Russian Cyber Attacks and the Status of Data in International Humanitarian Law
About the author: Maria Oliveira (J.D. candidate, 2024) is a Contributor to Travaux. She received her Bachelor of Arts in History from the University of Connecticut in 2021 and is interested in international and comparative law. In her free time, she enjoys playing piano and baking pies.
Image: “Cyber attacks” by Christiaan Colen.
The ongoing war in Ukraine is bringing cyberspace, the new frontier of 21st century warfare, and its implications for International Humanitarian Law (IHL) to the forefront. Even before Russia’s invasion, Ukraine was no stranger to Russian cyber attacks. It has been described as a “test ground” for Russian cyber attacks, including election interference, power grid disruptions, malware, and disinformation campaigns. For example, the Russians are alleged to be behind NotPetya, a destructive malware set off against Ukrainian public and private sectors in 2017. This wiper attack, which irreversibly encrypted data, spread globally, affecting international corporations and causing more than $10 billion in global economic losses. Mere days before Russia invaded Ukraine, Microsoft detected a new malware, FoxBlade, targeting Ukraine’s government and financial institutions. Microsoft announced that it worked with the Ukrainian government to stop the malware and expressed concern about how Russian attacks on civilian digital institutions violate the Geneva Conventions.
Understanding how cyber operations fit into the IHL framework as set forth in the Geneva Conventions and its Additional Protocols must be a critical part of the international response to Russian aggression. One aspect in particular that Russian tactics highlight is whether the Conventions may be interpreted to prohibit the indiscriminate targeting of civilian data. I argue that data should be considered an object for the purposes of IHL so that civilian data of all types has a baseline level of protection under the principle of distinction.
“Objects” and the Principle of Distinction
Civilians and their property are protected in IHL under the principle of distinction. The principle of distinction requires that parties to an armed conflict distinguish between military persons/objects and civilian persons/objects. Only military objectives (i.e., military persons or objects) may be targets of an attack. Cyberspace pushes the boundaries of what we consider to be “objects,” because it encompasses intangible things whose destruction would nonetheless have tangible ramifications.
A widely accepted principle is that a cyber operation that causes the types of damage that traditional kinetic means (i.e., through use of motion and energy) could have achieved constitutes a cyber attack, and thus is subject to IHL and to the same principle of distinction that regulates targeting in kinetic attacks. The Tallinn Manual 2.0, an authoritative research initiative that provides guidance on how current International Law applies to cyberspace, articulates the principle as follows: “A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
But what happens when the target of the operation is not the computer hardware itself, but the intangible data stored therein—such as the Russian wiper attacks targeting data held by civilian institutions? Per the Tallinn Manual’s definition, a cyber operation that targets data is only a cyber attack if data is considered an “object.” This question is much more controversial.
The Textualist Position
The majority of the authors of the Tallinn Manual take the textualist position that data is not an object. They point to the Commentary of the International Committee of the Red Cross (ICRC), which elaborates on and gives interpretive guidance for the Geneva Conventions and their Additional Protocols. The ICRC’s Commentary says that an object is something that is “visible and tangible.” Because data is intangible and does not fall within the “ordinary meaning” of “object,” cyber operations intent on destroying data do not qualify as attacks subject to the traditional principles of IHL.
This does not mean the majority believes that such operations aren’t subject to any restrictions. They instead offer additional rules that can protect specific types of civilian data. For example, Tallinn Manual 2.0 Rule 132 states that “Personal medical data required for the treatment of patients is likewise protected from alteration, deletion, or any other act by cyber means that would negatively affect their care, regardless of whether the act amounts to a cyber attack.”
Although such rules disallow certain disastrous results, they do not get to the root of the problem, and they still leave vulnerable those types of civilian data that, while perhaps not as immediately critical as medical data, are still critical to civilians’ livelihoods and wellbeing. Permanent deletion of data such as banking and tax information, social services data, email communications, and social media accounts would have severe consequences for civilians, and thus such data is also worthy of protection from indiscriminate targeting.
The Analogist Position
Some scholars and a minority of the Tallinn Manual authors support an analogist approach, saying that looking at the plain meaning of “object,” and other words such as “tangible” and “intangible,” is not enough. The analogists posit that by requiring objects to be “visible and tangible,” the authors of the ICRC Commentary were trying to exclude abstract notions—such as goals, aspirations, or civilian morale—from being legitimate targets. Because the authors were not imagining cyber warfare at the time of writing the Commentary, it makes more sense to determine whether data is more similar to the “visible and tangible” things they had in mind, or the abstract notions they were trying to exclude.
While it is true that data is generally thought to be an intangible thing, surely it is not as intangible as a person’s aims, thoughts, or psychological state of mind. Data is much more similar to a bridge than to a population’s morale, in that it is something that can be directly measured and observed, not an abstract idea that can only be evaluated subjectively.
A Functional Approach
Another way to frame this issue is to look at data for what it really is: information. Computers contain data in the same way that books and films and other physical media contain information. Consider an operation to target and burn up the financial workbooks of a swath of civilian businesses to ruin the local economy. That would be illegal because it is physically targeting civilian objects. But from a functional perspective, the physical workbooks are just vessels. Their value lies not in their physical nature, but rather in the information they contain. It just so happens that in order to destroy the information, the physical medium must be taken down with it. We are at a point technologically where critical information can be destroyed without impacting the physical medium. It should not matter if an operation targets the financial information in a physical book, or the financial information in a Microsoft Excel sheet. The impact is the same. Whether physical, kinetic damage occurs is completely arbitrary.
International consensus on whether data can be considered an object has not yet matured. In addition to the disagreements among the authors of the Tallinn Manual, there is disagreement among the small number of states that have issued position papers on the topic. States such as Israel and Denmark take the textualist position that data is not an object because it is not tangible. Romania and Norway take the analogist position that data is an object because it acts like one, while France takes a middle-of-the-road approach.
Although the question of data’s status as an object is presently unresolved, the war in Ukraine is demonstrating that it cannot be left unresolved for long. Russia has already demonstrated that it has no problem indiscriminately targeting civilians and civilian objects in kinetic warfare, and it has directed cyber attacks at civilians before the war. There is no reason to think Russia would not implement indiscriminate cyber attacks in bello, and when it does, there is no reason why operations targeting civilian data should not be subject to the same principle of distinction that physical objects already enjoy. The easiest way to ensure these protections is to adopt an interpretation of “object” that encompasses cyber data.