image for blogpost on avoiding civilian harm during data breaching cyber operations

Avoiding Civilian Harm during Data Breaching Cyber Operations

Getting your Trinity Audio player ready...

Introduction

Cyber operations have recently become a popular way of waging warfare and there has been a surge in the numbers of military cyberoperations conducted worldwide.1Centre for Strategic & International Studies, “Significant Cyber Incidents”, available at: https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents accessed July 27, 2021 According to the World Cyber Warfare Statistics, cyberoperations have increased by 440% between 2008 and 2018.2Nikolina Cvettićanin, “The largest battlefield in history – 30 Cyber warfare statistics”, available at: https://dataprot.net/statistics/cyber-warfare-statistics/ accessed July 27, 2021 States are rapidly investing in building cyber warfare capacity in order to deal with such military threats by establishing cyber forces3David Barno & Nora Bensahel, “Why United States needs and independent cyber force”, available at https://warontherocks.com/2021/05/why-the-united-states-needs-an-independent-cyber-force/ accessed July 27, 2021 and enacting independent cyber warfare policies.4Nick Beecroft, “The west should not be complacent about China’s Cyber Policy” available at: https://carnegieendowment.org/2021/07/06/west-should-not-be-complacent-about-china-s-cyber-capabilities-pub-84884 accessed July 27, 2021 In only July 2021, there were 14 significant cyberoperations conducted by the military forces of various states which included ransomware attacks, hackings of accounts of political figures, and breaches of personal data of 2020 Olympic athletes, politicians, and government officials.5Centre for Strategic & International Studies, “Significant Cyber Incidents”, available at: https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents accessed July 27, 2021

This militarisation of cyberspace raises the question of civilian protection during cyberoperations, especially because many individuals, businesses, and governments are using cyberspace for medical, social, and governance purposes. This article analyses the threat to civilians due to data breaching cyber operations by evaluating civilian protections available under the Law of Armed Conflict (LoAC). It begins by addressing the question of LoAC’s relevance to data breaching cyber operations and then identifies various legal lacunas in the applicability and protections for civilian data under the cardinal principles of distinction and proportionality. It concludes with an emphasis on the need for clear legal regulation in this field.

The Question of Relevance

There is general consensus that the cardinal principles of LoAC apply to Cyber warfare despite LoAC lacking direct provisions regarding cyber warfare.6Michael N. Schmitt, “Wired Warfare 3.0: Protecting the Civilian Population during cyber operations” available at: https://international-review.icrc.org/articles/wired-warfare-30-protecting-civilian-population-during-cyber-operations accessed July 27, 2021 This consensus is rooted in the Marten’s clause present in the Hague and Geneva Conventions, which says that in cases not covered by IHL, neither combatants nor civilians would be deprived of protection as they would continue to be governed by the principles of international law, including the laws of humanity and requirements of public conscience.7Rupert Ticehurst, “The Martens Clause and the Laws of the Armed Conflict”, available at: https://www.icrc.org/en/doc/resources/documents/article/other/57jnhy.htm accessed July 27, 2021 The Tallinn Manual on the International Law Applicable to Cyber Operations 2.0 (TM) is a non-binding document that guides us on the applicability of IHL to cyber military operation. However, it does not include many provisions specifically applicable to the protection of civilian data. Therefore, it is necessary to analyse the ways in which impact on civilian data (such as, for instance, a cyber operation during an armed conflict in which large amounts of civilian data are deleted) is addressed under the LoAC.

The Definition of an Attack

Cyberattacks regulated by the LoAC must have a nexus with an ongoing armed conflict.8 Michael N. Schmitt, “Tallinn Manual Volume 2 page 375-376”, available at: https://books.google.com/books?hl=en&lr=&id=n9wcDgAAQBAJ&oi=fnd&pg=PR12&dq=related:89Cy9csgLxmkHM:scholar.google.com/&ots=MGRZAEdleY&sig=O1k2EJdBMBjsFnxhgvDjAaYYKCw accessed July 27, 2021 According to Article 49(1) of the API, to constitute an attack there must be an “act of violence against the adversary, whether in offence or in defence”.9ICRC, “Treaties States Parties and Commentaries”, available at: https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/ART/470-750062?OpenDocument accessed July 27, 2021 Moreover, it is explicitly written, while explaining the interpretation of Article 49 of API, that attacks refer to “any land, air or sea warfare which may affect the civilian population, individual civilians or civilian objects on land”.10International Committee of Red Cross, “Treaties, States Parties and Commentaries”, available at: https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/ART/470-750062?OpenDocument accessed July 27, 2021 This poses a limitation because key customary and treaty provisions of the LoAC are framed in terms of an ‘attack’, and they only prohibit and restrict what is recognized as an attack under the LoAC.11Michael N. Schmitt, “Wired Warfare 3.0: Protecting the Civilian Population during cyber operations” available at: https://international-review.icrc.org/articles/wired-warfare-30-protecting-civilian-population-during-cyber-operations accessed July 27, 2021 For instance, Article 41 54, 55, 56, and 59 of the Additional Protocol I (API) all coin the term ‘attack’ and similarly the principle of proportionality prohibits

“an attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to concrete and direct military advantage anticipated”.12 ICRC, “IHL Database Customary IHL”, available at: https://ihl-databases.icrc.org/customary-ihl/eng/docs/v1_rul_rule14 accessed July 27, 2021

The applicability of these cardinal provisions is anchored in the notion of an ‘attack’ which makes it important to address what qualifies as an attack before applying the LoAC to a situation. Furthermore, building on the aforementioned definition of an attack, the experts that formulated the TM defined a cyberattack as a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects”.13Michael N. Schmitt, “Tallinn Manual Volume 2 page 564”, available at: https://books.google.com/books?hl=en&lr=&id=n9wcDgAAQBAJ&oi=fnd&pg=PR12&dq=related:89Cy9csgLxmkHM:scholar.google.com/&ots=MGRZAEdleY&sig=O1k2EJdBMBjsFnxhgvDjAaYYKCw accessed July 27, 2021 Operations that cause a “loss of functionality” are also considered attacks, although there was no consensus on what amounts to the “loss of functionality”.14Ibid The difficulty here arises because data breaches may not cause any incidental loss of infrastructure or life, which makes it difficult to classify them as attacks and protect civilian data using the protections promised by the LoAC.15Michael N. Schmitt, “Wired Warfare 3.0: Protecting the Civilian Population during cyber operations” available at: https://international-review.icrc.org/articles/wired-warfare-30-protecting-civilian-population-during-cyber-operations accessed July 27, 2021 An example of this is the data breaching attack that stole essential data from the U.S Customs and Border Protection Agency by an attacker called Boris Bullet Dodger.16Scott Ikeda, “US Customs and border protection data breach result of supply chain attack”, available at https://www.cpomagazine.com/cyber-security/u-s-customs-and-border-protection-data-breach-result-of-supply-chain-attack/ accessed July 27, 2021 This attack did not cause any incidental harm, however, the data that had been stolen was essential personal data, which could cause civilian harm in later years.17Josh Fruhlinger, “What is a cyberattack, recent examples show disturbing trends” available at: https://www.csoonline.com/article/3237324/what-is-a-cyber-attack-recent-examples-show-disturbing-trends.html

Data as an Object

The cardinal principles of distinction and proportionality protect civilian life, infrastructure and objects, which pose problems while applying the LoAC on data breaching operations. For instance, article 51(5)(b) and Article 57 of the Additional Protocol I notes that proportionality in an attack means that incidental loss of civilian life, injury or damage to civilian objects must not be excessive in relation to the concrete and direct military advantage anticipated.18IHL Database, “Customary IHL – Rule 14, available at https://ihl-databases.icrc.org/customary-ihl/eng/docs/v1_rul_rule14 accessed July 27, 2021 Rule 113 and 117 of the TM details the applicability of this principle to cyber operations stating that states must take in consideration both indirect and direct effects of an operation while deciding its legality under the principle of proportionality.19Michael N. Schmitt, “Tallinn Manual Volume 2 page 470-475, 481”, available at: https://books.google.com/books?hl=en&lr=&id=n9wcDgAAQBAJ&oi=fnd&pg=PR12&dq=related:89Cy9csgLxmkHM:scholar.google.com/&ots=MGRZAEdleY&sig=O1k2EJdBMBjsFnxhgvDjAaYYKCw accessed July 27, 2021; Similarly, under the principle of distinction parties of an armed conflict must always distinguish between civilian and combatant population and objects.20Distinction, “How does law protect the in war”, available at: https://casebook.icrc.org/glossary/distinction accessed July 27, 2021 States must only attack combatants and military equipment, while civilians and civilian objects enjoy protection from attack.21Ibid

However, an issue emerges when these principles are applied to data breaching operations because civilian data is not considered an object under the LoAC.22Ibid For the principle of proportionality, this is inferred reading the commentary of Rule 113 along the glossary of the TM. According to the commentary of rule 113, disproportionate harm must not be caused to ‘cyber infrastructure’, which is defined in the glossary as “communications, storage, and computing devices upon which information systems are built and operate”.23Michael N. Schmitt, “Tallinn Manual Volume 2 page 564”, available at: https://books.google.com/books?hl=en&lr=&id=n9wcDgAAQBAJ&oi=fnd&pg=PR12&dq=related:89Cy9csgLxmkHM:scholar.google.com/&ots=MGRZAEdleY&sig=O1k2EJdBMBjsFnxhgvDjAaYYKCw accessed July 27, 2021 For the principle of distinction, the same contention is clearly stated in Rule 100 of the TM. According to the commentary of Rule 100 in the Tallinn Manual (TM), a majority of the International Group of Experts agreed that the notion of object does not include data because of its intangible nature.24Michael N. Schmitt, “Tallinn Manual Volume 2 page 435- 444”, available at: https://books.google.com/books?hl=en&lr=&id=n9wcDgAAQBAJ&oi=fnd&pg=PR12&dq=related:89Cy9csgLxmkHM:scholar.google.com/&ots=MGRZAEdleY&sig=O1k2EJdBMBjsFnxhgvDjAaYYKCw accessed July 27, 2021 To reach this conclusion, most experts relied on the explanation of the notion given in ICRC’s commentary on the Additional Protocol of the Geneva Convention.25Ibid

However, interpretations differ as to whether data should be considered a civilian object and in fact there are three different interpretations on the matter. The first is the restrictive approach adopted by the experts of the TM, which is reflected in the rules quoted above. The second approach is an over-inclusive one which argues that data qualifies as a civilian object. This is problematic in that militaries for a long time have conducted information operations to undercut support for the government or its policies especially during counter insurgencies.26Josh Fruhlinger, “What is a cyberattack, recent examples show disturbing trends” available at: https://www.csoonline.com/article/3237324/what-is-a-cyber-attack-recent-examples-show-disturbing-trends.html Any civilian data breaches then would run counter to these cardinal principles and may be unrealistic. The International Committee of the Red Cross (ICRC) has a more appealing approach which is rooted in the severity of the consequences. This approach is explained in the section below.

The Need to Protect Civilian Data

The ICRC’s approach states that:

“While the question of whether and to what extent civilian data constitute civilian objects remains unresolved, in the ICRC’s view the assertion that deleting or tampering with such essential civilian data would not be prohibited by IHL in today’s data-reliant world seems difficult to reconcile with the object and purpose of IHL. The replacement of paper files and documents with digital files in the form of data should not decrease the protection that IHL affords to them. Excluding essential civilian data from the protection afforded by IHL to civilian objects would result in an important protection gap.”27ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC position paper Submitted to the ‘Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security’ and the ‘Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, November 2019, page 7

The ICRC defines essential civilian data as, for instance, medical data, biometric data, social security data, tax records, bank accounts, companies’ client files or election lists and records.28Ibid These are offered by way of example rather than as a closed list. It also encourages states to agree on an understanding that civilian data is protected by the cardinal principles of IHL.29Ibid However, it remains a question worth deliberating whether non-essential civilian data also merits protection. For instance, data breaching attacks on Yahoo in 2013 and 2014 stole personal information like names, ages, emails, communications, pictures and passwords of over 3.5 billion individuals.30Michael Hall and Dan Swinhoe, “The 15 biggest data breaches of the 21st Century”, available at: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html accessed July 27, 2021 While the ICRC does offer the most appealing approach in protecting essential civilian data, it remains to be seen whether, given increasing digitization, other areas affecting the personal lives of civilians may also be brought within its ambit.

Conclusion

Where cyberspace has enabled global connectivity, it has also provided us with new ways to sort, store and transfer information over long distances.31Technopedia, “What is Cyberspace”, available at: https://www.techopedia.com/definition/2493/cyberspace accessed July 27, 2021 This is why governments, businesses and individuals are shifting online to improve their productivity and efficiency.32Melissa J. Doak, “Working in Cyberspace”, available at: https://careers.stateuniversity.com/pages/858/Working-in-Cyberspace.html accessed July 27, 2021 In this world where cyber technology is growing, the benefits of cyberspace must not conceal the risks associated with its use. Threats regarding the misuse of civilian data are growing along the rising trend of cyber-attacks targeting cyberspace, especially during war. Misuse or exploitation of civilian data, especially by states or non-state militant groups exposes civilians to threats of humanitarian harm. Hence, as states grow the capacity and technology for cyber warfare, LoAC must also evolve to prevent risks of civilian exploitation and humanitarian damage in modern warfare. While the ICRC’s approach is an applaudable one in that it seeks to protect essential civilian data, as the risk and proliferation of cyberattacks increase, it may be a question for LoAC lawyers whether non-essential data should also be so protected.

Disclaimer

The opinions expressed in the articles on the Diplomacy, Law & Policy (DLP) Forum are those of the authors. They do not purport to reflect the opinions or views of the DLP Forum, its editorial team, or its affiliated organizations. Moreover, the articles are based upon information the authors consider reliable, but neither the DLP Forum nor its affiliates warrant its completeness or accuracy, and it should not be relied upon as such.

The DLP Forum hereby disclaims any and all liability to any party for any direct, indirect, implied, punitive, special, incidental or other consequential damages arising directly or indirectly from any use of its content, which is provided as is, and without warranties.

The articles may contain links to other websites or content belonging to or originating from third parties or links to websites and features in banners or other advertising. Such external links are not investigated, monitored, or checked for accuracy, adequacy, validity, reliability, availability or completeness by us and we do not warrant, endorse, guarantee, or assume responsibility for the accuracy or reliability of this information.

Syed Qasim Abbas

Syed Qasim Abbas is a student of Law and policy at the Lahore University of Management Sciences. His primary areas of interest are International Law and Diplomacy. He also focuses on Pakistan’s policy and legislative compliance with its international obligations.