Published by The Lawfare Institute
in Cooperation With
Big data looms large in today’s world. Much of the tech sector regards the building up of large sets of searchable data as part (sometimes the greater part) of its business model. Surveillance-oriented states, of which China is the foremost example, use big data to guide and bolster monitoring of their own people as well as potential foreign threats. Many other states are not far behind in the surveillance arms race, notwithstanding the attempts of the European Union to put its metaphorical finger in the dike. Finally, ChatGPT has revived popular interest in artificial intelligence (AI), which uses big data as a means of optimizing the training and algorithm design on which it depends, as a cultural, economic, and social phenomenon.
If big data is growing in significance, might it join territory, people, and property as objects of international conflict, including armed conflict? So far it has not been front and center in Russia’s invasion of Ukraine, the war that currently consumes much of our attention. But future conflicts could certainly feature attacks on big data. China and Taiwan, for example, both have sophisticated technological infrastructures that encompass big data and AI capabilities. The risk that they might find themselves at war in the near future is larger than anyone would like. What, then, might the law of war have to say about big data? More generally, if existing law does not meet our needs, how might new international law address the issue?
In a recent essay, part of an edited volume on “The Future Law of Armed Conflict,” I argue that big data is a resource and therefore a potential target in an armed conflict. I address two issues: Under the law governing the legality of war (jus ad bellum), what kinds of attacks on big data might justify an armed response, touching off a bilateral (or multilateral) armed conflict (a war)? And within an existing armed conflict, what are the rules (jus in bello, also known as international humanitarian law, or IHL) governing such attacks?
The distinction is meaningful. If cyber operations rise to the level of an armed attack, then the targeted state has, according to Article 51 of the U.N. Charter, an “inherent right” to respond with armed force. Moreover, the target need not confine its response to a symmetrical cyber operation. Once attacked, a state may use all forms of armed force in response, albeit subject to the restrictions imposed by IHL. If the state regards, say, a takedown of its financial system as an armed attack, it may respond with missiles.
Most of the work on cyber operations, including quasi-official documents such as the Tallinn Manuals (sponsored by NATO but drafted by independent experts) as well as government statements and private scholarship, has focused on IHL. If, for example, a database, existing intangibly in the cloud or on someone’s server, qualifies as an “object” under IHL, then any action that disrupts its functioning must fall within the limits set by that body of law. These include the principles of distinction (between legitimate military and illegitimate civilian targets), proportionality, necessity, and the avoidance of unnecessary suffering. But as Rule 100, comment 6, of the most recent Tallinn Manual concludes, data as an intangible asset is not an “object.” On this view, destruction of the data, as distinguished from harm to tangible things, does not have to comply with IHL. In other words, according to the Tallinn Manual, IHL does not regulate cyber operations that disable data, big or small, as long as the physical places where the data resides remain undamaged and the disabling does not produce direct physical consequences (say the crashing of an airplane or the bursting of a dam).
Since the publication of the first Tallinn Manual in 2013 and the second in 2017, an increasing number of states and experts have signaled a willingness to regard intangible data as an “object” subject to IHL. France’s Army Ministry, for example, indicated in 2019 that IHL would apply to “malicious action carried out via cyberspace and intended to cause damage (in terms of availability, integrity or confidentiality).” France and others apparently believe that cyber actions in an armed conflict that cause economic injury, even without physical harm, must comply with the principles of distinction, proportionality, necessity, and the avoidance of unnecessary suffering. At the same time, the French statement limits this claim to IHL and argues that a cyberattack does not automatically trigger the self-defense right to respond with force outside of an ongoing armed conflict. Instead, France asserts that only an “armed attack” (a term of art under Article 51) justifies a military response and that “a cyberattack could be categorized as an armed attack if it caused substantial loss of life or considerable physical or economic damage.” It illustrates this contention by referring to “consequences liable to paralyse whole swathes of a country’s activity, trigger technological or ecological disasters and claim numerous victims.” In other words, IHL regulates cyberattacks conducted as part of an ongoing war, but, absent a preexisting armed conflict, a state’s right to respond with violence to a cyberattack applies only if that operation produces an outcome of the sort that regular (kinetic) force brings about. An action that “merely” disables a data source without immediate physical consequences cannot trigger an armed conflict.
Does this separation of IHL from the law governing armed retaliation make sense? Conceptually, the distinction is defensible. The two bodies of law have different texts, customs, and purposes. IHL has a kind of fatalism about it, as it comes into play only as part of an armed conflict. The law governing the initiation of armed conflicts, by contrast, expresses a kind of idealism, that law can hold back terrible things. Justifications of the use of force outside of an existing war mean more war and thus a failure of this idealism. The international community might aspire to a legal system that tries to minimize the occasions of war while also seeking to make otherwise justified wars as humane as possible.
But aspiring to a thing does not make it so. In a world where big data takes on greater importance and becomes more consequential, it will be easier to regard the disabling of data resources as an outrage. If the harmful potential of cyberattacks—triggering an economic collapse or taking a hospital out of commission—justifies legal regulation within war, why don’t such harms also justify armed retaliation outside an armed conflict so as to deter them going forward? If we’re able to get past the barrier of immateriality in IHL, why not recognize that immaterial acts with profound social and economic consequences should justify an armed response? Why should the wiping out of vast wealth stored in the cloud not count as a causa belli if a conventional armed incursion, however slight, would?
When faced with a legal conundrum, international lawyers often recommend that we make new law to provide a solution—for example, a treaty expressly stating that IHL applies to databases while clarifying when a cyber operation would qualify as an armed attack. Proposing a new treaty, however, seems as useful as, in the classic joke about economic reasoning, assuming the existence of a can opener on a desert island. Much of IHL (even with many existing treaties) and almost all of the law of jus ad bellum (aside from the U.N. Charter) rest on international custom, largely because the fears and interests of states are too disparate to support codified, one-size-fits-all rules. A recent issue of the International Review of the Red Cross has as its premise that new law-of-war treaties will remain out of reach for the foreseeable future. If Geneva has lost hope, who remains?
The alternative approach is for states to walk and talk in a way that raises reasonable expectations on the part of the relevant audience, here those states that conceivably might resort to violence in the course of international disputes. This expectations in effect would become customary international law. The question becomes how to pitch this behavior and talk to best regulate threats to big data.
One way is to stay the course. Without clearly and fully explaining their views, an increasing number of states have indicated that they agree with the French position that distinguishes how IHL regulates actions that compromise big data from how the rules of justified violent response to an armed attack apply to cyberattacks. The international community might hope that this stance can survive in a changing world where big data gains in significance and value. I wonder, though, if the facts change, shouldn’t we reassess our views?
The alternative, which I describe in my book chapter, involves what one might call legal stove-piping. Rather than trying to fit cyberattacks into a broader legal framework, whether IHL or the law of justified armed response, we might instead treat cyber operations as sui generis and try to develop consistent state practice and expressed views regarding acceptable conduct.
A law specific to cyber operations might make several reasonable distinctions. It could affirm current law that treats espionage operations as unregulated by international law while subject to stringent sanctions under national law. It might treat cyber operations with direct effects in the material world as equivalent to kinetic actions. It might treat cyber operations that render big data inaccessible or dysfunctional, whether as through ransomware or simply by incapacitation, as triggering a power to respond in kind, rather than a right to resort to arms.
Establishing a discrete body of rules constraining cyber operations, within war or without, will require a mixture of talk and action by influential actors, starting with a single powerful state with strong interest in big data. I assume that this international norm entrepreneur would be the United States, although in theory other cyber powers could lead the way. The state would articulate the rules it will observe, act accordingly, and respond consistently to states that transgress its rules. It would have to act reasonably, including, as my colleague Kristen Eichensehr observes, laying out an acceptable case for attribution when it sanctions other states for particular operations. If the rules it advocates seem generally useful rather than selfish, the other cyber powers might eventually acquiesce.
My recent scholarship, including my forthcoming book, “The World Crisis and International Law,” argues that norm-entrepreneurial states behaving in this fashion hold out a greater hope for managing threats to the international system than would the creation of yet more international structures grounded in formal international agreements. The world faces profound challenges, including extant and imminent wars, proliferation of weapons of mass destruction, growing economic inequality, social turmoil, and resulting nationalist populism, climate change, pandemics, crisis-driven migration, the pollution of cyberspace, and growing surveillance, not just the increasing scale of cyber operations. Yet deep distrust and anxiety around the world make formal cooperation to address these challenges unattainable, no matter how dire the consequences of inaction. The program I suggest for big data might serve as a workable response in these other areas as well.