M: +61 2 5114 5268
Data can be a military objective. The challenge is to differentiate targetable data from non-targetable data used in espionage and influence operations.
Data is ubiquitous as a capability and an enabler in military operations. As data becomes ever more fundamental to the military, the question of whether data can be made the target of attack under the law of armed conflict is gaining traction as both a legal and an operational issue.
The applicable law is in 1977 Additional Protocol I to the Geneva Conventions of 1949, Article 52(2):
Attacks shall be limited strictly to military objectives. In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralisation, in the circumstances ruling at the time, offers a definite military advantage.
There are at least three approaches to this question, each with different consequences.
The first approach is that data is not an object for military attack. This is the approach adopted by the Tallinn Manual 2.0:
…the majority of the International Group of Experts agreed that the law of armed conflict notion of “object” is not to be interpreted as including data, at least in the current state of the law. In the view of these experts, data is intangible and [does not fall] … within the “ordinary meaning” of the term object… therefore, an attack on data per se does not qualify as an attack.
This approach hinges around the conclusion that data is not ‘visible and tangible’ and thus cannot be described as an object. And because it cannot be an object, it can thus not be characterised as a military objective.
This approach offers two possible characterisation of data. The first is that data is simply ‘outside’ or ‘unknown’ to the law of armed conflict. Consequently, as data is not a concept within or regulated by this law, it is fair game during armed conflict. This is because operations against data would not be definable in any circumstance as an ‘attack’, because the law defines ‘attacks’ as being against objects. If data is not even an object, then none of the rules limit dealing with data.
Alternatively, it can be simply asserted that whilst data is not an object, the general trajectory of the law of armed conflict – represented in, for example, API article 58 (parties “shall direct their operations only against military objectives”) – is that it must be treated as akin to a civilian object and not be attacked.
Heather Harrison Dinniss argues that it is necessary to differentiate between ‘content’ level data (such as the text of this post) and ‘operational’ type data, which is the ‘soul of the machine’ or ‘code’. This distinction is important, because if we can be specific about what purpose a piece of data serves, then we may be able to distinguish between code, component, system and network. If we get to this point, then we can make more nuanced assessments as to what precisely in the ‘box’ it is that is the military objective.
The fidelity of this approach – if it is in fact achievable – is that the law of armed conflict would no longer define ‘the box’ as a whole as a military objective because military data in it is inseparable from the box. If we can identify the military objective data, then we will better understand what is still civilian within the box, by contrast to seeing the presence of military data inseparably making the whole box a military objective.
This is the argument of Kubo Macak, and to some extent the International Committee of the Red Cross, and is the view I personally hold. An example of data as military objective by its very nature, for example, might be a digital weapons log. Targeting that data will affect the operability of the weapons system and secure for the party the requisite ‘definite military advantage’. Also, given that data can be weaponised – for example, where it is the ‘1’s and ‘0’s that are the key component in information deception operation with kinetic effects – then how can the data not be classified as a military objective?
The challenge here is ‘dual use’ civilian data that may become a military objective by its location, purpose or use. An example might be a commercial database being used by the adversary to kinetically target state military force members and their families. If you deprive the adversary of its use by neutralising the data, it will reduce their capacity to conduct hostilities and in turn make an effective contribution to prosecution of the conflict against that adversary.
Quite apart from reflecting what the law says, this approach to data as a potential military objective also serves the core humanitarian purpose of reducing the effects of conflict on the civilian population by protecting from attack all objects, including data, that are not military objectives.
The challenge, consequently, is not to ask whether data can be a military objective; for many, this is already the state of the law, whilst for others this outcome is an almost inevitable legal future. As data-mining, data manipulation, data deception and data destruction become more pervasive operational options we now need to be asking more nuanced legal and doctrinal questions about how and when ‘targetable’ data is to be differentiated from non-targetable employment of data in espionage and influence operations. Indeed, the issue of data as a military objective may in fact be one of those rare cases where an evident law of armed conflict interpretation actually leads rather than follows the parallel evolution of the same question as a matter of policy and operational practice.
Robert McLaughlin is Professor of Military and Security Law at the Australian Defence Force Academy, University of New South Wales Canberra. He is Director of the Australian Centre for the Study of Armed Conflict and Society.
This article was originally published by Australian Outlook, the official blog for the Australian Institute of International Affairs. Read the original article here.