Scenario 12: Cyber operations against computer data
In the context of an armed conflict, one belligerent conducts a series of cyber operations against the datasets associated with the other belligerent. These include data used for military purposes, essential civilian datasets, and data serving the enemy’s propaganda. Analysis in this scenario considers the lawfulness of destruction of various types of datasets under the law of armed conflict. It particularly focusses on the question whether data qualifies as an “object” for the purposes of the law of armed conflict and whether, as such, it comes within the definition of a military objective.
Computer data, military objectives, distinction, object, targeting
State A is involved in a non-international armed conflict against organized armed group G based in its territory. In addition to kinetic hostilities between the two belligerent parties, armed group G conducts a series of cyber operations as part of its military efforts:
- Armed group G conducts a cyber operation against the computer network at State A’s central military command. The operation results in the destruction of all data stored in the network, which contained the identity, location, physical condition, staffing, and battle readiness of State A’s warships and military aircrafts.
- Armed group G conducts a cyber operation against State A’s central registry office, a governmental authority maintaining digital records on all State A’s citizens concerning non-military purposes, including census taking, the provision of social benefits, voting, and taxation. The operation results in the destruction of all data held by the office.
- Armed group G conducts a cyber operation against State A’s main press agency. As a result of the operation, all data on the servers of the press agency are destroyed and its websites are populated instead with videos and texts calling on the supporters of the regime to resign and defect to the insurgents’ side.
Cyber operations during armed conflicts and the legal definition of military objectives
|principle of distinction, one of the foundational precepts of IHL, requires that the parties to an armed conflict must at all times distinguish between civilian objects and military objectives and may, accordingly, only direct their operations against military objectives. The customary definition of military objectives is found in Article 52(2) of Additional Protocol I:
In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.
Thus, to qualify as a military objective, an object must cumulatively meet the two criteria set forth in the abovementioned rule, which must be determined on a case-by-case basis. In case of doubt as to whether an object that is normally dedicated to civilian purposes is being used to make an effective contribution to military action, it must be presumed to remain protected as a civilian object.
The formal scope of application of the Protocol is limited to international armed conflicts (IACs). However, an identical definition of military objectives is found in treaties applicable in non-international armed conflicts (NIACs). Moreover, certain non-party States to the Protocol accept the customary nature of the definition. Accordingly, the ICRC has characterized the definition of military objectives as a norm of customary international humanitarian law applicable in both IACs and NIACs.
Relevant rules of IHL apply to kinetic operations as well as to cyber operations. However, the application of those rules in specific circumstances may pose novel challenges. This is because the rules governing targeting developed with physical operations in mind, and it is not always clear what their application to cyber operations entails. For example, there is some disagreement on what types of acts amount to “attacks” in the context of cyber operations, in particular when the operation in question is limited to the manipulation of data. Nevertheless, even those operations that might not qualify as “attacks” under IHL may still only be directed against military objectives, as required by the principle of distinction. Further, due to the interconnectedness of civilian and military networks as well as in-built redundancies, it may be challenging to apply the definition of military objectives to those parts of cyber infrastructure that simultaneously serve civilian and military purposes (also referred to as “dual-use objects”).
Publicly available national positions that address this issue include: (2019), (2021), (2012).
The present scenario takes place in the context of a NIAC between State A’s governmental forces and organized armed group G. However, as far as the definition of military objectives is concerned, the same analysis would apply also in an IAC, for the reasons detailed above. The definition applies in principle also to cyber operations executed in the context of the armed conflict to which State A and armed group G are parties. However, the central legal issue in this scenario lies in the question whether the destruction of the specific types of data in incidents 1–3 would be lawful under IHL. This turns predominantly on the question whether cyber operations against data during an armed conflict must be justified vis-à-vis the definition of military objectives.
Qualification of data as a military objective under IHL
|Data as an object under IHL|
| Conversely, if data does not qualify as an “object”, civilian datasets would enjoy significantly more limited protection in times of armed conflict.
Two main views have emerged in this regard. One view, held by the majority of experts involved in the Tallinn Manual process, is that the ordinary meaning of the term “object” cannot be interpreted as including data because objects are material, visible and tangible. Proponents of this view place particular importance on the meaning that the drafters of the definition of military objectives would have ascribed to the word “object” at the time, and they reject that this meaning has evolved since then. Accordingly, cyber operations against data would not fall within the ambit of the relevant rules of IHL unless the operation in question resulted in some physical effect and/or a loss of functionality of the target system or network. Some States, including Denmark, Chile, or Israel, also subscribe to this view.
By contrast, others have argued that either all or some types of data should be considered as “objects” under IHL. One view, taken by several States – including Finland, Germany, Norway, and Romania – is that the protection of civilian objects extends to civilian data. This implies that all data constitutes an “object” for the purposes of IHL. This interpretation is supported by the “modern meaning” of the notion of objects in today’s society as well as by the object and purpose of the relevant IHL rules. It has also been described as consistent with the traditional understanding of the notion of “object” under IHL, which is broader than the ordinary meaning of the word and also encompasses locations and animals. According to this view, cyber operations against data are subject to the IHL rules on the conduct of hostilities.
For its part, the ICRC has stated that “data have become an essential component of the digital domain and a cornerstone of life in many societies” and thus “in the ICRC’s view, the conclusion that deleting or tampering with essential civilian data would not be prohibited by IHL in today’s ever more data-reliant world seems difficult to reconcile with the object and purpose” of IHL. In this regard, it has also highlighted the importance “for States to agree on an understanding that civilian data is protected” by the IHL rules governing the conduct of hostilities.
Publicly available national positions that address this issue include: (2021), (2020), (2019), (2021), (2020), (2021), (2021).
Incidents in this scenario serve to highlight the differences between the two main approaches described above.
For those who hold the view that data are not an “object” for the purposes of IHL, there is little difference between all three incidents. According to that view, because data is not an object, attacks against the relevant datasets do not need to be justified by reference to the definition of military objectives. Consequently, for those who hold this view, the destruction of all three datasets would be lawful under IHL. In other words, none of the operations conducted by armed group G in incidents 1–3 would amount to a violation of IHL. It should be noted that, particularly with regard to incident 2, this interpretation amounts to condoning an operation that is “extraordinarily disruptive to civilian life”, so much so that if the same effect was brought about through kinetic means, it would qualify as a war crime in IACs and possibly also in NIACs.
On the second view, according to which data may be an “object” under IHL, the lawfulness of the relevant operations would have to be assessed with reference to the requirements imposed by the definition of military objectives. In this regard, incident 1 would likely qualify as lawful under IHL. This is because datasets stored in a military network and consisting of information on military assets belonging to the adversary are inherently military in nature. In addition, these datasets “contribute to the execution of the enemy’s operations or otherwise directly support the military activities of the enemy”. As such, they make an effective contribution to the adversary’s military action by their nature, fulfilling the first prong of the definition under Article 52(2) AP I.
By denying the governmental armed forces immediate access to the information about their own military assets, the insurgents impede the military action of the government. State A’s armed forces will likely have to allocate resources towards the restoration of the lost information, thus potentially creating a window of opportunity for the rebels. Should this be the case “in the circumstances ruling at the time”, as prescribed by Article 52(2) AP I, the second prong of the definition under that provision would also be met.
By contrast, the cyber operation at the basis of incident 2 would likely be prohibited under IHL. This is because datasets used and kept for strictly non-military purposes only cannot be described as making an effective contribution to military action. As such, they do not qualify as military objectives under IHL and they must therefore be seen as civilian objects, which are protected from being attacked during armed conflict. As noted, this analysis fosters the protection of essential civilian datasets and, consequently, it aligns with the object and purpose of the relevant legal norms.
Incident 3 is the most complex of the analysed operations. Ordinarily, the activities of a civilian press agency, even if operated by the government in the context of an ongoing NIAC, do not contribute towards any belligerent’s military action. Exceptionally, specific media reports might effectively contribute to the enemy’s operational picture, and as such, depriving the enemy of them might offer a definite military advantage. Accordingly, in these exceptional situations, the data containing such reports would qualify as a legitimate military objective. However, the deletion of all data belonging to a press agency and its replacement with the insurgents’ propaganda would most likely go beyond such a narrow goal and therefore, the cyber operation would appear to be a case of unlawful targeting of a protected civilian object.
However, it is difficult to square this prima facie conclusion with the fact that States frequently engage in psychological operations of this kind. This may be perceived as a sign that the view interpreting data as an “object” under IHL is “over inclusive”. Nevertheless, a better view is that through the longstanding, general, and unopposed practice of States, a permissive norm of customary law has emerged, which specifically permits psychological operations and dissemination of propaganda directed at the civilian population, irrespective of the means through which such operations may be conducted. On the basis of this interpretation, the cyber operation against State A’s press agency in incident 3 qualifies as permitted under IHL, even if the starting point of the analysis is that data constitute an “object” for the purposes of IHL.
In sum, the law is unsettled as to the qualification of computer data under the targeting rules of IHL. Accordingly, States’ views aligning with one or the other of the approaches detailed above are needed in order to facilitate legal certainty in this area. In the meantime, the following table serves to highlight the points of difference between the two dominant interpretive approaches:
|Data ≠ object||Data = object|
|Incident 1 (cyber operations against military datasets)||Because data is not an “object” for the purposes of IHL, it does not need to fulfil the criteria of a military objective for an operation against it to be lawful under IHL. Accordingly, all of these cyber operations are permissible under IHL.||Permissible insofar as the dataset fulfils both prongs of the definition of military objectives|
|Incident 2 (cyber operations against essential civilian datasets)||Prohibited due to the non-military character and use of the datasets in question|
|Incident 3 (cyber operations against non-essential civilian datasets)||Prohibited due to the non-military character and use of the datasets in question unless justified under the customary exception for psychological operations and propaganda|
Notes and references
- ↑ Art 48 AP I; ICRC CIHL Study, rule 7.
- ↑ See Yves Sandoz, Christophe Swinarski and Bruno Zimmermann (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (ICRC 1987), 635 para 2018; International Law Association Study Group on the Conduct of Hostilities in the 21st Century, ‘The Conduct of Hostilities and International Humanitarian Law: Challenges of 21st Century Warfare’ (2017) 93 International Law Studies 322, 327–328.
- ↑ Art 52(3) AP I; on the customary nature of this rule, see ICRC CIHL Study, commentary to rule 10, 35–36. In the cyber context, see e.g., the national positions of France (Ministry of Defense of France, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 14); and Germany (Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 8).
- ↑ Art 1 AP I.
- ↑ See, e.g., Amended Protocol II to the CCW, Article 2(6); Second Protocol to the Hague Convention for the Protection of Cultural Property, Article 1(f).
- ↑ See, e.g., Brian Egan, Legal Adviser, Department of State, “Remarks to the American Society of International Law: International Law, Legal Diplomacy, and the Counter-ISIL Campaign” (1 April 2016), 242 (“In particular, I’d like to spend a few minutes walking through some of the targeting rules that the United States regards as customary international law applicable to all parties in a NIAC: … Insofar as objects are concerned, military objectives are those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.”).
- ↑ ICRC CIHL Study, rule 8. See also Tallinn Manual 2.0., commentary to rule 100, para 1.
- ↑ Tallinn Manual 2.0, rule 80 (“Cyber operations executed in the context of an armed conflict are subject to the law of armed conflict.”).
- ↑ See William H Boothby, The Law of Targeting (OUP 2012) 387–88.
- ↑ Cf Art 49(1) AP I (defining “attacks” as “acts of violence against the adversary, whether in offence or in defence”).
- ↑ See, e.g., William H Boothby, The Law of Targeting (OUP 2012) 384–87; Noam Lubell, ‘Lawful Targets in Cyber Operations: Does the Principle of Distinction Apply?’ (2013) 89 Int’l L Studies 252, 254–74; Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 180–81; Yoram Dinstein, The Conduct of Hostilities under the Law of International Armed Conflict (3rd edn, CUP 2016) 3.
- ↑ Art 48 AP I (“the Parties to the conflict ... shall direct their operations only against military objectives”). It should be noted that it is not universally accepted that the reference to “operations” in Article 48 reflects customary international law. See, e.g., Noam Neuman, ‘Challenges in the Interpretation and Application of the Principle of Distinction During Ground Operations in Urban Areas’ (2018) 51 VJTL 807, 821 fn 44.
- ↑ See Laurent Gisel, Tilman Rodenhäuser, and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’, (2020) 102(913) International Review of the Red Cross 287, 321–322.
- ↑ See Kubo Mačák, ‘Unblurring the lines: military cyber operations and international law’ (2021) 6(3) Journal of Cyber Policy 411, 421–422.
- ↑ On the protection afforded by IHL to certain categories of data (such as medical data or data of humanitarian organizations) irrespective of their qualification as “objects”, see e.g. Kubo Mačák and Laurent Gisel, ‘Grammar: Rules in a Cyber Conflict’, in Patryk Pawlak and François Delerue (eds), Cyber Defence in the European Union (EUISS 2022) 67.
- ↑ Tallinn Manual 2.0, commentary to rule 100, paras 5–6 (noting that the majority of experts considered that due to it being intangible, data does not fall within the ordinary meaning of the term object, which is “something visible and tangible”) (internal quotation marks deleted); but see Michael N Schmitt, ‘The Notion of ‘Objects’ during Cyber Operations: A Riposte in Defence of Interpretive and Applicative Precision’ (2015) 48 IsrLR 81, 93 (noting that although the “visible and tangible” criterion influenced the Tallinn Manual experts’ deliberations, it was not dispositive).
- ↑ See, e.g., Michael N Schmitt, ‘The Notion of ‘Objects’ during Cyber Operations: A Riposte in Defence of Interpretive and Applicative Precision’ (2015) 48 IsrLR 81, 93; Ori Pomson, ‘“Objects”? The Legal Status of Computer Data under International Humanitarian Law’ (2023) __ Journal of Conflict and Security Law __ (forthcoming).
- ↑ Tallinn Manual 2.0, commentary to rule 100, para 6.
- ↑ Ministry of Defence of Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 292.
- ↑ Chile, Response submitted by Chile to the OAS Inter-American Juridical Committee Questionnaire (14 January 2020), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 36.
- ↑ Roy Schondorf, ‘Israel’s perspective on key legal and practical issues concerning the application of international law to cyber operations’ (2021) 97 International Law Studies, 401.
- ↑ See, e.g., Heather A Harrison Dinniss, ‘The Nature of Objects: Targeting Networks and the Challenge of Defining Cyber Military Objectives’ (2015) 48 IsrLR 39; Kubo Mačák, ‘Military Objectives 2.0: The Case for Interpreting Computer Data as Objects under International Humanitarian Law’ (2015) 48 IsrLR 55; Robert McLaughlin, ‘Data as a Military Objective’, Australian Institute of International Affairs (20 September 2018); Tim McCormack, ‘International Humanitarian Law and the Targeting of Data’ (2018) 94 International Law Studies 222.
- ↑ Finland, ‘International Law and cyberspace: Finland’s national positions’ (2020) 7.
- ↑ Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 8.
- ↑ Norway, Manual i krigens folkerett, (2013) para 9.58.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 78.
- ↑ See also the national position of France, according to which “content data” are protected under the principle of distinction, leaving aside the issue of whether other types of data (such as code) formally qualify as objects or not. Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019) 14.
- ↑ Kubo Mačák, ‘Military Objectives 2.0: The Case for Interpreting Computer Data as Objects under International Humanitarian Law’ (2015) 48 IsrLR 55, 80; see also Robert McLaughlin, ‘Data as a Military Objective’, Australian Institute of International Affairs (20 September 2018).
- ↑ Laurent Gisel, Tilman Rodenhäuser and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’ (2020) 102(913) International Review of the Red Cross 287, 319.
- ↑ ICRC, International Humanitarian Law and the Challenges of Contemporary Armed Conflicts (2019) 28. The ICRC has highlighted medical data, tax records, bank accounts, social security and biometric data as essential civilian data and an ‘essential component of digitalized societies’. See ICRC, ‘International Humanitarian Law and Cyber Operations during Armed Conflicts’ ICRC position paper (November 2019) 8.
- ↑ ICRC, ‘International Humanitarian Law and Cyber Operations during Armed Conflicts’ ICRC position paper (November 2019) 8.
- ↑ MN Schmitt, ‘International Cyber Norms: Reflections on the Path Ahead’ (2018) 111 Netherlands’ Military Law Review 12, 17.
- ↑ See Rome Statute, Art. 8(2)(b)(ii).
- ↑ Cf. N Zamir, ‘Distinction Matters: Rethinking the Protection of Civilian Objects in Non-International Armed Conflicts’ (2015) 48 Isr Law Rev 111, 117–18.
- ↑ Tallinn Manual 2.0, commentary to rule 100, para. 15.
- ↑ Tallinn Manual 2.0, commentary to rule 100, para. 29.
- ↑ MN Schmitt, ‘International Cyber Norms: Reflections on the Path Ahead’ (2018) 111 Netherlands’ Military Law Review 12, 16–17.
- ↑ MN Schmitt, ‘International Cyber Norms: Reflections on the Path Ahead’ (2018) 111 Netherlands’ Military Law Review 12, 17.
- ↑ Cf. MN Schmitt and S Watts, ‘The Decline of International Humanitarian Law Opinio Juris and the Law of Cyber Warfare’ (2015) 50 Texas ILJ 189, 230–31 (arguing that States should commit to clear views on IHL regulation of cyber operations); K Mačák, ‘From Cyber Norms to Cyber Rules: Re-engaging States as Law-makers’ (2017) 30 Leiden JIL 877, 896 (arguing that States should be more forthcoming in expressing opinions on the interpretation of existing international law to cyber issues).
Bibliography and further reading
- Scenario by: Taťána Jančárková & Kubo Mačák
- Analysis by: Kubo Mačák
- Reviewed by: [TBC]