A Case for Protecting Civilian Data Under International Humanitarian Law
Article by Harsh Srivastava,
The recent cyber feud between Israel and Iran is a cause for international concern. While the Iranian cyber attacks disrupted Israel’s railway services and water supplies, the sudden crash of Shahid Rajaee Port’s traffic control systems and mysterious fires in Iran have been attributed to Israel. The attacks have created a “tit-for-tat” precedent of targeting critical civilian infrastructure, and are a “changing point in the history of modern cyber warfare.” The series of attacks on the healthcare sectors of France, USA, and Spain during the COVID-19 pandemic has further reinforced the need to regulate cyber attacks to effectively protect civilians.
The principles of distinction and proportionality form the basis of International Humanitarian Law (IHL). While IHL recognizes that civilians may be harmed during an armed conflict, these principles ensure that civilian objects are not the direct targets of attacks and that the collateral damage to civilians is minimal. Though cyber operations target data, existing IHL regulates only cyber operations resulting in adverse physical consequences to civilians or civilian objects. This approach is insufficient as it ignores non-physical adverse consequences. Treating data as an object under IHL would render damage to certain data an essential part of proportionality and distinction analysis, regardless of the nature of consequences. This article builds upon Kubo Mačák’s argument for an evolutive interpretation of IHL that recategorizes data as an ‘object’ to ensure effective protection of civilians from cyber operations.
The focus of assessments of whether an operation amounts to an attack has shifted from the operation’s ‘instrumentality’ to its ‘consequence.’ The analytical shift has been critical in regulating cyber warfare under IHL. While the chairman of Tallinn Manual’s drafting panel agrees that non-physical attacks can result in severe consequences, the majority of the panel focused on the nature, rather than the severity, of the attack. Nevertheless, several experts within the panel disagreed, maintaining that the determining factor should be severity. Similarly, France also recently shifted its focus onto the gravity of an incident and the severity of its impact, inter alia, on the economy, civilian security, and fundamental services. Following a similar approach, whether a cyber operation amounts to a cyber attack should depend on the gravity of the incident and the degree and effect of the intrusion, physical or otherwise.
Protection of Financial Data
Economic violence, in different forms, drives and sustains modern conflicts. The economic consequences of an attack are essential to a holistic assessment of the attack’s severity. Economic rights are inseparable from human rights in the modern world, and there are arguments in favor of treating serious economic crimes as crimes against humanity.
The economic effects of targeting data may be just as, if not more severe than the physical effects of a traditional attack. For instance, attacking an empty parking lot or an unused bridge in a far-flung area will trigger IHL as these are civilian objects, even where the attack has inflicted no incidental harm to civilians. However, a cyber operation resulting in billions of dollars worth of economic loss falls outside the scope of IHL, despite the direct and significant harm such loss might have on the population. Illustratively, the Associated Press Twitter account hack which led to a $136 billion equity-market value-loss did not trigger an IHL violation.
Adopting the current approach of requiring a physical effect leads to a dichotomy where attacks with lesser consequences are regulated, but more devastating ones are not, simply because the medium of harm in the case of cyber attacks is not physical. Such an interpretation is contrary to IHL’s object and purpose of protecting civilians. In order to prevent this anomaly, along with some States, the Prosecutor of the International Criminal Court has also adopted the approach of factoring in economic damage when assessing the gravity of crimes.
Experts consider loss of data integrity, which can catalyze market-manipulation and crash the world economy, as among the most severe risks, globally. Given the modern financial market’s reliance on data and technology, its protection against cyber attacks becomes imperative. Further, given the interdependence of global financial systems, disruption in one financial market creates ripples across the globe, as seen in the 2008 Financial Crisis. Attacks on financial data can affect states and individuals not party to the hostility too. This assumes even greater significance given the $1 trillion cryptoassets market existing only in the form of data.
Doubts may arise about including cryptoassets in the proportionality and distinction analysis under IHL given their questionable legal status across the globe. However, though they may not be recognized as legal tender in some jurisdictions, most countries have not declared them illegal per se. For instance, India has not prohibited the trading of cryptoassets, though it does not recognize it as legal tender. In such countries, attacks on cryptoassets should certainly be considered while assessing the severity of attacks, and in particular, the economic damage they produce.
Moreover, even in countries that have completely prohibited cryptoassets, such as Egypt, mounting a cyber attack on civilian crypto assets should amount to an IHL violation. An analogous case is the targeting of Afghan drug-lords by NATO, which was considered to be a violation of IHL even though drug trade was illegal. While Dapo Akande made an interesting argument in favor of targeting poppy fields and drug labs, that theory was based on local Afghan law which allows for such targeting, not on IHL. Similar targeting in other states would have required the permission of those respective states. Given that there is no local law allowing for targeting of crypto assets, though they might be illegal, its targeting should be considered to violate IHL.
Thus, taking the non-physical and monetary effects of data-targeting into account for proportionality and distinction analysis is vital to protecting civilians against indiscriminate and grave damage. While there is much debate as to the extent of protection that must be afforded to such civilian data, the growing need for some protection at all it is increasingly clear, with a number of institutions working towards devising a policy in that regard.
Protection of Essential Civilian Functions
Multiple experts, organizations and States have reiterated the importance of protecting critical civilian infrastructure and essential services. To that end, certain objects and property have been afforded special protection from hostilities under IHL owing to the nature of their function or significance attached to them. While some critical civilian objects such as medical units have been afforded special protection under IHL, medical data has curiously been omitted. Expressing discontentment with this approach, ICRC stated that data belonging to objects enjoying special protection under IHL should also be protected. A number of international law experts, through the First and Second Oxford Statements, have emphasized the need for protecting medical records and research data during the COVID-19 pandemic.
A minority of Tallinn Manual drafters also concluded that “civilian data that is ‘essential’ to the well-being of the civilian population is encompassed in the notion of civilian objects and protected as such.” Further, the International Committee of the Red Cross (ICRC) opines that the object and purpose of IHL mandates the prohibition on tampering or deletion of essential civilian data–an assessment Professor Schmitt agrees with in principle.
However, even these protections would not be sufficient to effectively protect civilians and civilian data because the special status is not afforded to other critical data-sets, such as election records, tax records, law-enforcement records, social-security data, among others. The International Review of the Red Cross makes a case for developing state practice to afford special protection to “essential civilian functions or services.” However, categorizing particular activities as essential functions is difficult due to varying and dynamic interests of states.
While determining a universal threshold definition seems unachievable at this point, a focus on the severity of consequences is a good starting point. IHL should afford protection to those data sets, attacks on which would have a significant impact on critical civilian infrastructure. For instance, France has adopted the approach that attacks disabling significant parts of the country’s activities, an ecological or technological disaster, or leaving a significant number of victims constitute a significant impact on critical infrastructure. Another such example would be acts impeding the delivery of social services or hindering primary and secondary education.
Owing to the dynamic nature of armed conflicts, the definition of ‘object’ must evolve. International legal protection should be unfettered by a mere shift from paper to virtual filing. Excluding data from the IHL definition of ‘object’ would leave civilians and civilian objects vulnerable to cyber attacks, effectively relaxing IHL norms and allowing belligerents to target civilians in violation of the intransgressible principle of distinction. Moreover, damage to civilians by such attacks would not even form part of a proportionality analysis.
Considering the potential consequences of excluding data from IHL protections, and given that the object and purpose of IHL is to protect civilians from those very consequences, the need of the hour is to regulate cyberspace in order to maintain and improve the integrity of certain categories of data. To that end, experts have argued for the development of state practice where states would afford special protection to essential civilian functions under Customary International Law by declaring certain functions or objects as “digital safe havens''. ICRC has even suggested drafting complementary rules to effectively protect civilians.
Undoubtedly, gathering consensus would be an extremely difficult exercise, especially in light of Russia’s and China’s recent refusal to acknowledge the applicability of IHL to cyber warfare altogether. However, adopting an evolutive approach to read data as an object under the extant treaty law of IHL would not require us to wait for the development of state practice to afford effective protection of data. Such an interpretation is better suited to address the immediate challenges of modern cyber warfare, pending the success of alternatives.
With “Cyber Winter” coming, the need to shield civilian data with the blanket of IHL is growing imminent. Thus, IHL should account for evolutions in how we store and transmit data, the most valuable resource of the 21st century, to be successful in achieving its object and purpose of protecting civilians from the adversities of warfare.
Harsh Srivastava is a 5th year B.A., LL.B. (Hons.) student at the National Law School of India University, Bangalore.