A Policy Approach for Addressing the “Cyber Attacks” and “Data as an Object” Debates
Among the issues examined at this week’s International Society of Military Law and the Law of War’s annual Silent Leges Inter Arma? (In Times of War, the Law Falls Silent?) Conference in Bruges, Belgium, is the protection of civilians against digital threats during armed conflict. The subject raises many questions about how the law of armed conflict (LOAC) governs cyber operations. They range widely from questions regarding the initiation of armed conflict by cyber operations standing alone to those dealing with cyber targeting, such as how to assess the proportionality of incidental cyber effects or factor cyber capabilities into precautions in attack feasibility determinations. Lethal autonomous weapons systems and artificial intelligence-enabled warfare further complicate matters.
However, two issues have occupied center stage since the LOAC community began to seriously consider cyber operations following their use during the international armed conflict between Georgia and Russia in 2008. They are both definitional in character. The first is how to understand the LOAC notion of “attack” in the cyber context, for the answer dictates whether its rules on attacks apply. The second is whether data is an “object,” as that term is used in LOAC. The answer to that question determines whether the prohibition on attacking civilian objects applies when directing cyber operations at data (as distinct from hardware). The just-released International Committee of the Red Cross 2024 Challenges Report highlights both issues and appropriately so.
In this post, I explain the significance of the two issues and indicate where States are coming down on them. We are seeing the unfortunate crystallization of competing camps over each. Convinced that this disagreement among States can pose unnecessary risks to civilians and impair interoperability among States that operate together in ad hoc coalitions or alliances, I offer two policy proposals designed to temper some of the normative misalignment. They are proposals, with some minor adjustments, that I have discussed in greater detail before. Yet, the gap between the camps has only widened since then, thereby meriting their reconsideration before it becomes impassable.
The Issues
Cyber Attacks
Distinction is the foundational principle governing the conduct of hostilities during an armed conflict. It is operationalized in a series of rules that set forth obligations, prohibitions, and restrictions regarding “attacks,” a term of art in LOAC. Among the most significant are the bans on attacking civilians and civilian objects, the rule forbidding indiscriminate attacks, the proportionality rule, and the requirement to take feasible precautions in attack to minimize certain forms of civilian harm.
These rules only bear on cyber operations that qualify as an “attack.” In this regard, Additional Protocol I to the 1949 Geneva Conventions, in Article 49, defines attacks as “acts of violence against the enemy, whether in offence or defence.” The International Groups of Experts (IGE) that drafted the two Tallinn Manuals agreed that this treaty definition reflects customary international law (subsequent cites are to Tallinn Manual 2.0). The IGE also concluded that despite the reference to “acts” of violence, the definition, properly understood, encompassed operations that have violent “consequences” (Tallinn Manual 2.0, rule 92, commentary). This was a pivotal observation in the cyber context because cyber operations are not violent themselves; they are merely communications to cyber infrastructure.
Accordingly, Tallinn Manual 2.0’s Rule 92 defined a cyber attack as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” Because Tallinn Manual rules required IGE unanimity, Rule 92 reflected the only interpretation of the term attack in the cyber context with which all the experts could agree.
Therefore, the definition adopted by the IGE is deceptively ambiguous. A majority of the experts, including me, would go further. We advocated an approach by which a cyber operation resulting in a “loss of functionality” of cyber infrastructure qualified as an attack. For us, if a system did not work, it was “damaged,” thereby qualifying the operation against it as an attack. Disagreement arose, however, over the concept’s scope. For instance, some would limit qualification based on a loss of functionality to situations in which the cyber infrastructure concerned requires replacement or physical repair. Others would go further, for instance, by treating a cyber operation that seriously impairs functionality, even temporarily, as an attack subject to the LOAC conduct of hostilities rules.
But it must be emphasized that States and States alone make international law and, more importantly, authoritatively interpret it in the cyber context; we were merely offering our analysis to States for their consideration. Unfortunately, States, like the IGE, have been unable to reach a consensus on the matter.
Two competing camps that mirror those of the IGE have emerged. The more restrictive one would limit the treatment of a cyber operation as an attack to situations in which physical consequences manifest. For example, Denmark is of the view that “a cyber operation may be considered an attack in the context of an armed conflict where it produces effects akin to those of a kinetic attack. Consequently, a cyber operation will constitute an attack if it can be reasonably expected to cause injury, death, or physical damage to individuals or objects.” The Danish Military Manual explains that “temporary inoperability” does not suffice, offering the example a “digital ‘freeze’ of a communication control system.”
Israel is of the same mind. During an event hosted by the U.S. Naval War College, its Deputy Attorney General observed that “an act will constitute an attack only if it is expected to cause death or injury to persons or physical damage to objects, beyond de minimis. … [M]ere loss or impairment of functionality to infrastructure would be insufficient.” However, he caveated this conclusion with the sensible observation that “when an act causing the loss of functionality is a link in the chain of the expected physical damage, that act may amount to an attack.” In other words, if the “knock-on” effects of a cyber operation are physical in character, Israel would consider the operation an attack. No State disagrees with the caveat.
This year, the Czech Republic took the same position, noting that the effects of a cyber operation must be “comparable to those conducted by conventional means or methods of warfare to be considered an attack, for instance if a cyber operation is designed or reasonably expected to cause injury or death to persons or damage or destruction to objects during an armed conflict.” A number of other States are in accord.
A second group of States has adopted the loss of functionality approach championed by a majority of the Tallinn Manual 2.0 experts. France was the first to do so, stating in a 2019 Ministry of the Armies document that a cyber operation is an attack “where the targeted equipment or systems no longer provide the service for which they were implemented, whether temporarily or permanently, reversibly or not.” However, it distinguished between types of functionality loss. By the French approach, a cyber operation that causes permanent loss of functionality always qualifies as an attack, whereas one generating temporary or reversible effects does so only if it necessitates repair, replacement of parts, reinstallation of network software, and the like. This distinction rules out temporary denial of service operations standing alone.
Other States agree in whole or in part. For instance, Italy considers the “disruption in the functioning of critical infrastructure” to be an attack, although it has not opined on the loss of functionality of other cyber infrastructure. Costa Rica takes an expansive approach by which “disabling – temporary or permanent, reversible or not – of the targeted computer, system or network” suffices to qualify a cyber operation as an attack. And Germany has stated that “the occurrence of physical damage, injury or death to persons or damage or destruction to objects comparable to effects of conventional weapons is not required for an attack,” while cautioning that “the mere intrusion into foreign networks and the copying of data does not constitute an attack under IHL.”
Ireland’s position on the matter is especially interesting. In its opinion, the notion of attack “extends to cyber operations expected to cause loss of functionality to networks or electronic systems.” To justify this stance, it explains that to
interpret the term otherwise would mean that a cyber-operation that is directed at making a civilian network (such as electricity, banking, or communications) dysfunctional, or is expected to cause such effect incidentally, might not be covered by essential [international humanitarian law] rules protecting civilians and civilian objects, and would not be consistent with the object and purpose of the Geneva Conventions and their Additional Protocols.
The problem is that both approaches are problematic. On the one hand, limiting qualification as an attack to those cyber operations causing physical damage or injury would leave some that could dramatically disrupt civilian life beyond LOAC’s reach. For instance, a cyber operation that disrupted the delivery of social services or education would not be prohibited unless the cyber infrastructure upon which those functions rely was physically damaged during the operation, which is unlikely in most cases. On the other hand, the expansive approach based on a loss of functionality takes many military cyber operations, like psychological operations directed at the enemy State’s media, off the table. This is unacceptable to some States, for psyops directed at other than military forces have long been a part of warfare. No middle ground appears to be emerging between these extremes.
Data as an Object
The second issue revolves around the question of whether data qualifies as an “object.” Most significant in this regard is the LOAC rule prohibiting attacks on civilian objects. If data is an object, as that term is understood in LOAC, a cyber operation intended to alter or destroy it would amount to an attack on a civilian object and, therefore, be unlawful. Beyond that, harm to civilian data during a lawful cyber attack on a military objective (such as dual-use cyber infrastructure) would have to be factored into the requisite proportionality analysis, and the attacker would be required to assess whether feasible means of minimizing harm to the data (without sacrificing military advantage) existed.
This is an important issue because there are many situations in which a party to a conflict might wish to target data, as distinct from the cyber infrastructure with which it is related. To cite a few examples, a party might want to embed deep fakes into a national news broadcast to affect civilian morale, delete tax records to complicate financing of the war effort, or alter or delete civilian transportation data to create civilian chaos to undercut support for the war.
As with the definition of attack, the Tallinn Manual IGE discussed the matter in great depth. Again, it was unable to achieve consensus. As explained in the commentary to Rule 100, most of the experts believed that the LOAC notion of “object” does not, at least in the present state of the law, include data. They based this view on the fact that data is intangible and, therefore, does not fall within the plain meaning of the term object. However, along the lines of the aforementioned Israeli caveat in the attack context, these experts emphasized that if a cyber operation against data nevertheless generates effects on cyber infrastructure that would qualify the operation as an “attack” (itself an unsettled issue), the targeting rules would come into play on that basis.
A minority of the experts took the opposite approach. In their opinion, the majority’s approach was inconsistent with the object and purpose of the LOAC rules that protect civilian objects, particularly the principle that the civilian population should enjoy general protection from the effects of hostilities. They pointed out that by the majority approach, “even the deletion of essential civilian datasets such as social security data, tax records, and bank accounts would potentially escape the regulatory reach of the law of armed conflict.” For them, the severity of the consequences of a cyber operation targeting data is what should matter. Accordingly, these experts concluded that “at a minimum, civilian data that is ‘essential’ to the well-being of the civilian population is encompassed in the notion of civilian objects and protected as such.”
As should be apparent, the two approaches pose the same dilemma as the division over the meaning of attack. On the one hand, the first view leaves open the possibility of massive disruption of civilian life by cyber means, a risk that is growing exponentially as societies increasingly depend on cyberspace and, accordingly, the data cyber activities rely upon. However, the second view means taking many cyber operations off the table, either because they are directed at civilian databases (e.g., psyops) or due to the operation of the proportionality rule.
States are struggling over the matter. A sampling of State positions illustrates this divide. Not unexpectedly, those States taking a restrictive view of attacks tend to do the same vis-à-vis treatment of data as an object. For instance, in the same presentation in which he discussed the meaning of attack, Israel’s Deputy Attorney General stated that “only tangible things can constitute objects.” Similarly, the Danish Military Manual provides that “data do not in general constitute an object.”
Conversely, Costa Rica predictably “endorses the view that civilian data constitute civilian objects under [international humanitarian law] and must be protected accordingly.” Germany has similarly opined that an operation qualifies as an attack if it causes harmful effects on “information that is stored, processed or transmitted,” which necessarily includes data. For its part, France observed back in 2019 that “[g]iven the current state of digital dependence, content data (such as civilian, bank or medical data, etc.) are protected under the principle of distinction.” Interestingly, France limits its position to content data, which is data containing information such as records. It does not treat process data, which is data upon which the functionality of cyber infrastructure depends, as an object. By this approach, during an operation against process data, the applicability of targeting rules would depend on whether the operation generated the requisite attack effects on associated cyber infrastructure.
Two Policy Proposals
These are not insignificant debates; they determine when a State may lawfully pull the cyber trigger. Unfortunately, I see little hope of States resolving either in the foreseeable future.
The debates must be placed in an operational context. States that have adopted the broad approaches to defining attacks and objects have taken some cyber operations off the table for their own forces. Whether or not theirs is the correct view as a matter of law, they have made a sovereign choice, so they can hardly complain of limitations on their cyber operations. The real challenge is alleviating the impact of cyber operations conducted by States that have adopted restrictive approaches to the two issues. Even if their positions are correct in law (reasonable minds differ), there is no denying the potential risk they pose for civilians.
Perhaps an answer lies in adopting policies that extend greater protection to the civilian population without unduly restricting military operations. I offer two for consideration by States when they conclude that 1) LOAC does not prohibit a cyber operation because it is not an attack, 2) civilian data may be targeted because it is not an object, or 3) the alteration or destruction of civilian data need not be considered in proportionality and precautions in attack assessments during an attack on a military objective because data is not a civilian object. In my estimation, they are militarily sensible.
Proposal One
By the first, States would, as a matter of policy, commit to refraining from conducting cyber operations against civilian infrastructure or data that would interfere with certain “essential civilian functions or services.” In other words, the functions and services concerned would be entitled to policy-driven “special protection,” much as LOAC extends special protection to, for example, medical functions and humanitarian assistance. Note that the protection is accorded to functions or services rather than particular cyber infrastructure. Accordingly, the policy would prohibit any cyber operation that degrades them, irrespective of how the degradation manifested.
The policy’s challenge lies in identifying civilian functions or services that qualify as essential. Functions or services that contribute even indirectly to the enemy’s military wherewithal or staying power, such as media broadcasts supporting the government, would not (although they would be encompassed in the second proposal). Yet, certain civilian functions are unambiguously essential. Examples include the delivery of social services for the disabled, poor, and elderly; primary and secondary education; and the integrity of financial institution data and systems serving the civilian population. Functions or services that contribute to the well-being of the civilian population over the long term, especially during recovery from armed conflict, would be especially likely to qualify as essential. For example, there should be no intentional interference with university teaching and research unrelated to military operations. Of course, since the proposal involves adopting a policy, the States concerned would have to identify essential civilian functions and services; collaboration between them would be highly beneficial.
Proposal Two
The second proposal is that States adopt a policy of refraining from conducting cyber operations when the expected concrete negative effects on individual civilians or the civilian population are excessive relative to the concrete benefit related to the conflict that is anticipated to be gained through the operation. This policy would apply when the party concerned believes the operation under consideration is not an attack. It is designed to minimize negative effects on the civilian population when doing so is militarily sensible, and the law itself does not reach those effects, at least not in the opinion of the State concerned.
As should be apparent, the proposal is based on the LOAC rule of proportionality that applies during attacks on military objectives. However, there are differences. To begin with, it would apply to cyber operations directed against not only military objectives but also civilians and civilian objects. Of particular importance in this regard is that the policy would govern cyber operations against dual-use military objectives. Thus, the civilian use of the dual-use target would factor into the policy’s assessment, which is not always the case when applying the proportionality rule.
Further differentiating the policy from the proportionality rule, the operations encompassed by the policy need not qualify as an attack, and there would be no limitation on consideration of collateral damage to the types of harm enumerated in the proportionality rule (“incidental loss of civilian life, injury to civilians, damage to civilian objects”). It applies to all “negative” effects. Thus, for instance, a State that has adopted the policy would consider the impact of a temporary denial of service operation having no physical consequences, as in the case of an operation that interfered with the ability of civilians to access funds in their bank accounts.
However, there are guardrails to prevent the proposed policy from being overly inclusive. For example, the reference to “concrete” effects and “concrete” benefits is meant to exclude purely speculative ones. Additionally, note that the policy is permissive in that it allows a State that has adopted it to factor in benefits to the conflict generally, which is broader than the proportionality rule’s limitation to “concrete and direct military advantage.” All that is required is a nexus to the conflict, whether direct or indirect. Accordingly, benefits at the tactical, operational, and strategic levels of war may be considered, whereas the rule of proportionality is generally limited to tactical and operational levels of war and military advantages. And only concrete negative effects for civilians and the civilian population need to be considered by the party mounting a cyber operation; effects on objects are not factored into the policy unless they affect civilians.
Finally, note the adoption of the term “excessive” from the LOAC rule of proportionality. I use it to denote that the policy would not be a so-called balancing test in which an operation’s adverse effects need only slightly outweigh its benefits to trigger the policy. Instead, excessive is meant to denote a “significant imbalance” (see Harvard AMW Manual, rule 14).
Concluding Thoughts
It is unfortunate that these key elements of the law governing cyber targeting remain unsettled, for cyber operations have become an entrenched element of modern warfare, one that not only affects the course of battle but also presents serious risks for the civilian population. States are taking these issues on, but sadly, they are coming to different conclusions. Indeed, it seems the gap between the restrictive and permissive camps is widening.
The modest policy proposals set forth above are meant to ease some of the effects on the civilian population of cyber operations that are not reached by LOAC, at least not in the eyes of the party conducting them. They are designed to reflect the military necessity – humanitarian considerations balancing that infuses the rules of LOAC. Accordingly, I have attempted to craft them to be palatable to commanders in the field.
Finally, I want to emphasize, particularly for State legal advisers in and out of uniform, that I proffer the proposals only as voluntary policy recommendations. They are outlined in very broad-brush strokes, for I intend them only to serve as the starting point for internal and external discussions on how to shape cyber operations in the face of disagreement over the law. Should they prove convincing, it remains for States to develop them more fully.
***
Michael N. Schmitt is the G. Norman Lieber Distinguished Scholar at the United States Military Academy at West Point. He is also Professor of Public International Law at the University of Reading and Professor Emeritus and Charles H. Stockton Distinguished Scholar-in-Residence at the United States Naval War College.
Photo credit: U.S. Army Cyber Command