Data Breach and Cyber Security

Written by Syed Qasim Abbas July 17, 2021 11:47 am Articles, International Relations, Published Content

Data Breach and Cyber Security: The Case of Civilian Risks & IHL

With the progression of cyber technology, threats to the cyber security of civilians have increased, particularly in the last decade. The author, Syed Qasim Abbas, notes that while the International Humanitarian Law (IHL) ensures the safety of civilians and their property in an armed conflict, it fails to provide adequate protection and punishment in the case of cyber warfare, in the absence of an ongoing war. Moreover, it fails to categorize civilian data—which is easier to breach when outdated technology is involved—as civilian property. This leaves civilian populations vulnerable to cyberattacks and perpetrators free to do as they please, thus elevating the risks of a humanitarian crisis. In light of the limitations of IHL, the author recommends certain changes to extend the applicability of the law to cyberattacks against civilians and reduce humanitarian risks.
community forum image
About the Author(s)
Syed Qasim Abbas
+ posts

Syed Qasim Abbas is a student of law at the Lahore University of Management Sciences (LUMS). His prime focus, and area of interest, is international law, under the light of which, he analyzes international diplomacy.

Introduction

The internet, undoubtedly, has been one of the most contributive creations that have enabled man to connect over distances in a virtual capacity. The byproduct of this fruitful creation is consumer data, which in modern times has become a precious asset. Its misuse has the potential to affect civilian lives in unimaginable ways. Unfortunately, the trend of exploiting consumer data has grown by many folds in recent times. A small data breach puts a civilian’s cyber security at risk, which can eventually lead to a larger humanitarian crisis.

States and non-state actors are using this as a new tool to compete for personal benefits. As a result, warfare has proliferated in cyberspace, especially with the objective of breaching data to spy and exploit a country’s national secrets. According to the world’s cyber warfare statistics, cyber operations have increased by 440% between 2008 and 2018.

Recent examples from 2021 include operations by Iranian and Russian hackers on Japan’s Fujitsu system, the US State Department, and the Israeli medical infrastructure. These attacks stole credentials of medical officers, emails, and government files.

Submissions 2023

States across the globe are using cyberattacks as an alternative to using kinetic force. The motivation behind this is the potential of cyberattacks to create collateral damage, with minimal accountability, at very low costs. Hence, the chances of humanitarian harm have become very real.

Also Read:  Cybersecurity in Pakistan: A Grave Vulnerability

Recognizing the proliferation of cyberattacks and their humanitarian risks, this article analyzes the applicability of International Humanitarian Law (IHL) on state-sponsored cyber operations that breach data independent of an armed conflict. It evaluates the protections available against such operations in jus in bello, simultaneously suggesting certain necessary changes that can ensure direct applicability of IHL on cyberattacks.

IHL’s Applicability to Cyberattacks

Cyber technology developed many years after the formulation of International Humanitarian Law (IHL), hence,  IHL has no direct provisions relating to cyber warfare. However, ratifying states agreed on applying IHL’s customs to unpredicted war techniques of the future in the Martens Clause, which was made part of the Geneva and Hague Conventions. Consequently, one can argue that there is some indirect applicability of IHL to cyberattacks. But the absence of direct provisions leaves a legal lacuna that exposes civilians to humanitarian risks of cyberattacks.

IHL fails to apply to cyberattacks happening without an ongoing armed conflict. This is because kinetic use of force is a fundamental prerequisite for invoking IHL’s provisions. There should be some nexus between a cyber operation and an armed conflict to apply IHL, as recognized by rule 80 of the Tallinn Manual 2.0 (TM). Most of the time, a nexus is absent or inexplicit. In fact, states carry out most cyber operations with a motivation to exploit this legal lacuna. It allows them to escape any accountability under international law.

Examples of such operations are the cyberattacks conducted on Estonia by the Russian military in 2007. These attacks blocked the websites of many banks, state departments, and newspapers, making it difficult to enjoy the civilians right to freedom, speech, and information.

A similar attack happened in 2017 that affected England’s National Health Services (NHS). A hacking group targeted outdated Microsoft Windows Operating Systems by using a cryptoworm called “WannaCry” based on a stolen exploit developed by the United States National Security Agency. It took four days for the NHS to recover. In both cases, despite the fact that the attackers were identified they faced no legal repercussions.

Applying IHL’s Customs on the Threats to Cybersecurity

To apply IHL’s customs to cyberattacks, the international community must tweak the legal order by creating distinctive provisions within IHL for cyberattacks. Through an additional protocol to the Hague and Geneva Conventions, states can bypass the existing legal requirement of establishing a nexus between a cyber operation and an armed conflict.

Also Read:  Israel's Dominance in Cyberspace: What Made It Possible?

For this, states must expand the definition of an armed conflict to the administration of inter-state hostilities through kinetic operations or cyberattacks, or both. A consensus must be reached that cyberattacks should be considered armed conflicts, which is also illustrated in rule 82 of TM.

With the aforementioned first step, some progress in this domain can be achieved. IHL’s existing customs – such as distinction, proportionality, humanity, and precaution – would be applicable to all kinds of cyberattacks. However, this will not be enough to protect data from the threats to cybersecurity under IHL. As mentioned in Article 48 of the Additional Protocol 1 of the Geneva Conventions and Rule 93 of the TM, the principle of distinction shields civilians and civilian objects from attacks. Data, however, does not classify as an object under IHL. This is also recognized under Rule 37 of the first edition of the TM.

Protecting Data under IHL

The breach of data must be curtailed as they impede the cyber security of the civilians and their right to privacy, and can lead to civilian injuries. Injury to civilians due to a data breach in their cyber security is excessive in relation to the concrete and direct strategic advantage sought, which makes such attacks disproportionate under IHL.

In order to protect civilians against threats to their cybersecurity, states must adopt technical and policy measures to limit data collection to necessity thresholds. This can be done in two ways: collecting only extremely relevant data, and making data retention an exclusive right for public services like health, national registration, and social-services provision.  

Moreover, technical measures like proper data encryption must be used for civilian data and privacy protection to ensure that no breach in their cyber security occurs. All states must begin with updating the technology used for humanitarian purposes. This should be a lesson learned from the aforementioned WannaCry attack of 2017, which targeted outdated operating systems.

Protective measures like firewalls should be regularly updated. Due to the internet’s global usage, cyberattacks fail to distinguish between humanitarian and military contexts. Hence, developed states, under the principle of common but differentiated responsibility, should provide funding and assistance for capacity building in developing states.

Also Read:  The Politics of the Veil in France, India & Iran

The resources and funding from developed states can be channeled by using international organizations. However, in order for this to happen, these organizations need to expand their focus on addressing cyber operations. For building global capacity in collaboration with developing states, international organizations – like the International Committee of the Red Cross (ICRC) – must identify states like Singapore that have an abundance of resources as well as little threat of conflict.

These states can then function as cyber-host states where cyber assistance cells can be set up to develop technical capacity and human resources, which can be used to assist poor countries with the restoration of humanitarian services in cyberattacks. These cells can also help identify the geographical location of a cyberattack and produce neutral reports that help international courts adjudicate on the issue. All technical and policy measures can be made binding if included as efforts to be pursued by all signatory states of the aforementioned proposed convention.

Conclusion

The 2017 attack on the NHS showed that while the dependence of modern medical facilities on cyber technology makes treatment efficient, it also opens possibilities for newer kinds of threats. The Covid-19 pandemic has further highlighted that even for advanced nations, impediments on the functioning of medical facilities or other essential services can have catastrophic results.

Keeping this in mind, it is essential that the international community comes together to take legal, policy, and technical measures to ensure that no state or non-state actor tries to weaponize cyberattacks, by exploiting the threats to cybersecurity, to cause humanitarian losses. IHL must ensure its continued relevance and evolution in relation to cyberattacks to ensure that humans can reap the benefits of modern technology with minimal risks of a humanitarian crisis.

If you want to submit your articles and/or research papers, please check the Submissions page.

The views and opinions expressed in this article/paper are the author’s own and do not necessarily reflect the editorial position of Paradigm Shift.

(Visited 600 times, 1 visits today)
Civil War in Congo Previous Story
The Civil War in Congo (1960-1965): The Roles of Belgium, the USA & the USSR
us military bases in pakistan Next Story
“Absolutely Not” To US Military Bases in Pakistan: The Possible Consequences

Related Posts

cyberwarfare israel

Cyberwarfare in the Israel-Hamas Conflict

Written by Babar Khan Akhunzada December 15, 2023 7:41 pm

Babar Khan Akhunzada delves into the intricate cyber battlefield that has emerged between Hamas and Israel, exploring the strategies, incidents, and implications of their digital warfare. As he navigates through this complex subject, he uncovers the broader context of cyberwarfare’s role in modern conflicts, shedding light on its escalating significance and the evolving nature of warfare in the digital age.
Read More Read More: Cyberwarfare in the Israel-Hamas Conflict
israel's cyberspace

Israel’s Dominance in Cyberspace: What Made It Possible?

Written by Fatimah Naeem November 11, 2023 7:54 pm

In recent years, Israel has emerged as a dominant force in the realm of cyberspace, sparking widespread interest and concern worldwide. Fatimah Naeem delves into the factors behind Israel’s ascent in the cyber domain. Israel’s close relationship with the United States has enabled extensive collaboration and intelligence sharing, bolstering its cyber capabilities. However, this dominance is not without controversy. Israel’s activities in cyberspace have raised ethical and geopolitical concerns, leading to calls for increased transparency and regulation. As Israel’s influence in cyberspace continues to grow, understanding its role in this digital landscape is of paramount importance.
Read More Read More: Israel’s Dominance in Cyberspace: What Made It Possible?
AI and

AI in Politics: A Blessing or a Curse?

Written by Sabrina Sohail November 2, 2023 7:26 pm

Sabrina Sohail contemplates the effects of artificial intelligence on politics in the modern day. The innovative breakthrough presents challenges to the state and to individuals if used for nefarious reasons. She presents the case of the fake Pentagon bombing to emphasize the use of AI as a propaganda tool.
Read More Read More: AI in Politics: A Blessing or a Curse?
International Responsibility of International Organisations

The International Responsibility of International Organisations

Written by Memoona Nasir June 13, 2023 8:30 pm

Moritz P. Moelle ponders the decades-old question of whether or not collective responsibility and accountability should exist in the peacekeeping missions of international organizations. His book, “The International Responsibility of International Organisations,” addresses the intricacies involved in the conduct of international organizations through a comprehensive analysis of both the UN Charter and the International Law Commission’s Articles on Responsibility of International Organizations (ARIO). The book further encompasses Moelle’s idea of normative control to foster joint responsibility of international and regional organizations.
Read More Read More: The International Responsibility of International Organisations

Comments are closed.

Close
Click to access the login or register cheese