Avoiding Civilian Harm during Data Breaching Cyber Operations

Getting your Trinity Audio player ready...

Introduction

Cyber operations have recently become a popular way of waging warfare and there has been a surge in the numbers of military cyberoperations conducted worldwide.¹ According to the World Cyber Warfare Statistics, cyberoperations have increased by 440% between 2008 and 2018.² States are rapidly investing in building cyber warfare capacity in order to deal with such military threats by establishing cyber forces³ and enacting independent cyber warfare policies.⁴ In only July 2021, there were 14 significant cyberoperations conducted by the military forces of various states which included ransomware attacks, hackings of accounts of political figures, and breaches of personal data of 2020 Olympic athletes, politicians, and government officials.⁵

This militarisation of cyberspace raises the question of civilian protection during cyberoperations, especially because many individuals, businesses, and governments are using cyberspace for medical, social, and governance purposes. This article analyses the threat to civilians due to data breaching cyber operations by evaluating civilian protections available under the Law of Armed Conflict (LoAC). It begins by addressing the question of LoAC’s relevance to data breaching cyber operations and then identifies various legal lacunas in the applicability and protections for civilian data under the cardinal principles of distinction and proportionality. It concludes with an emphasis on the need for clear legal regulation in this field.

The Question of Relevance

There is general consensus that the cardinal principles of LoAC apply to Cyber warfare despite LoAC lacking direct provisions regarding cyber warfare.⁶ This consensus is rooted in the Marten’s clause present in the Hague and Geneva Conventions, which says that in cases not covered by IHL, neither combatants nor civilians would be deprived of protection as they would continue to be governed by the principles of international law, including the laws of humanity and requirements of public conscience.⁷ The Tallinn Manual on the International Law Applicable to Cyber Operations 2.0 (TM) is a non-binding document that guides us on the applicability of IHL to cyber military operation. However, it does not include many provisions specifically applicable to the protection of civilian data. Therefore, it is necessary to analyse the ways in which impact on civilian data (such as, for instance, a cyber operation during an armed conflict in which large amounts of civilian data are deleted) is addressed under the LoAC.

The Definition of an Attack

Cyberattacks regulated by the LoAC must have a nexus with an ongoing armed conflict.⁸ According to Article 49(1) of the API, to constitute an attack there must be an “act of violence against the adversary, whether in offence or in defence”.⁹ Moreover, it is explicitly written, while explaining the interpretation of Article 49 of API, that attacks refer to “any land, air or sea warfare which may affect the civilian population, individual civilians or civilian objects on land”.¹⁰ This poses a limitation because key customary and treaty provisions of the LoAC are framed in terms of an ‘attack’, and they only prohibit and restrict what is recognized as an attack under the LoAC.¹¹ For instance, Article 41 54, 55, 56, and 59 of the Additional Protocol I (API) all coin the term ‘attack’ and similarly the principle of proportionality prohibits

“an attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to concrete and direct military advantage anticipated”.¹²

The applicability of these cardinal provisions is anchored in the notion of an ‘attack’ which makes it important to address what qualifies as an attack before applying the LoAC to a situation. Furthermore, building on the aforementioned definition of an attack, the experts that formulated the TM defined a cyberattack as a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects”.¹³ Operations that cause a “loss of functionality” are also considered attacks, although there was no consensus on what amounts to the “loss of functionality”.¹⁴ The difficulty here arises because data breaches may not cause any incidental loss of infrastructure or life, which makes it difficult to classify them as attacks and protect civilian data using the protections promised by the LoAC.¹⁵ An example of this is the data breaching attack that stole essential data from the U.S Customs and Border Protection Agency by an attacker called Boris Bullet Dodger.¹⁶ This attack did not cause any incidental harm, however, the data that had been stolen was essential personal data, which could cause civilian harm in later years.¹⁷

Data as an Object

The cardinal principles of distinction and proportionality protect civilian life, infrastructure and objects, which pose problems while applying the LoAC on data breaching operations. For instance, article 51(5)(b) and Article 57 of the Additional Protocol I notes that proportionality in an attack means that incidental loss of civilian life, injury or damage to civilian objects must not be excessive in relation to the concrete and direct military advantage anticipated.¹⁸ Rule 113 and 117 of the TM details the applicability of this principle to cyber operations stating that states must take in consideration both indirect and direct effects of an operation while deciding its legality under the principle of proportionality.¹⁹ Similarly, under the principle of distinction parties of an armed conflict must always distinguish between civilian and combatant population and objects.²⁰ States must only attack combatants and military equipment, while civilians and civilian objects enjoy protection from attack.²¹

However, an issue emerges when these principles are applied to data breaching operations because civilian data is not considered an object under the LoAC.²² For the principle of proportionality, this is inferred reading the commentary of Rule 113 along the glossary of the TM. According to the commentary of rule 113, disproportionate harm must not be caused to ‘cyber infrastructure’, which is defined in the glossary as “communications, storage, and computing devices upon which information systems are built and operate”.²³ For the principle of distinction, the same contention is clearly stated in Rule 100 of the TM. According to the commentary of Rule 100 in the Tallinn Manual (TM), a majority of the International Group of Experts agreed that the notion of object does not include data because of its intangible nature.²⁴ To reach this conclusion, most experts relied on the explanation of the notion given in ICRC’s commentary on the Additional Protocol of the Geneva Convention.²⁵

However, interpretations differ as to whether data should be considered a civilian object and in fact there are three different interpretations on the matter. The first is the restrictive approach adopted by the experts of the TM, which is reflected in the rules quoted above. The second approach is an over-inclusive one which argues that data qualifies as a civilian object. This is problematic in that militaries for a long time have conducted information operations to undercut support for the government or its policies especially during counter insurgencies.²⁶ Any civilian data breaches then would run counter to these cardinal principles and may be unrealistic. The International Committee of the Red Cross (ICRC) has a more appealing approach which is rooted in the severity of the consequences. This approach is explained in the section below.

The Need to Protect Civilian Data

The ICRC’s approach states that:

“While the question of whether and to what extent civilian data constitute civilian objects remains unresolved, in the ICRC’s view the assertion that deleting or tampering with such essential civilian data would not be prohibited by IHL in today’s data-reliant world seems difficult to reconcile with the object and purpose of IHL. The replacement of paper files and documents with digital files in the form of data should not decrease the protection that IHL affords to them. Excluding essential civilian data from the protection afforded by IHL to civilian objects would result in an important protection gap.”²⁷

The ICRC defines essential civilian data as, for instance, medical data, biometric data, social security data, tax records, bank accounts, companies’ client files or election lists and records.²⁸ These are offered by way of example rather than as a closed list. It also encourages states to agree on an understanding that civilian data is protected by the cardinal principles of IHL.²⁹ However, it remains a question worth deliberating whether non-essential civilian data also merits protection. For instance, data breaching attacks on Yahoo in 2013 and 2014 stole personal information like names, ages, emails, communications, pictures and passwords of over 3.5 billion individuals.³⁰ While the ICRC does offer the most appealing approach in protecting essential civilian data, it remains to be seen whether, given increasing digitization, other areas affecting the personal lives of civilians may also be brought within its ambit.

Conclusion

Where cyberspace has enabled global connectivity, it has also provided us with new ways to sort, store and transfer information over long distances.³¹ This is why governments, businesses and individuals are shifting online to improve their productivity and efficiency.³² In this world where cyber technology is growing, the benefits of cyberspace must not conceal the risks associated with its use. Threats regarding the misuse of civilian data are growing along the rising trend of cyber-attacks targeting cyberspace, especially during war. Misuse or exploitation of civilian data, especially by states or non-state militant groups exposes civilians to threats of humanitarian harm. Hence, as states grow the capacity and technology for cyber warfare, LoAC must also evolve to prevent risks of civilian exploitation and humanitarian damage in modern warfare. While the ICRC’s approach is an applaudable one in that it seeks to protect essential civilian data, as the risk and proliferation of cyberattacks increase, it may be a question for LoAC lawyers whether non-essential data should also be so protected.

Syed Qasim Abbas

Syed Qasim Abbas is a student of Law and policy at the Lahore University of Management Sciences. His primary areas of interest are International Law and Diplomacy. He also focuses on Pakistan’s policy and legislative compliance with its international obligations.