Protecting Data in the Age of Cyber Warfare

U.L.B Nipuni
U.L.B Nipuni is an Attorney-at-Law of Sri Lanka currently serving as a Consultant/Lecturer at the National Institute of Business Management. She is a double degree holder in LLB Hons (UK)and BA (Special) in International Relations, University of Colombo. Due to her passion on war studies, she engages in research related studies mainly linked to International Humanitarian Law and International Human Rights Law.

With the advancement of science and technology, many aspects of the human community are changing rapidly. Among these, one can very intelligibly and visibly notice the changes in modern day warfare. States no longer deploy its troops to partake in armed conflicts; rather they comfortably plan mass attacks that are launched in cyber space by targeting data stored in computers. Amidst an obvious paradigm shift in kinetic warfare as such, the question of protection of data in armed conflicts still grapples with conceptual confusions and definitional obscurities concerning the notion of data itself leading to nebulous laws in cyber warfare. Until and unless there is a clear-cut understanding of which aspect of data has to be protected from adversarial cyberspace attacks, it is going to be a colossal task for humanitarian law to provide any protection for data in an armed conflict leading to sporadic patterns of damage and casualties. When data is not duly protected during an armed conflict, it can cause grave paralysis to day-to-day civilian activities such as public infrastructure and other services essential to humans. It is of absolute importance that the States and international bodies prepare themselves and prepare robust legal frameworks that would generate strong preventive measures against cyber threats and attacks that could harm civilian lives. 


Modern day States and belligerents can cause more harm to civilians by directing attacks on data, than destruction of physical objects through military operations ever did. For instance, by launching a ransomware operation against a hospital, adversaries can collapse entire civilian medical facilities by withholding their data. Through digital blackmailing, adversaries can threaten to leak sensitive data of civilians and attack their morals. One might wonder how can attacking certain data, stored in the most rudimentary form i.e. in the form of binary system, cause such vast destructions? The simplest answer is that the modern technological world relies heavily on data and its storage in computers, and any distortion can cause severe disruptions to civilians and their well-being. 

When trying to untangle the dilemma of as to why International Humanitarian Law has not been able to yet provide a cogent legal framework for protection of data in armed conflicts, one can notice several reasons. One such reason runs to the very root of this problem; majority of scholars are still struggling with the wrong type of data that should be protected. According to scholars such a Dinniss, IHL should target to protect operational level data rather than content level data which are intelligible to humans like texts in a document. 

The rationale behind this is that operational level data enables hardware its functionality and ability to perform the tasks that are required. So, when these data are targeted through cyber-attacks, it can severely affect the smooth functioning of the adversary States. Furthermore, adversarial cyber operations that target the availability or the integrity of operational level data will also result in loss of functionality of the system. According to scholars like Schmitt, this is the exact objective of attackers as they do not intend to affect the data per se in a cyber-attack

Finally, the Achilles’ heel of IHL is the lack a cogent legal framework to govern protection of data in armed conflict because it still has not been given the “object-quality”. According to the cornerstone of IHL by virtue of Article 52 (2) of the Additional Protocol I; the principle of distinction only protects tangible objects during an armed conflict. As per the prevailing general agreement between the experts of the area, things that are not considered “objects” under the principle of distinction during an adversarial military cyber operation are not protected under this principle; hence leaving intangible data vulnerable during armed conflict. This stance is even backed by the 1987 ICRC Commentary that only gives priority to the protection of objects that are tangible and visible. 

The answer to this problem lies in the teleological consideration. When looking at the purpose of the principle of distinction, it is clear that it strives to enhance the protection of the victims during an armed conflict. In the light of this, a restrictive literal interpretation of data would result in a protection gap of IHL, and many targets whose physical equivalents are protected under IHL could be attacked as long as the effects of the attack remain in cyberspace.  For instance, if an adversarial cyber-attack is launched against a water treatment facility, the State in question would have to shut down its water systems leading to civilian activities, such as agriculture, being severely damaged.  In this sense, it is justifiable to state that data also deserves to be qualified as a civilian object that is protected under IHL. Furthermore, a consensus has to be reached on what amounts to an “attack” in cyber warfare, since existing IHL does not consider “cyber-attacks” to be significant unless they cause any physical harm to the lives and property of the civilians. 

Having a cogent legal anchoring for the protection of data in cyber warfare is important for various reasons. In the midst of ever-changing warfare dynamics, kinetic warfare is now slowly reaching its own obsolescence for fortunate or unfortunate reasons. Hence, there is a higher probability that any State or belligerent group, whether strong in its military capacity or not, could launch adversary cyber-attacks on its enemies. Moreover, as IHL is built utilizing the experiences of the world wars, it only provides baseline protection against the outcomes of kinetic warfare. In light of such limitations of IHL, the States and international organizations will only bear the capability of easing the effects of cyber-attacks in a form of delayed responses. Finally, it also vital to note that the harm to civilians could nonetheless be significant even when it is not physical in nature. As cyber warfare has the prospects of eroding the distinction between peace and war times, by adversarial attacks being launched during the former, IHL experts must gather to weave a stronger set of IHL rules for the protection of data in armed conflict, in order to evade the sporadic and unprecedented horrors of cyber warfare.  



This Essay is part of the series “Contemporary Challenges and Developments in International Humanitarian Law”, published in collaboration with the Association of Young International Criminal Lawyers.

Back to expert analysis