1. Introduction
The cyber operations mounted during the Russia–Ukraine and Palestine–Israel conflicts of 2014 have demonstrated the continued necessity for clarification as to how international law is to be interpreted and applied with respect to activities in cyberspace.Footnote 1 Unfortunately, the few statements that states have issued on the matter lack the granularity required to be operationally meaningful.Footnote 2
State reticence to stake out positions with regard to cyber operations has become chronic. The cyber operations conducted against Estonia in 2007 and mounted during the international armed conflict between Georgia and Russia the following year revealed a distinct lack of forethought on the part of the international law community in general, and states in particular, as to how international law – especially the jus ad bellum (law governing the resort to force by states) and jus in bello (international humanitarian law or IHL) – governs activities in cyberspace.Footnote 3 In response to this lacuna, the NATO Cooperative Cyber Defence Centre of Excellence, which is based in Tallinn (Estonia), commissioned a three-year research project to examine the law of cyber conflict. The project drew together an ‘International Group of Experts’ (IGE) which consisted of 16 renowned international law academics and practitioners working in their personal capacity (numerous experts were then serving as senior legal advisers for their governments). A team of technical advisers assisted them and observers from NATO, the United States Cyber Command and the International Committee of the Red Cross (ICRC) participated actively during the deliberations. The work of the IGE was subsequently peer reviewed by 13 international law specialists and fine-tuned based on their recommendations. In 2013, Cambridge University Press published the final product as the Tallinn Manual on the International Law Applicable to Cyber Warfare.Footnote 4 I served as Director of the effort.
The Tallinn Manual consists of 95 ‘rules’ adopted unanimously by the IGE. Each rule expressed the IGE's opinion regarding the state of customary international law (including that reflected in key treaties such as the UN Charter) as of July 2012, the date of the meeting at which it adopted the final draft. The requirement for unanimity meant that the rules reflected the lowest common normative denominator. Some of the experts would have gone further, but the project's process and goals demanded a conservative approach. Consequently, the IGE sought only to identify lex lata; the group never intentionally roamed into the realm of lex ferenda.
Accompanying each of the rules is commentary that identifies its legal basis, explains its normative content, addresses practical implications thereof in the cyber context, and sets forth differing views on the scope or interpretation of the rule. The members of the IGE – all of whom had experience in advising governments, militaries or the ICRC – were acutely sensitive to the fact that they were exploring virgin territory. They therefore endeavoured to capture fully and fairly every reasonable competing perspective for consideration by the Manual's primary audience – those serving in positions requiring them to render legal advice on cyber conflict, particularly states' legal advisers. The IGE believed this approach would prove most useful to these individuals as their respective states and organisations attempted to resolve unsettled matters through the adoption of legal positions and policies, issuance of expressions of opinio juris and promulgation of practical guidance such as rules of engagement.
The sine qua non of the Tallinn Manual process was agreement on the applicability of the jus ad bellum and jus in bello to cyber operations. Consensus was quickly achieved on this point, one that appears to be widely accepted today.Footnote 5 With regard to IHL, the experts accordingly concurred that the extant law governed cyber weapons and cyber operations;Footnote 6 the issue was not whether IHL applied, but how. Sorting out the ways in which IHL pertained in the cyber context was obviously no easy task. Differences of opinion within the IGE were common. Thus, the commentary carefully sets out the majority and minority positions, as well as those of which the IGE was aware but were not harboured by any of the experts.Footnote 7
The reaction of the international legal community to the Tallinn Manual, especially state legal advisers, has been favourable. Today it is widely used in ministries of defence and foreign affairs. With respect to its IHL provisions, only two issues have generated noteworthy debate – the meaning of the term ‘attack’, a topic addressed in passing below, and the IHL notion of ‘objects’, the focus of this article. Both have been the subject of debate behind closed doors during governmental discussions and in open discourse throughout academia. The question with respect to the latter is whether ‘data’ constitutes an object such that the IHL protection afforded to civilian objects extends to it.Footnote 8
Significant in this regard was a conference sponsored by the ICRC and the Hebrew University of Jerusalem in November 2013 at which Mr Kubo Mačák of Exeter University and Dr Heather Harrison Dinniss of the Swedish National Defence College took issue with aspects of the Tallinn Manual's examination of whether data could be considered an ‘object’, as that term is understood in IHL. I spoke on the same panel and defended the IGE's work. Their presentations have matured into the articles that appear in this volume of the Israel Law Review. Its editors have graciously allowed me to offer a riposte. Before turning to their articles, allow me to offer a few procedural comments.
First, the precise contours of customary IHL are both indistinct and, occasionally, controversial.Footnote 9 There was nevertheless concurrence within the IGE that those aspects of Additional Protocol I to the 1949 Geneva Conventions addressing the conduct of hostilities – particularly the principles and rules surrounding attacks such as distinction,Footnote 10 proportionalityFootnote 11 and precautions in attackFootnote 12 – generally reflect customary international law norms binding on non-parties.Footnote 13 Therefore, my analysis in this article of the relevant provisions of Additional Protocol I applies fully to their customary law counterparts.
Second, the views set forth in this article are entirely my own and are not intended to reflect those of any other member of the IGE. To the extent that I explain how the IGE came to its conclusions, the discussion is based on my recollection of the sessions that took place over the three-year period during which the Tallinn Manual came to life.
Third, like the IGE, I will slavishly adhere to the lex lata. I have set out elsewhere my views on where the law might be headed,Footnote 14 but in this article I merely comment on the state of the law as of July 2012. Although I believe the law on the notion of objects will evolve with some rapidity, speculation is not my purpose here. I do realise that the majority's interpretation of objects leads to undesirable results in the sense that it opens the door to cyber operations against data that could have a significant negative impact on the civilian population. However, an all-inclusive treatment of data as an object would, as will be explained, be over-inclusive. Until states determine the appropriate balance, it would be precipitate to extend the meaning of objects to this degree.
Finally, my contribution to the Israel Law Review must not be interpreted as criticism of Mr Mačák or Dr Harrison Dinniss. Both are brilliant scholars and, as an aside, dear friends. However, their contributions cannot go unanswered for it is the very process of intellectual give and take that will not only preserve IHL, but allow it to evolve in positive directions.Footnote 15 Thus, I offer these thoughts in the spirit of constructive and amiable dialogue between colleagues.
2. The Relevant Text
In order to grasp the discussion that follows, it is useful to quote the relevant text from the Tallinn Manual. The fulcrum of debate is rule 37, which provides: ‘Civilian objects shall not be made the object of cyber attacks. Computers, computer networks, and cyber infrastructure may be made the object of attack if they are military objectives’.Footnote 16 This rule derives from Article 52(1) of Additional Protocol 1: ‘Civilian objects shall not be the object of attack or of reprisals. Civilian objects are all objects which are not military objectives as defined in paragraph 2’.Footnote 17 The first sentence of Article 52(2) similarly provides that ‘[a]ttacks shall be strictly limited to military objectives’. The ICRC's Commentary on the Additional Protocols explains that the sentence was intended to confirm the previous principle.Footnote 18 Therefore, the operative prohibition is found in Article 52(1) and not, as is often incorrectly asserted, Article 52(2).
Article 52(2) serves to define the term ‘civilian’ as used in Article 52(1) by negative reference to the concept of military objective, an approach adopted in the Tallinn Manual.Footnote 19 According to Rule 38,Footnote 20
Military objectives are those objects which by their nature, location, purpose, or use, make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage. Military objectives may include computers, computer networks, and cyber infrastructure.
The definition in the first extracted sentence is a nearly verbatim adaptation of that found in Article 52(2), except that the Additional Protocol rendering begins with the introductory clause ‘[i]n so far as objects are concerned’.Footnote 21 As will become clear, both Mr Mačák and Dr Harrison Dinniss attribute to that clause significance in the context of data that I do not.
Neither takes issue with the Rule 38 definition of military objectives proper. Their concern focuses instead on the following brief section of the commentary to Rule 38 addressing the question of whether data is an object.Footnote 22
The majority of the International Group of Experts agreed that the law of armed conflict notion of object should not be interpreted as including data. Data is intangible and therefore neither falls within the ‘ordinary meaning’ of the term objectFootnote 23 nor comports with the explanation of it offered in the ICRC Additional Protocols Commentary. Nevertheless, as noted in the Commentary to Rule 30, a cyber operation targeting data may, in the view of the majority of the Experts, sometimes qualify as an attack when the operation affects the functionality of computers or other cyber systems. A minority of the Experts was of the opinion that, for the purposes of targeting, data per se should be regarded as an object. In their view, failure to do so would mean that even the deletion of extremely valuable and important civilian datasets would potentially escape the regulatory reach of the law of armed conflict, thereby contradicting the customary premise of that law that the civilian population shall enjoy general protection from the effects of hostilities, as reflected in Article 48 of Additional Protocol I. For these Experts, the key factor, based on the underlying object and purpose of Article 52 of Additional Protocol I, is one of severity, not nature of harm. The majority characterized this position as de lege ferenda.
The reference to the ICRC Commentary built on an earlier observation in the Tallinn Manual commentary that ‘[t]he meaning of the term “object” is essential to understanding this and other Rules found in the Manual. An “object” is characterized in the ICRC Additional Protocol Commentary as something “visible and tangible”’.Footnote 24
As will become apparent, critics of the majority approach sometimes conflate the legal meaning of the term ‘attack’ as used in Rule 37 and that of ‘object’ – the issue at hand with regard to data. The meaning of attack is central to the conduct of hostilities in cyberspace because the IGE took the position that only cyber operations that qualify as attacks in the IHL sense are subject to the Tallinn Manual rules that make reference to ‘attacks’. Accordingly, the IGE took care to employ the term ‘cyber attack’ in its rules and commentary only when a ‘cyber operation’ satisfied its definition of the term contained in Rule 30: ‘A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects’.Footnote 25
The commentary accompanying Rule 30 elaborates on the relationship between the notion of attack and operations against data.Footnote 26
Although the Rule is limited to operations against individuals or physical objects, the limitation should not be understood as excluding cyber operations against data (which are non-physical entities) from the ambit of the term attack. Whenever an attack on data results in the injury or death of individuals or damage or destruction of physical objects, those individuals or objects constitute the ‘object of attack’ and the operation therefore qualifies as an attack. Further, as discussed below, an operation against data upon which the functionality of physical objects relies can sometimes constitute an attack.
Some members of the IGE expressed unease with the apparent exclusion of cyber operations targeting (as distinct from ‘attacking’) data that might be detrimental to the civilian population, but not destructive or injurious. Various views surfaced on the issue, as explained in the commentary.Footnote 27
Within the International Group of Experts, there was extensive discussion about whether interference by cyber means with the functionality of an object constitutes damage or destruction for the purposes of this Rule. Although some Experts were of the opinion that it does not, the majority of them were of the view that interference with functionality qualifies as damage if restoration of functionality requires replacement of physical components. Consider a cyber operation that is directed against the computer-based control system of an electrical distribution grid. The operation causes the grid to cease operating. In order to restore distribution, either the control system or vital components thereof must be replaced. The cyber operation is an attack. Those Experts taking this position were split over the issue of whether the ‘damage’ requirement is met in situations where functionality can be restored by reinstalling the operating system.
A few Experts went so far as to suggest that interference with functionality that necessitates data restoration, while not requiring physical replacement of components or reinstallation of the operating system, qualifies as an attack. For these Experts, it is immaterial how an object is disabled; the object's loss of usability constitutes the requisite damage.
The International Group of Experts discussed the characterization of a cyber operation that does not cause the type of damage set forth above, but which results in large-scale adverse consequences, such as blocking email communications throughout the country (as distinct from damaging the system on which transmission relies). The majority of the Experts took the position that, although there might be logic in characterizing such activities as an attack, the law of armed conflict does not presently extend this far. A minority took the position that should an armed conflict involving such cyber operations break out, the international community would generally regard them as attack. All Experts agreed, however, that relevant provisions of the law of armed conflict that address situations other than attack, such as the prohibition on collective punishment (Rule 85), apply to these operations.
It should be noted that a cyber operation might not result in the requisite harm to the object of the operation, but cause foreseeable collateral damage at the level set forth in this Rule. Such an operation amounts to an attack to which the relevant law of armed conflict applies, particularly that regarding proportionality (Rule 51).
A brief comment is merited before replying to the two articles. Both Dr Harrison Dinniss and Mr Mačák sometimes speak of a Tallinn Manual position. The only such positions are with respect to the rules themselves (because they required unanimity) or in those instances when the commentary offers but a single interpretation of a rule. Styling other aspects of the Manual as such risks attributing views to members of the IGE who did not hold them and, in some cases, vigorously disputed them. In fact, what both authors do is to contest a majority position. That said, it happens to be my position, so let me turn to their points.
3. A Reply to Mr Mačák
Mr Mačák begins by pointing to the ‘[i]n so far as objects are concerned’ introductory clause in the definition of military objective in Article 52(2), drawing the conclusion that the Tallinn Manual commentary's exclusion of the clause seems to limit the term to objects, and is therefore inconsistent with state practice. This is not the case. The commentary expressly notes that the limitation is solely for the Manual's own purposes and was adopted simply because the analysis used to determine when individuals are targetable differs from that which applies to objects.Footnote 28 In fact, I accept the ICRC Commentary's observation that ‘[i]t should be noted that the definition is limited to objects but it is clear that members of the armed forces are military objectives …’.Footnote 29 However, the relevant question is not whether the IHL term ‘military objectives’ includes items other than objects (which it does), but instead whether data constitutes an object as that term appears in Article 52(1), its customary law equivalent, and the Tallinn Manual's derivative Rule 37.
This minor deviation complete, Mr Mačák turns to the issue at hand – data. He points to the following single sentence in the commentary apparently to conclude that the majority based its exclusion of data as an object on an essentially textual analysis: ‘Data is intangible and therefore neither falls within the “ordinary meaning” of the term object nor comports with the explanation of it offered in the ICRC Additional Protocols Commentary’Footnote 30 (which characterises an object as an entity that is ‘visible and tangible’). As he notes, the sole supporting footnote to the sentence in the Tallinn Manual commentary cites Article 31(1) of the Vienna Convention on the Law of Treaties.Footnote 31 In a footnote of his own, Mr Mačák observes that Article 31 also ‘endorses the contextual (or systematic) method, and the teleological (or functional) method’.
This was a point that the IGE fully understood. Indeed, its citation of Article 31(1) suffices to encompass all three methods of interpretation: ‘A treaty shall be interpreted in good faith in accordance with the ordinary meaning [textual] to be given to the terms of the treaty in their context [contextual] and in the light of its object and purpose [teleological]’.Footnote 32 In fact, the IGE regularly took context and object and purpose into consideration. For instance, the term ‘cyber context’ appears in the Manual 50 times, while ‘object and purpose’ does so on eight occasions. Moreover, the reference to the ICRC Commentary's ‘visible and tangible’ text comports with the invitation in Article 32 of the Vienna Convention to consider ‘supplementary means of interpretation, including the preparatory work of the treaty and the circumstances of its conclusion, in order to confirm the meaning resulting from the application of Article 31, or to determine the meaning when the interpretation of a treaty provision according to Article 31’ remains ‘ambiguous or obscure’.Footnote 33
Mr Mačák next addresses whether the minority view set forth in the Tallinn Manual's commentary is, as characterised by the majority, a position de lege ferenda. As his starting point, he opines that I (and the Tallinn Manual) take the position that ‘a putative interpretation of the law would be rejected as merely de lege ferenda if it was not grounded in relevant state practice and opinio juris’, and asserts that it is ‘not an appropriate standard for the interpretation of international law’. That is not my position. On the contrary, I agree that such an approach would be inappropriate, as would, to my knowledge, every member of the IGE.
To take a simple but telling example, Article 36 of Additional Protocol I requires a review of new weapons, means and methods of warfare.Footnote 34 Since they are new, there is little state practice and seldom much opinio juris against which to gauge their lawfulness. This does not preclude the interpretation of existing norms in light of the new weapon's intended use in order to comply with the Article 36 review requirement. Had my position been that state practice and opinio juris must attend any novel interpretation or application of IHL, the Tallinn Manual project itself would have been stillborn. Negligible state practice was available vis-à-vis the vast majority of the rules we crafted or the often differing interpretations thereof found in the commentary. That state practice which did exist was often classified and therefore inaccessible to most members of the IGE. Although the group was operating in this relative vacuum of state practice and opinio juris, it nevertheless was able to agree unanimously on the text of a wide array of rules.
This is not to say that the IGE operated precipitously. On the contrary, it took a very conservative approach. As noted in the introduction to the Manual, ‘because State cyber practice and publicly available expressions of opinio juris are sparse, it is sometimes difficult to definitively conclude that any cyber-specific customary international law norm exists’.Footnote 35 In no case did the IGE conclude that a cyber-unique customary law norm – that is, a ‘new’ norm – had crystallised. This being so, Mr Mačák's use of the United Kingdom's assertion that a norm permitting humanitarian intervention had emerged is a non sequitur, except as an illustration that the line between lex lata and lex ferenda is horribly indistinct. This very truism lay at the heart of the IGE's conservatism, as evidenced not only by its insistence on including every reasonable interpretive viewpoint in the commentary, but also by its intentionally broad articulation of the unanimously agreed upon rules.
Rather than propounding new norms, the entire project focused on the interpretation of established norms. In this regard, all members of the IGE agreed that context mattered. Like Mr Mačák, we rejected the premise reflected in Sir Gerald Fitzmaurice's ‘principle of contemporaneity’ that international law can be somehow trapped in time.Footnote 36 The fact that states participating in the drafting of a relevant treaty failed to contemplate cyber operations was never an insurmountable obstacle to interpreting and applying its provisions.
To be fair, members of the IGE approached the task at hand from a variety of interpretive perspectives. Some were traditional positivists, while others – like myself (a New Havenist ‘light’) – leaned towards a policy-oriented approach. Yet, the group concurred that to retain valence, IHL has to be interpreted in light of the environment in which it is to be applied. Doing so with sensitivity to the object and purpose of IHL in general, and its individual principles and rules in particular, was similarly deemed crucial. In our view, IHL's dominant object and purpose is to delicately balance military necessity and humanitarian concerns.Footnote 37 Since the balance is continuously influenced by contemporary reality and values, interpretation shifts – and appropriately so – over time.Footnote 38
Whenever the degree of uncertainty regarding interpretation and application in a particular situation proved significant, the IGE applied a rebuttable presumption in favour of not finding lex lata. In our view, it was for states, rather than the IGE, to make the interpretive leap. We were fearful that charges of going too far in particular instances would undermine the credibility, and therefore the utility, of the entire work. In any event, our decision to cite all reasonable interpretive stances in the commentary relieved us of the need to make such leaps.
Broadly speaking, three interpretive and applicative situations presented themselves. At one end of the spectrum lay those cases in which the advent of cyber warfare posed no interpretive dilemma. For instance, all members of the IGE agreed that a lethal or physically injurious cyber operation is an ‘attack’ in IHL terms and that one directed at civilians who are not directly participating in the hostilities is unlawful.Footnote 39 The fact that there have been no known civilian casualties resulting from cyber operations during an armed conflict did not detain the group in arriving at this conclusion. In the IGE's opinion, Rule 37's prohibition of such cyber operations is clearly lex lata despite the absence of practice or state expressions of concurrence in the interpretation; it is consistent with the plain text of the IHL norm and analogous previous practice with respect to other new methods and means of warfare. What is more, the rule in no way skews the contemporary balance between military necessity and humanitarian considerations.
This simple illustration (there are many more) illustrates the inaccuracy of Mr Mačák's contention that the IGE, or at least the majority thereof, was of the view that equating ‘the absence of relevant state practice and opinio juris in support of a certain interpretation with the incorrectness of such interpretation under lex lata would be a step too far’. We did not, again to use his words, ‘substitute the dearth of state practice for proper treaty interpretation’. On the contrary, it was our willingness to find lex lata when state practice and/or opinio juris were absent that we feared would draw criticism.
Mr Mačák seems to suggest that the majority was erratic in this regard, citing its position on organised armed groups in contradistinction to the aforementioned cautious approach to data as an object. The notion of ‘organised armed group’ is a crucial one in IHL. The existence of a non-international armed conflict depends on hostilities at a particular level of intensity between an organised armed group and a state, or between two or more such groups.Footnote 40 Furthermore, members of an organised armed group are targetable by different criteria from individuals who, although civilians, have directly participated in hostilities.Footnote 41
The majority of the IGE (note that the composition of ‘the majority’ varied from case to case) concluded that ‘the failure of members of the group physically to meet does not alone preclude it from having the requisite degree of organization’.Footnote 42 This conclusion was neither ungrounded nor radical. There is widespread practice of treating online groups as a single entity, both during peacetime and armed conflict, as recently exemplified by Anonymous and the Syrian Electronic Army respectively. Moreover, the majority, among whom I number myself, was restrained in qualifying online groups as organised. We excluded collections of individuals acting collaboratively (as in the case of many of the cyber attacks against Estonia in 2007 and Georgia in 2008), as distinct from cooperatively. The example used in the commentary was similarly narrow: ‘a distinct online group with a leadership structure that coordinates its activities by, for instance, allocating specified cyber targets among themselves, sharing attack tools, conducting cyber vulnerability assessments, and doing cyber damage assessment to determine whether “reattack” is required’.Footnote 43 The majority went on to question whether such a group could satisfy the purported criterion of being capable of implementing and enforcing IHL.Footnote 44 Furthermore, even if ‘organised’, the practical impact of the majority's position is tempered by the fact that the group in question would still have to be ‘armed’Footnote 45 and, in the case of classification of the conflict as a non-international armed conflict, engage in activities crossing the requisite level of intensity.Footnote 46 The IGE's restraint in this case accords with that which the majority took in the case of data.
At the opposite end of the spectrum were circumstances so remote from those self-evidently encompassed by an existing norm that its application in the cyber context could not be justified through contextual interpretation and/or by its object and purpose. In such cases, either a new norm or a dramatically new interpretation of the existing norm would have to emerge to address such situations. The former requires sufficient state practice and opinio juris to say the norm has crystallised, whereas the latter would only take hold once general acceptance as to the purported interpretation has coalesced. As an example, it has long been understood that the mere causation of civilian inconvenience does not qualify a military operation as an attack, nor does civilian inconvenience play into proportionality assessments or trigger the requirement to take precautions in attack to avoid collateral damage.Footnote 47 Thus, a cyber operation directed against a dual military/civilian use server that results in temporary interference with civilian email communications would not, on that basis alone, require consideration of that effect. Any assertion to the contrary plainly represents lex ferenda, at least for the present.
Between these two extremes lie situations in which: (i) the contextual applicability of a norm is not self-evident; (ii) there is some state practice and/or opinio juris, but not enough to definitively conclude that a new norm has emerged; or (iii) it is unclear that a particular interpretation in the cyber context is now generally accepted by states. In light of the relative paucity of practice or opinio juris, the issue of data fell into this category, as reflected in the differences of opinion within the IGE over its treatment.
Mr Mačák attributes excessive impermeability to the majority position, but it is more accurate to say that its adherents found themselves unable to comfortably aver that an interpretation by which the term ‘object’ includes data is manifestly self-evident. Therefore, its members agreed that state practice, opinio juris, or some other indication that the view had attained traction among states was needed before interpreting it as such vis-à-vis the prohibition on attacking objects, the rule of proportionality and the requirement to take precautions in attack. This position did not mean that members of the majority believed data should not be protected, or that it would not be so protected in the future. It simply signalled fidelity to our commitment to express lex lata, and no more, in the Tallinn Manual.
In this regard, the definition of objects in the ICRC Commentary as something ‘visible and tangible’ did inform the majority's deliberations. However, despite the concern of both authors, at no point (on any issue) did the IGE deem itself bound by the ICRC Commentary. Albeit highly respected and influential (and extremely useful in our work), the Commentary is not binding as a matter of law. Additionally, it was produced well before computers came of age on the battlefield and, therefore, did not preclude reasonable contextual application of the respective Additional Protocol principles and rules to cyber operations.
Mr Mačák correctly notes that the visible and tangible reference was proffered to differentiate those objects meant to be protected by Article 52(1) of the Protocol from the general aims, goals or purposes of a military operation. For example, a strike on an electrical grid supplying energy to enemy forces, an object that qualifies as a military objective, must be distinguished from the desire to disrupt enemy command and control, which is the goal of the operation but not a military objective in the IHL sense. This is a distinction the IGE did not miss, but that did not detract from the fact that those who drafted the Article understood objects as those entities that were visible and tangible and used these characteristics to limit the Article's reach. The drafting history also includes a discussion of objects that references ‘inanimate objects’, which would further support this conclusion.Footnote 48 The point is that although the ‘visible and tangible’ comment influenced the IGE's deliberations (as well it should haveFootnote 49), it was not dispositive.
In the majority's view, a more influential factor was that certain military operations directed at civilian populations are currently commonplace.Footnote 50 For instance, psychological operations are often designed to influence the attitudes and behaviour of the enemy's civilian population. This can be done, for example, by jamming the enemy civilian leadership's public television transmissions. No one would argue that such operations were attacks on a civilian object.
If those same messages were posted online, deleting or altering the video file could disrupt their use. The consequences of treating the file as an object would be significant, for the data would qualify as a civilian object; it would make no effective contribution to military action and its destruction would not offer a definite military advantage.Footnote 51 Moreover, the operation would qualify as an attack because a civilian object would be damaged (altered) or deleted (destroyed). Thus, the operation would amount to an unlawful attack on a civilian object. It did not seem congruent to countenance the jamming, but disallow a cyber operation with the same impact on the civilian population solely on the basis that data was affected.
In light of such outcomes, the majority was unprepared to treat data as an object, at least until evidence surfaces that states are willing, or even likely, to adopt the position. Although its members were acutely aware that the destruction of some civilian data could generate serious consequences, they were not ready to confidently claim that the military necessity/humanitarian considerations balance had been so transformed by this reality that a new interpretation of data was required. Reduced to basics, the majority believed the simple extension of the notion of objects to data would be, at least at present, overbroad. The closest the IGE came to this position was acceptance of the premise that if harm to data has a physically destructive or injurious consequence, it qualifies as an ‘attack’ and would be encompassed in the prohibition on attacking civilian objects, the proportionality rule and the precautions in attack requirement. In the case of the prohibition, the ‘object of attack’ would be the entity affected, not the data; as to proportionality and precautions, the collateral damage would be that resulting from harm to the data, not the harm to the data itself.Footnote 52
To summarise, a methodical reading of the Tallinn Manual in its entirety establishes that the IGE rejected the notion of contemporaneity, interpreted the extant law in context, carefully considered the object and purpose of IHL and understood that IHL norms evolve over time. The group recognised, in the words of the Israeli Supreme Court, that ‘new reality at times requires new interpretation. Rules developed against the background of a reality which has changed must take on a dynamic interpretation which adapts them, in the framework of accepted interpretational rules, to the new reality’.Footnote 53 Thus, in the absence of evidence signalling the emergence of a new norm or reinterpretation of the notion of object by states, Mr Mačák's disagreement with the majority position boils down to a difference of opinion as to whether the issue fell within the first category described above – that in which the applicability of a norm in the cyber context is self-evident in light of the changed circumstances – or not.
Allow me to comment on his position. To begin with, the precise issue is not, as he puts it, to ‘interpret the term “object” in Article 52(2) in light of present day conditions’ – that is, to define it by reference to the prerequisites for an object to qualify as a military objective. It is how to define the term as it appears in Article 52(1), which contains the operative prohibition on attacking civilian objects. Article 52(2) has little direct bearing on whether a target is an object. Instead, it imposes a further requirement that objects qualify as military objectives before they may be lawfully attacked.
With respect to defining the term ‘object’, Mr Mačák first points to translation discrepancies in the six authentic languages, noting that in two – French and Spanish – the term ‘un bien’ may be translated into English as ‘a good’ or ‘a property’, and that in the Francophone world the legal term includes both tangible and intangible property. However, this argument ignores the full text of the ICRC Commentary on the issue.
The English text uses the word ‘objects’, which means ‘something placed before the eyes, or presented to the sight or other sense, an individual thing seen, or perceived, or that may be seen or perceived; a material thing’. The French text uses the word ‘biens’, which means ‘chose tangible, susceptible d'appropriation’.
It is clear that in both English and French the word means something that is visible and tangible.Footnote 54
As is apparent, the authors of the ICRC Commentary – who include native French speakers who were involved in the Diplomatic Conference that drafted the treaty – considered the French text and were comfortable with the ‘visible and tangible’ rendering of ‘object’.
Mr Mačák next contends that the term ‘object’ in the Additional Protocol section relating to attacks ‘means something that may become the target of attacks. It must thus be something susceptible to “destruction, capture, or neutralization”’ – a phrase drawn from Article 52(2)'s definition of military objective. Presumably this logic is based in part on that paragraph's introductory proviso that only military objectives may be attacked. He asserts that data fits this description.
This approach reverses the correct chain of legal analysis. Enemy morale may be ‘destroyed’. Enemy radio and phone transmissions may be ‘captured’. Enemy command and control capability may be ‘neutralised’. However, the fact that targeting them ‘make[s] an effective contribution to military action and [their] total or partial destruction, capture or neutralisation, in the circumstances ruling at the time, offers a definite military advantage’ does not render them objects.Footnote 55
Proper analysis starts with determining whether a target is an object. This is why the issue of data as an object is fundamental. Only if it is an object (which I believe it is not) does the requirement for the second step arise – determining whether the operation qualifies as an attack. If the data (object) in question is destroyed (deleted) or damaged (altered), the operation is logically an attack because damage and destruction are conditions precedent to qualification as an attack.Footnote 56 Once this threshold is crossed, it is necessary to establish whether the data (the object of attack) is a military objective, which is assessed in part by whether its ‘destruction, capture, or neutralisation, in the circumstances ruling at the time, offers a definite military advantage’.Footnote 57 Accordingly, the fact that data may be deleted (destroyed) or altered (damaged) is not in itself determinative as a matter of law; it must qualify as an object before such consequences have a normative effect.Footnote 58
Continuing his analysis, Mr Mačák highlights the discussion of psychological operations that appears in my writings.Footnote 59 Similar analysis can be found in the Tallinn Manual commentary, and the subject was in part engaged above.Footnote 60 He contends that I have ‘argued that destruction of data without physical consequences is more akin to psychological operations’ and therefore he queries ‘is computer data analogous to abstract notions such as population morale or to “tangible” things such as a bridge?’. However, I was addressing a different issue – qualification of cyber operations as ‘attacks’ under IHL – not the character of data.
As noted in the introduction, a major debate – unresolved during the Tallinn Manual process – surrounds the legal scope of the term ‘attack’, a critical matter because many of IHL's ‘conduct of hostilities’ prohibitions are framed in terms of ‘attack’, including that at issue here.Footnote 61 Article 49(1) of Additional Protocol I defines attacks as ‘acts of violence against the adversary, whether in offence or defence’.Footnote 62 The IGE agreed that the definition extends to acts that are not in themselves violent (as in the case of cyber operations) but which nevertheless produce violent consequences.Footnote 63 Therefore, the group unanimously agreed that, at a minimum, ‘a cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects’.Footnote 64 The majority further took the position that damage included the notion of interference with the functionality of an object that necessitates repair, even if the object is not physically affected.Footnote 65
A key issue in this debate is the meaning of the term ‘violence’ in Article 49(1); the specific question is whether non-destructive or non-injurious consequences can nevertheless amount to the type of violence envisaged by the Article. My references to psychological operations were made in this context: ‘operations aimed at the civilian population are not uncommon during armed conflict, the paradigmatic example being psychological operations, which are generally deemed lawful unless they cause physical harm or human suffering’.Footnote 66 The issue raised by psychological operations is not whether data is more like morale or bridges; it is whether non-destructive or non-injurious cyber operations directed at civilian objects or civilians are more like psychological operations against them (not traditionally viewed as ‘violent’, and therefore not an attack) or kinetic targeting operations (clearly unlawful attacks because they are violent).
In the article he cites, written two years before completion of the Tallinn Manual, I took on the ‘object’ controversy without reference to psychological operations.Footnote 67
[O]ne unsettled issue is whether data resident in computers comprise an ‘object’ …
No definitive answer to this question exists. It would appear overbroad to characterise all data as ‘objects’. Surely a cyber operation that deletes an innocuous e-mail or temporarily disrupts a television broadcast does not amount to an unlawful attack on a civilian object. For instance, it is well settled that an operation employing electronic warfare to disrupt civilian media is lawful. It would make no sense to distinguish between such an operation and a cyber operation that destroys data to achieve precisely the same result. Absent an agreed interpretation in the cyber context, it is perhaps best to tread lightly in characterising data as an object.
Generally, data should not be characterised as an object in itself. Rather, the determinative question is whether the consequences attendant to its destruction involve the requisite level of harm to protected physical objects or persons. If so, the cyber operation constitutes an unlawful attack.
My position is thus as follows. Since data is not an object, then on that basis it is not subject to the prohibition on attacking civilian objects; it is instead necessary to look to the consequences of its damage or destruction to determine whether the prohibition applies. However, as I have just noted above, I concede that if data is an object as a matter of law, the prohibition applies, albeit only if the cyber operation in question qualifies as an attack because the data has been damaged or destroyed.Footnote 68
Mr Mačák later returns to the issue of ‘attack’, contending that cyber operations that destroy data would constitute an attack. As just stated, I agree that they would if data first qualifies as an object, but his choice of examples to demonstrate that states would treat them as attacks is unconvincing. For example, he cites the case of targeting ‘critical data of a military nature, such as weapons logs, timetables for the deployment of military logistics or air traffic control information’. He argues that states would be likely to accept characterisation of the data as a legitimate military objective. In doing so, he falls into the same trap as before, for the question remains as to whether such data is an object. If so, obviously it constitutes a military objective and may be ‘attacked’; but if it is not an object, it may still be ‘targeted’ because the prohibition on attacking civilian objects does not attach. States would be comfortable with either approach.
He also employs the example of ‘essentially civilian data, such as electronic health records held at a particular hospital’ that if ‘clandestinely erased or altered’ could endanger the lives and health of patients. Operations against such data should therefore not fall ‘outside the scope of IHL’. But they do not. To begin with, the operation is an attack irrespective of the targeting of the data because of the potential foreseeable harm to patients. As the IGE noted without dissent, the requisite consequences to qualify as an attack ‘include any foreseeable consequential damage, destruction, injury or death’ and, accordingly, ‘[w]henever an attack on data results in the injury or death of individuals … those individuals … constitute the “object of attack” and the operation qualifies as an attack’.Footnote 69 Further, foreseeable collateral damage of the qualifying nature would also render the operation in question an attack.Footnote 70 Finally, the example is inapposite because the IGE unanimously concluded in Rule 71 that ‘data that form an integral part of the operations or administration of medical units and transports must be respected and protected, and in particular may not be made the object of attack’.Footnote 71
Mr Mačák next takes on my assertion that states would be unlikely to countenance treating data as an object because it would restrict their options, and suggests that the ‘premise of [my] argument is flawed’. He analogises my example of the innocuous e-mail with a single letter (which we agree is an object) and argues that ‘it is unlikely that states would, within the scope of armed conflict, engage in a military operation the sole aim of which would be to destroy one civilian letter (or one such e-mail)’. For him, the more likely scenario is an attack on a facility that qualifies as a military objective, such as a post office taken over by enemy forces. Operation of the proportionality rule would allow for the attack so long as expected collateral damage, which would include loss of the letter, is not excessive relative to the anticipated military advantage of the attack. Thus, even if an object, destruction of the letter – or the e-mail in an analogous cyber situation – would not be precluded. Therefore, states need not worry about the impact of styling data as an object.
This is unresponsive logic. The point of my argument was that there can be situations in which a state would want to target civilian data directly and therefore would hesitate to embrace an interpretive approach that would render it a civilian object. Examples were provided above; there are many more, including the other illustration I used in the article he refers to (extracted above) – disrupting television broadcasts. His reference to a situation in which states would see no need to target the civilian data in question is relevant only with respect to whether the harm to that data factors into the proportionality and precautions in attack analyses. In that regard, discounting my position would have necessitated an example in which the harm to the civilian data would have altered these assessments. It is only the inclusion of such data that would concern states.
Finally, Mr Mačák turns to the matter of ‘object and purpose’, which, as noted, I believe must be assessed in the contemporary context. In my mind, this is the key issue. It is where he should have begun, and stopped. This is so because I agree with his observation that ‘[t]eleological interpretation is … an available method ... with respect to customary norms’.Footnote 72 I likewise agree with his assessment that ‘the enhancement of the protection of civilians during situations of armed conflict’ is the object and purpose of Article 52(2), although the better reference is Article 52(1), which contains the operative prohibition in question.
In my estimation, Mr Mačák oversimplifies the teleological interpretation of IHL. What I have noted elsewhere bears repeating here.Footnote 73
As the 1899 and 1907 Hague Regulations famously noted, ‘[t]he right of belligerents to adopt means of injuring the enemy is not unlimited.’Footnote 74 Rather, IHL represents a carefully thought out balance between the principles of military necessity and humanity. Every one of its rules constitutes a dialectical compromise between these two opposing forces.
This should be unsurprising, for only states have the capacity to make international law, either by treaty or through state practice maturing into customary law. International law thus reflects the goals of those states consenting to be bound by it. In the arena of conflict, states harbour two prevailing aims. The first is an ability to pursue and safeguard vital national interests. When crafting IHL, states therefore insist that legal norms not unduly restrict their freedom of action on the battlefield, such that national interests might be affected. The principle of military necessity constitutes the IHL mechanism for safeguarding this purpose. It is not, as sometimes asserted, a limitation on military operations. Instead, the principle recognises the appropriateness of considering military factors in setting the rules of warfare.
Legitimate states are equally obligated to ensure the well-being of their citizenry, for the provision of ‘public goods,’ such as physical safety, underpins the social contract between a state and its people. The principle of humanity, which operates to protect the population (whether combatants or noncombatants) and its property, advances this imperative.
I feel compelled to make this point in response to two mirror image errors that are often made when interpreting IHL provisions. On the one hand, it is sometimes asserted that the application of IHL rules is subject to the condition of military necessity such that necessity may justify deviation therefrom, a position famously rejected in the Hostages Case.Footnote 75 On the other hand, IHL's incontrovertible object and purpose of tempering the suffering and destruction of warfare is frequently assessed in isolation from military necessity factors. That states carefully consider military necessity when crafting treaties or engaging in practice and expressing opinio juris is best illustrated by the rule of proportionality. This rule permits attacks that are expected to cause incidental harm to civilians and civilian objects so long as said harm is not excessive relative to the concrete and direct military advantage anticipated by the attacker.Footnote 76 This is so despite the fact that, for instance, the individuals harmed or otherwise affected may have nothing to do with the conflict.
Of course, Mr Mačák's concern that failure to interpret data as an object would ‘greatly expand the class of permissible targets in warfare’ is compelling in light of the object and purpose of protecting civilian objects, although a more precise formulation would be that cyber operations expand the practical ability to reach certain targets that exist in the form of data or that can be affected by targeting data. If the term ‘object’ does not include data, civilian data may be lawfully targeted despite deleterious effects on the civilian population, a reality that runs counter to humanitarian considerations. I agree.
However, one must be careful in this regard and think the matter through with normative balance. Mr Mačák cites the example of the April 2013 Syrian Electronic Army cyber operation involving a false Associated Press tweet that President Obama had been injured in a White House explosion. The tweet resulted in a significant fall on Wall Street but had no physical effects on any cyber infrastructure. He notes that ‘[a]ny such large-scale damage to civilian property in the physical world would certainly not escape the regulatory reach of IHL’.
In fact, the operation in question fell outside the reach of IHL because it was not associated with an armed conflict to which the United States was party. However, even had it occurred in the context of armed conflict, characterising data as an object would not have drawn the operation within the reach of IHL. While it could have been mounted by altering Associated Press data, the operation actually employed spear phishing (and a watering-hole attack)Footnote 77 to acquire the credentials necessary to tweet on behalf of the organisation.Footnote 78 Only in the case of altering the data would treating data as an object have rendered the operation unlawful; the phishing operation involved no data damage and thus the operation would not have qualified as a prohibited attack.
Even more simply, the group could have created multiple false media websites (for example, creating a website resembling that of The New York Times and using the domain name timesny.com instead of nytimes.com). If the websites were successfully publicised (on social media, for example) such that they would have begun to be actively shared or re-tweeted, the effects could have been just as disruptive as that which occurred. Yet, the operation would not be barred by the IHL prohibition on attacking civilian objects because no civilian data would have been affected.
Ultimately, one's position on the term ‘objects’ depends on a judgment call as to whether states are likely to interpret the notion as including data when they perform the balance between humanitarian considerations and military necessity that underpins all of IHL. The majority of the IGE concluded that at the present time it was premature to decide that they would. Mr Mačák merely disagrees.
Finally, Mr Mačák asserts that his interpretation ‘has the additional benefit of providing clarity as to the identification of permissible military targets’ and criticises the IGE's characterisation of a cyber operation against a website passing coded messages as an attack in which the military objective is the supporting cyber infrastructure. The IGE offered the example (distinguished in the commentary from a website inspiring patriotism) only to demonstrate that civilian objects engaged in cyber operations were capable of making ‘an effective contribution to military action’, and therefore could be converted into a military objective by the express terms of Article 52(2).Footnote 79 Yet, he dubs the characterisation ‘entirely counter-intuitive and without correspondence in reality’ and argues that ‘any attempt to bring the website down would be likely to take the form of a denial-of-service attack’.
The characterisation is hardly counter-intuitive. Whether the data qualifies as a military objective or not, its supporting cyber infrastructure undeniably does. As to the reality of the illustration, Mr Mačák misses the fact that in light of the paucity of offensive cyber capabilities in many armed forces today, the purpose of the characterisation may be to justify a kinetic attack. Most importantly, and at the risk of excessive repetition, labelling data as an object provides no meaningful clarity to the identification of permissible military targets. This is because if data is an object and qualifies as a military objective, it may be attacked. If it is not an object, then such qualification is meaningless since the prohibition does not apply; it may be targeted provided a loss of functionality does not ensue. From the perspective of those planning, approving, executing or commenting on an attack, labelling data as an object provides no greater clarity than saying it is not data.
4. A Reply to Dr Harrison Dinniss
The criticism of the majority approach by Dr Harrison Dinniss is more linear and less theoretical than that of Mr Mačák. In great part, her approach and that of the majority lead to similar practical results, albeit arrived at by dissimilar legal logic. This arises from her distinction between ‘content-level’ and ‘operational-level’ data. In particular, exclusion of content-level data (such as ‘the text of [her] article, or the contents of medical databases, library catalogues and the like’) from the ambit of the prohibition on attacking civilian objects makes sense. I agree fully with her that to the extent that ‘content-level data’ is protected, it is because IHL affords, as will be discussed, ‘special protection’ to certain entities.
Where we part ways conceptually is with respect to operational-level data (program data) – that is, the ‘type of data that gives hardware its functionality and ability to perform the tasks we require’. She argues that this should be considered an object. Although a majority of the IGE rejected this view, a different majority, when considering the separate issue of qualification of a cyber operation as an attack, deemed a cyber operation that results in a system's loss of functionality and requiring replacement of physical components to be an attack.Footnote 80 Within that majority were experts, myself among them, who were of the view that attacks included situations in which ‘functionality can be restored by reinstalling the operating system’.Footnote 81 Thus, whether the operation is prohibited because targeted operational-level data is a civilian object or because a civilian system is targeted in a manner that results in its loss of functionality, the operation in question is unlawful.
Dr Harrison Dinniss then turns to her assessment of the majority approach to data as an object, which she labels ‘inconsistent’. She begins, like Mr Mačák, with the observation that Rule 38 on the definition of military objectives omits the phrase ‘in so far as objects are concerned’ that appears in Article 52(2) of Additional Protocol I. She also highlights the majority's citation of the ICRC Commentary's ‘visible and tangible’ text, noting – again as Mr Mačák did – that the phrase was meant to distinguish objects in the sense of Article 52 from the general aims or purposes of a military operation; it was not ‘to specifically exclude intangible objects from the definition’. These points were addressed earlier and merit no further comment.
However, based on the latter distinction, Dr Harrison Dinniss maintains ‘[t]hus any computer program, database, system or virtual network could still qualify as a legitimate target if it meets the two-part definition set out in Article 52(2)’. This assertion is a leap of logic. The mere fact that the ‘visible and tangible’ text was not included to eliminate intangible entities from the scope of the term ‘objects’ does not mean that the prohibition on attacking objects necessarily encompasses entities lacking those characteristics. It merely leaves open that possibility. Moreover, as explained above, the majority considered the phrase but did not attribute determinative significance to it; like Mr Mačák, she attributes greater significance to the phrase in the majority position than did the majority itself, although in fairness to both of them a more robust discussion of the issue might have added clarity.
After brief discussion of whether data is or should be considered ‘tangible’ from a scientific perspective – a point on which I defer to the project's technical experts – Dr Harrison Dinniss makes the bold claim that ‘requiring tangibility leads to a manifestly unreasonable result’, and offers the following example in support of the assertion.
To take a practical example, weapons, weapons systems and military matériel are perhaps the epitome of a legitimate military objective. Malware that is designed specifically to cause death, injury, destruction or damage is indisputably a weapon. Examples include Stuxnet-type code, which is intended to cause physical destruction, or even viruses such as Wiper, which destroyed the functionality of computer systems without destroying any physical components. However, by excluding intangible objects such as code from the interpretation of the definition offered by the majority of the Tallinn group, neither of these cyber weapons would constitute a legitimate military objective. It cannot be correct that one can have a weapon that is made entirely from code that does not constitute a military objective.
She continues that ‘either a piece of code such as Stuxnet is a civilian object [because it is not a military objective] or, given that the problem is with the term “object” itself, it is not covered by the definition of military objectives at all’. Because the object and purpose of Additional Protocol I is ‘to provide effective protection for civilians and civilian objects while enabling parties to an armed conflict to conduct effective military operations, either of those alternatives produces a manifestly unreasonable result’. Presumably, her dilemma is that the malicious code cannot be attacked when doing so would further this object and purpose.
In fact, no dilemma exists. Irrespective of the view one takes on the object issue, Stuxnet-like code is clearly targetable during an armed conflict. This is so even if the code is used to target only civilian objects.Footnote 82 If it falls within the meaning of ‘object’ (the IGE minority position), the code accordingly qualifies as a military objective that may be lawfully attacked. If it is not an object (the IGE majority position), the Article 52(1) prohibition on attacking civilian objects does not apply and the code may be targeted even if the operation results in destruction or damage to the code. Further strengthening the targetability of the Stuxnet code by the majority approach is the fact that there is no prohibition on targeting data by employing a military operation that does not qualify as an attack, a separate norm explored above. Interestingly, what distinguishes Dr Harrison Dinniss' approach is her concern that, at least in this case, failure to treat data as an object precludes targeting a militarily valuable entity – which it does not. Most other critics find fault with the fact that the majority interpretation leaves the door open to targeting civilian data. She seems to turn their concern on its head.
The glitch in her analysis is that she characterises the majority approach as ‘insist[ing] on tangibility in the permitted targets of cyber operations’. This is the product of her focus on the concept of military objectives and the related Article 52(2) proviso that ‘[a]ttacks shall be limited strictly to military objectives’. However, the IGE did not adopt, as she suggests, a ‘materiality requirement for objectives’. Recall that Article 52(2) merely confirms Article 52(1), the prohibition on attacking civilian objects; it was the Article 52(1) prohibition that was at issue during the IGE's deliberations. That being so, the majority was interpreting the term ‘object’ to determine when an entity qualifies as a civilian object protected from attack pursuant to Article 52(1), not to assess whether data qualifies as a military objective subject to attack. The distinction is a fine but essential one. The fact that an entity is not an object does not mean it may not be ‘targeted’. On the contrary, it means that the prohibition on attacking civilian objects does not apply. There is no need to determine whether the target is a military objective.
This approach is consistent with the drafting history of Article 52. During the 1972 preparatory Conference of Government Experts, there was discussion about including both the mention of objects and the definition of military objects. For instance, according to the record of the Conference,Footnote 83
[t]hree experts proposed simply the deletion of the article on objects of a civilian character (CE/COM III/PC 22, 29 and 51) since, in their view, the concept of such objects flowed indirectly from that of military objectives (see below, Article 43). They declared that that course would be more favourable to the civilian population, for a positive definition of objects of a civilian character ran the risk of being either incomplete or open to a restrictive interpretation.
However, the reference to objects survived, thereby supporting the premise that the notion is not to be interpreted simply by reference to the definition of military objectives. Rather, the definition of military objectives is used to distinguish among objects, such that, as confirmed in the ICRC's study on customary international humanitarian law, ‘only those objects that qualify as military objectives may be attacked; other objects are protected against attack’.Footnote 84
Dr Harrison Dinniss further suggests that the majority's insistence on tangibility vis-à-vis military objectives is related to the IHL concept of attacks. In response, I suggest it is necessary to appreciate how the IGE dealt with the two distinct legal issues at hand – objects and attacks. The definition of object affects whether there is a prohibition on ‘shooting’ at data in cyberspace; it is about the target. By contrast, the definition of attack bears on whether a military operation qualifies as an attack, such that the various prohibitions on such operations apply; it is about the operation.Footnote 85
These are separate issues and the IGE treated them as such. At the risk of repeating some of what has been said above, deconstruction of the text of Article 52(1) – ‘Civilian objects shall not be the object of attack or of reprisals’ – makes this clear. The first inquiry is whether targeted data is even the object of attack. For instance, if the goal of a cyber operation is to affect the functionality of a cyber system, it is that system which is the ‘object of attack’ and the analysis would relate primarily to the system, not the data. If the goal is to affect the data itself, as in an operation to encrypt data to preclude its use by the enemy, the question is whether the data qualifies as an object. If data is not an object, as suggested by the majority, the Article 52(1) prohibition does not apply and analysis stops. The operation may proceed. If, as asserted by the minority, the data is an object, it becomes necessary to ask whether that data is civilian in nature. This is done by reference to the definition of military objectives in Article 52(2). If the data satisfies the test set out therein, the operation may proceed. If not, the final question is whether the operation qualifies as an attack. My view is that it does if the data is damaged (deleted, altered, etc). Should damage be likely to occur, the operation would be unlawful. However, if not – as with simply blocking data transmission – the cyber operation would not be an attack and, accordingly, is not subject to the prohibitory effect of Article 52(1). The operation may be launched.
Finally, Dr Harrison Dinniss suggests that the IGE was inconsistent in its approach to the tangibility of various entities. It was so, albeit with good reason. For instance, she cites the fact that the group imposed no tangibility condition when subjecting intangible weapons, such as biological contagions, to IHL.Footnote 86 Yet, it is unclear why that would matter. There is no logical reason to suggest that the character of a means or method of warfare must track that of the object it is used to attack.Footnote 87 From an IHL perspective, she is comparing the majority approach with dissimilar aspects of IHL and asking why we took different approaches to them.
The second example is similarly flawed. She correctly notes that the IGE concluded that certain digital property, in particular digital cultural property, was protected by IHL; this was offered as further evidence of inconsistency. Putting aside her failure to note that the IGE was split on the import of the intangibility of digital cultural property, a point discussed at some length in the commentary,Footnote 88 it is correct that the group extended IHL protection to certain types of data in various circumstances. In some cases this represented the view of the IGE as a whole, while in others majority and minority views emerged. Such data included, inter alia, that related to medical care, United Nations missions, detainee correspondence, journalism, cultural property, diplomatic archives and communications, humanitarian assistance, and occupation.Footnote 89 Protection attached also to data, harm to which might have negative effects on specified protected persons, objects, or activities. Examples include installations containing dangerous forces, objects indispensable to the civilian population, and the natural environment.Footnote 90
What has been missed in levelling the charge of inconsistency is that IHL provides special protection for certain objects, persons and activities that go beyond the protection from attack enjoyed by civilians and civilian objects. This protection is often framed in terms of respecting and protecting. Rule 70 is illustrative: ‘Medical and religious personnel, medical units, and medical transports must be respected and protected and, in particular, may not be made the object of cyber attack’. The commentary explains:Footnote 91
The requirement to ‘respect and protect’ involves separate obligations. The duty to respect is breached by actions that impede or prevent medical or religious personnel, medical units, or medical transports from performing their medical or religious functions, or that otherwise adversely affect the humanitarian functions of medical or religious personnel, units, or transports. It includes, but is not limited to, the prohibition on attacks. For instance, this Rule prohibits altering data in the Global Positioning System of a medical helicopter in order to misdirect it, even though the operation does not qualify as an attack on a medical transport (Rule 30). Similarly, blocking the online broadcast of a religious service for combat troops is prohibited. It must be cautioned that the Rule does not extend to situations that occur only incidentally, as in the case of the overall blocking of enemy communications.
By contrast, the duty to protect implies the taking of positive measures to ensure respect by others (e.g., non-state actors) for medical and religious personnel, medical units, and medical transports. For instance, the obligation would require a military force with the capability to do so to defend a hospital in an area under its control against cyber attacks by hacktivists, when and to the extent feasible.
The next rule expounds on this prohibition with respect to data: ‘Computers, computer networks, and data that form an integral part of the operations or administration of medical units and transports must be respected and protected, and in particular may not be made the object of attack’.Footnote 92 As noted in the accompanying commentary,Footnote 93
[t]he protection set forth in this Rule derives from the broader protection to which medical personnel, units, and transports are entitled (Rule 70).
…
The ‘data’ referred to in this Rule are those that are essential for the operation of medical units and transports. Examples include data necessary for the proper use of medical equipment and data tracking the inventory of medical supplies. Personal medical data required for the treatment of individual patients is likewise protected from alteration, deletion, or any other act by cyber means that would negatively affect their care, regardless of whether such acts amount to a cyber attack.
Similarly, Rule 74(a) provides that ‘[a]s long as they are entitled to the protection given to civilians and civilian objects under the law of armed conflict, United Nations personnel, installations, materiel, units, and vehicles, including computers and computer networks that support United Nations operations, must be respected and protected and are not subject to cyber attack’; Rule 82 states that ‘[t]he parties to an armed conflict must respect and protect cultural property that may be affected by cyber operations or that is located in cyberspace’; Rule 84 notes that ‘[d]iplomatic archives and communications are protected from cyber operations at all times’; Rule 86 prohibits cyber operations that are ‘designed or conducted to interfere unduly with impartial efforts to provide humanitarian assistance’; and Rule 87 provides that ‘[p]rotected persons in occupied territory must be respected and protected from the harmful effects of cyber operations’, for instance by being allowed ‘to transmit news of a strictly personal nature to members of their families, wherever they may be, and to receive news from them without undue delay’.Footnote 94
Plainly, the protection afforded to data in these and the other cases is not inconsistent with either the definition of objects or that of attacks because it is additional to the protection of civilian objects from attack. It is irrelevant as a matter of law whether the data concerned is an object or the operation in question amounts to an attack; neither is a condition of the special protection afforded to it under IHL. Since the activities enjoy special protection, data on which those activities depend likewise enjoys protection.
The remainder of Dr Harrison Dinniss' contribution examines the requirement under Article 52(2) of the Additional Protocol for an object to make an effective contribution to military action by ‘nature, location, purpose or use’, as well as the extent of specificity required in defining the military objective. As the discussion does not directly impact upon the question at hand – whether data qualifies as an object – I shall not examine it here. My sole comment is with regard to her treatment of code ‘forming part of the military matériel of the adversary … as part of an otherwise civilian object’. In her example, cyber operations are mounted against the code, thereby affecting the system's functionality. She states that
it seems disingenuous to suggest that the attack is directed against the host system (even though it would qualify as a military objective through its dual use), where it is, in fact, more properly viewed as collateral damage in the attack against the military object embedded within. The Tallinn Manual approach to such a problem merely moves the alleged object of the attack to the nearest physical component or the recipient of the physical effect.
This analysis is perplexing. If the host system qualifies as a military objective, as she correctly acknowledges it does because it is used to store military data, it may be attacked. This is so whether the data qualifies as an object or not. Assuming, solely for the sake of analysis, that the code is an object, both the code and the host system on which it is stored are military objectives. Neither the fact that the host system performs civilian functions nor that the goal of the attacker is to destroy the data relieves the host system of its character as a military objective. Any incidental damage to other cyber infrastructure that is civilian in nature is, of course, an issue of proportionality and precautions in attack. Yet, it has never been asserted that a military objective, such as the dual-use host system, should be factored into either of these analyses. The sole exception, as acknowledged by the entire IGE, is that ‘a cyber attack against a dual-use system will be unlawful whenever the individual military components thereof could have been attacked separately’.Footnote 95
5. Quo Vadis?
In my view, the analyses of both Mr Mačák and Dr Harrison Dinniss are at times counter-normative, while their characterisation of the work of the IGE is occasionally counter-factual. Both arrive at conclusions as to the lex lata that I cannot but regard as lex ferenda. This does not detract from the importance and erudition of their contributions to the dialectical process by which the interpretation of international law, especially IHL, continuously evolves to take account of the context in which it is to be applied.Footnote 96
I happen to believe the law will travel in the direction at which they both point. As I have noted elsewhere, the exclusion of data from the ambit of the concept of objectsFootnote 97
is unlikely to endure. Today, the importance of data usually exceeds that of their physical manifestation. In fact, the existence of data serves to diminish the significance of corresponding physical objects. To take a simple example, most governments maintain digital copies of records for activities such as census taking, the provision of social benefits, voting, taxation, and so forth. Loss of the digitized records would be a much greater impediment to the continuation of governmental functions than would destruction of their physical equivalents; indeed, in the future there will be no ‘hard copy’ records. IHL will assuredly evolve to meet the shift in the relative importance of physical and virtual data.
This process will be evolutionary, not revolutionary. States are unlikely to countenance treating all (or even just operational-level) data as an object subject to the relevant IHL prohibitions. They will continue to safeguard their legal option of directing certain operations, such as psychological operations, at civilian populations even when said operations involve damage to data. Additionally, in light of military necessity concerns, they will hesitate to accept an interpretation of IHL that includes such damage in proportionality or precautions in attack calculations.
This begs the question of how the relevant normative architecture will evolve. I can only speculate.Footnote 98 Arguably, the likeliest trend will be greater focus on consequentiality, as it is that characteristic which underpins the military necessity/humanitarian considerations balance of IHL. This approach is already evident in the acceptance of the notion of functionality by a majority of the IGE vis-à-vis the meaning of the term ‘attack’.
If evolution of the notion of object takes a similar vector, perhaps the concern of states regarding treating all data as objects (over inclusivity) and the countervailing concern regarding treating none of it as such could be addressed through the emergence of a new norm based on function. For instance, data upon which ‘essential civilian services’ rely would qualify, thereby rendering the data a civilian object immune from attack. This would, of course, require either interpretive acrobatics or evidence of crystallisation, but the approach would better accord with the inherent military necessity/humanitarian considerations balance of IHL than either an ‘all in’ or ‘all out’. I offer this as merely one possibility but, however the issue plays out, normative stasis is highly improbable.
