“Attacking” Electrons: Data as an Object in the Law of Armed Conflict


As the prevalence and importance of data in society grow, and the lines between civilian and military information technology infrastructure continue to blur, such systems and the data residing on them will become increasingly important in future armed conflict. As with every development of warfighting technology throughout history, the weaponization of cyberspace will require a new understanding of how laws written for traditional kinetic operations, which cause physical injury and damage, apply. Perhaps the most distinctive aspect of cyber operations is their ability to cause a wide range of consequences. Some are easily analyzed within the traditional framework, especially those cyber operations that cause physical damage, injury, or destruction to tangible objects in the real world.

The most well-known example of this type of operation was the Stuxnet attack on Iran’s Natanz nuclear enrichment facility in 2010. That attack caused the physical destruction of thousands of centrifuges by manipulating control systems, causing the delicate equipment to spin itself apart.[1] Such cyber effects are well accepted as attacks under traditional understandings of the law of armed conflict (LOAC).

The harder question for practitioners is how to treat cyber operations that do not result in effects that are easily analogous to traditional kinetic strikes. Cyber operations are uniquely suited to cause widespread operational and strategic effects without directly harming a single person or damaging a real object. As recent events have shown, cyber operations can have enormous political, economic, and social consequences that harm some of the most important interests of states, but do not fit neatly into kinetic definitions of attacks.

For example, the integrity of the U.S. political system was called into question by cyber theft of harmful information from key components of the Democratic Party.[2] Similarly, cyber attacks can cause system-level damage to financial and economic systems that would be prohibitively difficult by traditional kinetic means. Physically bombing an individual bank, or several banks, would have limited effect on the financial and economic viability of a state, but a cyber attack that erased the debt records of an entire country or shut down a stock market could have catastrophic consequences for the entire system. “A cyber operation targeting civilian cyber infrastructure . . . without physical effects could be far more detrimental than one causing limited damage.”[3]

At the core of this dilemma is the LOAC definition of attack. The fundamental aspects of LOAC rules regarding targeting, which some would argue are also the core tenets of LOAC writ large, are all couched in terms of “attacks.” “[A]ttacks against civilians and civilian objects are prohibited, indiscriminate attacks are forbidden, parties to the conflict must take precautions to minimize civilian harm when planning and conducting attacks, a defender must take precautions to protect the civilian population against the effects of attacks, and so forth.”[4] Before any of these rules can be applied to cyber operations, it must first be determined what constitutes an attack in the cyber domain. Given the breadth of consequences that can flow from a cyber operation, this is no easy question to answer.

One of the central problems is the status of data under LOAC. LOAC principles governing the means and methods of warfare have evolved to define objects as tangible and visible things in the real world that could be destroyed or damaged through military action.[5] Such tangible objects that serve a valid military purpose may be lawfully targeted. Likewise, damage was understood to mean actual, physical damage such as would be caused by bombs, bullets, and the traditional means and methods of warfare.[6]

Consequently, cyber operations that only delete or detrimentally alter data, such as the attacks on political and economic systems described above, cannot be defined as an attack because the target does not fall within the category of object. The incongruous result is that operations that can have far-reaching and severe consequences to national survival and independence are not governed by fundamental LOAC rules that seek to limit the suffering of war. Accordingly, prohibitions on targeting civilian objects, indiscriminate attacks, and causing excessive collateral damage would not apply.


To adequately account for the intangibility, but frequently vital importance, of certain data and the severe effects that attacks on data may produce, the traditional definition of objects must be expanded. Data should be understood as an object under the law of armed conflict since certain kinds of data are so vital that alteration or deletion would have grave and dangerous effects, equal to or exceeding traditional physical effects, on state actors.

Similarly, the traditional understanding of damage in tangible, kinetic terms is rendered incongruous as a result of advances in technology and modern reliance on networks and data. From the target state’s perspective, it makes little difference if its systems no longer work because they were physically destroyed or had their intangible data corrupted by cyberattack. Either way, they do not work and are no longer able to accomplish any vital purpose they may have served.

However, redefining the concept of object in LOAC to include intangible data does not come without drawbacks. Notably, such a paradigm risks stretching the universe of attacks under LOAC beyond its usefulness and fostering conflict and escalation because formerly permitted activities now rise to the level of attack. If any manipulation or deletion of data is an attack, the threshold for application of LOAC is lowered. In the extreme, such innocuous actions as deleting a social media post or account, small scale distributed denial of service (DDoS) attacks, and information and psychological operations in cyberspace could be considered attacks. “International humanitarian law is a careful balancing of humanitarian concerns with military necessity; simply styling data as an object would throw this balance out of kilter, by barring operations that today are considered lawful in both their cyber and traditional guises.”[7]

The International Group of Experts responsible for the Tallinn Manual on the International Law Applicable to Cyber Warfare stopped short of fully embracing data as an object, while still attempting to account for its uniquely important role in much of the modern world. Instead of redefining objects to include data, they embraced an interpretation of damage to include loss of functionality.[8] Under this test, even where no physical damage or destruction results from a cyber operation, it is still properly classified as an attack when it sufficiently inhibits the functionality of a system. Disagreement arose among the experts over the degree of impairment required to constitute loss of functionality, but the fundamental interpretation represents a successful compromise between accounting for the unique aspects of data as a target and an overly broad application of LOAC.

However, even this approach has its own limitations. The test focuses solely on the functionality of cyber infrastructure itself, which includes the computers, servers, and networks on which a given system depends. The debate among Tallinn Manual experts on the degree of harm required turned on factors like whether or not physical components of this infrastructure had to be replaced or if simply reinstalling software or operating systems would restore functionality. It does not adequately address the value of potentially altered or deleted data that is resident on the system itself.

In nightmare cyber scenarios such as crashing the stock market or corrupting the software that controls the power grid, it is the data impacted by the loss of functionality that poses the gravest threat, not the malfunctioning of the control systems themselves. Instead of merely focusing on the functionality of the cyber infrastructure, a better approach is needed to account for the real consequences of the attack — the valuable data on which these institutions are based. Classifying data as an object that may be the target of an attack is better suited to regulating conflict in this realm given the vital role that data plays in the modern international system. Further refinement will be necessary to overcome the risk of lowering the threshold of attack too far, but it is better to construct a regime that can help prevent a cyber catastrophe than to avoid the issue because it might be unreasonably interpreted by future actors.

[1] See generally Andrew C. Foltz, Stuxnet, Schmitt Analysis, and the Cyber “Use-of-Force” Debate, 67 Joint Force Quarterly 40 (2012); Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (2014).

[2] See Eric Lipton, David E. Sanger & Scott Shane, The Perfect Weapon: How Russian Cyberpower Invaded the U.S., N.Y. Times, Dec. 13, 2016, https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0 (describing the alleged Russian cyber intrusion into the Democratic National Committee during the 2016 presidential election).

[3] Michael Schmitt, The Law of Cyber Targeting, 68 Naval War College Rev. 11, 16 (2015).

[4] Id.

[5] Michael N. Schmitt, Rewired Warfare: Rethinking the Law of Cyber Attack, 96 Int’l Rev. Red Cross 189, 200 (2014).

[6] Id. at 202.

[7] Schmitt, The Law of Cyber Targeting, supra note 3, at 17.

[8] Tallinn Manual on the International Law Applicable to Cyber Warfare 108–09 (Michael N. Schmitt ed., Cambridge University Press 2013).