Attack on Civilian Data and International Humanitarian Law

INTRODUCTION

Rapid developments in technology make it not only the biggest asset but also the biggest threat of modern times. Indeed, cyber attacks are becoming a practice with hospitals, medical units, governments and, most importantly, civilians facing its wrath. At an international level, the nature of warfare is expected to undergo a tremendous shift given the extensive usage and investments made in technology by most states today. While, inter alia, malware, phishing and hacking are the most common examples of cyber-attacks experienced on a day-to-day basis, a cyber-attack on something as sensitive as civilian data poses the next big threat.

Civilian data, within its ambit, includes important information stored by the government on its citizens in the form of a record. Such crucial information in the hands of cyber criminals or even other governments can give them an unfair advantage in times of war. This raises the important question: can an attack on civilian data give rise to an armed conflict? The law of armed conflict or International Humanitarian Law (IHL) regulates the rules of warfare, laying down what can and cannot be attacked in times of war. Grave breaches of IHL invite criminal liability under the Rome Statute, 1998. However, whether misuse of civilian data is explicitly or implicitly prohibited under IHL or not, remains a matter of great debate.

IHL ON ‘CIVILIAN DATA’

The Geneva Conventions prohibit attacks on civilians and civilian objects. Every belligerent party must distinguish military objects from civilian objects and direct their attacks only towards the former. In order to determine if data constitutes a civilian object or not, it must fall within the meaning of ‘civilian objects’ under the Geneva Conventions or its Additional Protocols (API or APII). Article 52(1) of the API defines civilian objects as “all objects which are not military objectives” and Article 52(2) defines military objectives as “limited to those objects which by their nature location, purpose or use make an effective contribution to military action . . . .” On this, the International Committee of the Red Cross (ICRC) has observed that the word ‘object’ would include ‘something presented to the sight or other sense’ implying tangibility.

Apart from the Conventions, the Tallinn Manual on the International Law Applicable to Cyber Warfare, (Tallinn Manual 1.0) is the primary authority on cyber warfare as of date. The International Group of Experts behind the compilation of the manual were faced with the task of defining what constituted military objects. Though eventually they were heavily influenced by the API and the ICRC Commentary, the discussions (p.226) witnessed a difference in opinion. There were no objections to the observations that “computers, computer networks and other tangible components of cyber infrastructure constitute objects.” However, the majority was of the view that given the implied tangibility within the meaning of the term ‘object’, data did not per se qualify as one.

A minority, however, adopted a broader, more inclusive definition of what could qualify as an object. This response aimed at maximum protection for civilians as well as adapting IHL to suit the needs of current times. ICRC’s stand concurs with this minority view. In 2015, ICRC opined (p. 43) that:

“The conclusion that this type of operation would not be prohibited by IHL in today’s ever more cyber-reliant world – either because deleting or tampering with such data would not constitute an attack in the sense of IHL or because such data would not be seen as an object that would bring into operation the prohibition of attacks on civilian objects – seems difficult to reconcile with the object and purpose of this body of norms.”  

The current position under the Tallinn Manual remains that some attacks on data can qualify as an attack on a civilian object if targeting such data could result in physical consequences. That being said, the Tallinn Manual is only a persuasive document laying down the views of experts on the matter. Ultimately it will be for the states to decide if an attack on data will constitute an attack under the Geneva Conventions or not.

POSSIBLE OUTCOMES

It will be no surprise if states are soon required to determine whether data will constitute an ‘object’ under IHL and whether an attack on civilian data will constitute an attack under the Geneva Conventions or not. State practice is therefore expected to play an important role in settling this issue. However, this question is not one that can be easily answered given the personal interests of the states involved.

First, it is impossible to construe a scenario where most states would regard the misuse of civilian data as a crime under the International Criminal Law. Civilian data, today, in the hands of respective governments act as their biggest tool in achieving their own political objectives. There are numerous instances of misuse of civilian data by governments and political parties, especially during elections, as a means to garner votes and retain their offices. This being a common practice, states will not be keen on jeopardizing their own position and therefore, opposition to including data under the ambit of ‘object’ by most states would not come forth as a surprise.

If states do refuse to recognize attacks on civilian data, the natural implication of this would be the complete exposure of civilians to virtual abuse. In this digital age, one’s personal data in the hands of others leaves little protection to a common man even if the threat is not physical. This is the reason why most jurisdictions consider personal data to fall under the private sphere of an individual and any violation of it is a violation of one’s fundamental right to privacy. Moreover, if used as a means of warfare, it leaves the citizens of a country exposed to their belligerent party. The adverse party might use the data to threaten, coerce, or torture them without even causing any physical consequences to anyone and would, therefore, clearly escape liability.

The underlying dichotomy makes it clear that whether an attack on civilian data would constitute an armed conflict under IHL is one question that does not have a direct answer. Practically, civilians cannot be left without any protection or any recourse in the event of misuse. On the other hand, states will not risk criminalizing the misuse of civilian data given their own political interests. Such a situation calls for a creative solution. This can possibly be achieved if states choose to be more cautious and selective in using and criminalizing the misuse of civilian data. In other words, states must categorize data and criminalize any attack on the most sensitive information which is likely to cause large-scale damage to its citizens. Such data should not be left lying unprotected and liability must be attracted to anyone misusing it. The benefit of this is that this will also encourage the governments to use sensitive civilian data carefully and with utmost caution.

CONCLUDING REMARKS

After reviewing the stand of IHL and experts on the attack on civilian data and the possible answers to this question, it can be concluded that this matter requires utmost attention and discussions. In the era of digitalization, cybercrime cannot be taken lightly given that apart from states, individuals and terrorist organizations, too, have access to sophisticated technology capable of causing wide-scale harm. Presently, there are little examples of misuse of data without having physical consequences, however, it is certainly not impossible to achieve. With this uncertainty lurking around, states might find it to be in their interest to not clarify their position on the subject given their ambitions. However, a situation might arise in the near future compelling states to respond and take a definitive stand, putting an end to this uncertainty. States will have to make an effort to come up with creative solutions in addressing the issue at hand.

 

Leave a Reply

Your email address will not be published. Required fields are marked *