these cases, whether the data qualifies as an “object” has no bearing on the permissibility of the attack under the rule of distinction. At the same time, if one takes the position that the data constitutes an “object”, the manipulation must be considered as collateral damage and will therefore have to be assessed and acted upon as the rules on precautions and proportionality require.

Please note that all contributions to International cyber law: interactive toolkit are considered to be released under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) (see International cyber law: interactive toolkit:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

Cancel Editing help (opens in new window)

Template used on this page: