Nothing is certain but death and taxes (unless you get hacked): An international law perspective on Ukraine’s cyber attack against Russia’s Federal Tax Service

Talk about bad timing. This week, all international lawyers with a little more than passing interest in all things cyber have their eyes on – or are themselves in – New York. That’s because the UN “Cyber OEWG”, a shorthand for an open-ended working group with a much longer name, is in session to discuss, among other issues, how international law applies to the use of information and communications technologies by States.

But while State representatives were reciting their polished statements replete with references to abstract international legal rules, a very concrete incident was unfolding halfway around the globe, one that cast a bright light on a key legal dilemma faced by States. That dilemma is how to qualify computer data under international humanitarian law (IHL), a question with paramount implications for the protection of civilian populations during modern armed conflicts.

The story that is the subject of this article began, as many things do these days, with a social media post. On Tuesday 12 December, Ukraine’s military intelligence said that it had successfully hacked into the cyber infrastructure of Russia’s tax system and then destroyed the tax database. The tone of the emoji-laden announcement, made public on the Telegram platform, was unabashedly self-congratulatory. Here’s a brief sample, machine-translated into English:

 

The immediate reaction from the cyber security community confirmed that we were in uncharted waters. For example, Dan Black from the Cyber Espionage team at Google’s Mandiant noted that this was likely the first case in which a State has “directly self-attributed” an operation of this kind. Assuming that the facts as described in Ukraine’s announcement were accurate (unsurprisingly, Russia’s Federal Tax Service soon denied the incident), this means we can put the vexing attribution problem to the side. Ukraine has clearly claimed responsibility for the operation. But was it lawful?

The hack was governed by international humanitarian law

The operation took place in the context of the ongoing international armed conflict between Russia and Ukraine. As an activity undertaken by one of the parties to that conflict against the other, it had a clear nexus to the conflict. There is therefore no doubt that it was governed by IHL, in other words, the body of law that regulates the conduct of belligerents during an armed conflict.

During the 2010s, there was some discussion among States whether IHL applies in cyberspace. At the time, some States expressed concerns that accepting the applicability of IHL in the cyber context might legitimize the use of military cyber operations and lead to the militarization of cyberspace. While these are important considerations, as Laurent Gisel and I explained elsewhere, they are not necessarily incompatible with the application of IHL to cyber operations during armed conflict (see at p. 146).

Importantly, in 2021, States agreed on a compromise formulation – first expressed in an expert report that was later endorsed by a consensus resolution of the UN General Assembly – which acknowledged the applicability of IHL but noted that “recalling [IHL] principles by no means legitimizes or encourages conflict”. Since then, we can speak of an international consensus that IHL governs cyber operations during armed conflict – such as the one analysed in this post.

Measuring the operation against the conduct of hostilities rules

To assess whether the operation was lawful, two aspects should be underscored at this juncture. First of all, the operation did not stop at penetrating the Russian Federal Tax Service’s networks, but according to Ukraine’s military intelligence, it destroyed the data stored in those networks. This is important because there is broad agreement that cyber espionage as such does not violate IHL (see e.g. Tallinn Manual 2.0, commentary to rule 89 at para. 5). What matters is whether the operation results in something more than just accessing networks and exfiltrating data – which this one allegedly did.

Second, the data in question was not associated with any objects or personnel that are given specific protection under IHL. These are entities such as medical facilities and impartial humanitarian organizations together with their personnel. So, for example, if Ukraine had targeted and destroyed a medical database, the operation would have implicated the requirement that medical units, transport and personnel must be respected and protected by the parties to the conflict at all times (see Rules 25, 28, and 29 of the ICRC’s Customary IHL Study). Because the destruction of a database relied upon by a health-care facility would by definition impede the functioning of such a facility, it would be prohibited by IHL.

However, tax data does not enjoy such special protection, and it must therefore be assessed under the ordinary conduct of hostilities rules. The key among them is Article 52(1) of the First Additional Protocol to the 1949 Geneva Conventions, which provides for the prohibition of direct attacks against civilian objects. If the Ukrainian armed forces had bombed a building belonging to the Russian tax authorities – i.e., a civilian object – the attack would have obviously violated this rule. But is civilian data also a civilian object?

Qualification of data as an object under IHL

This is a vexing question that has long divided international legal scholars, States, and other stakeholders, going back to the exchanges by Tallinn Manual experts (see the commentary on Rule 38 in the 2013 edition, paras 4–5). I was one of those to throw their hat in the ring fairly early on, arguing in 2015 that the strict application of the treaty interpretation rules leads to the conclusion that the meaning of the term “object” in Additional Protocol I has evolved over time to include computer data (at pp. 65–80). Others disagree: for instance, in a recent article, Ori Pomson rejected such evolutionary interpretation and argued that the term “object” in AP I basically means “a material thing” (at pp. 368–373).

An overview of State views expressed thus far suggests that three broad schools of thought or general approaches have emerged:

  1. Originalist approach: This is a view that places a premium on the understanding of the term “object” as it was back when Additional Protocol I was drafted in the 1970s. According to this view, for something to be an object, it must be visible and tangible. Therefore, civilian computer data – such as a tax database – would not qualify as a civilian object, and it would thus be outside of the protective scope of the relevant conduct of hostilities rules. States that subscribe to this approach include Denmark, Chile, and Israel.
  2. Evolutive approach: Other States, including Costa Rica, Finland, Germany, Norway, and Romania, consider all civilian data to be protected as civilian objects. This implies that data qualify as objects under IHL. That point is sometimes made expressly: for instance, Costa Rica has said that it “endorses the view that civilian data constitute civilian objects under IHL” (at para. 50). This approach can be described as “evolutive” as it looks at the function that data plays in modern society and interprets the notion of “objects” under IHL through this contemporary lens.
  3. Hybrid approach: Finally, there is a third, hybrid category, which for now consists of one State. This State is France, which in its national position considers “content data” (“des données de contenu”) as protected under the principle of distinction, leaving to the side whether other types of data (such as code or metadata) formally qualify as objects or not (see at pp. 15–16). Under this approach, civilian content data (such as tax data) is protected against attack just as other types of civilian objects.

Overall, this wide spectrum of views shows that the question of whether and to what extent data constitute objects for the purposes of their protection under IHL remains unresolved at the present time (for more, see this page in the Cyber Law Toolkit, which also contains excerpts from many relevant State position papers). At any rate, at least under approaches (2) and (3), the datasets targeted by Ukraine’s military intelligence qualified as protected civilian objects. Based on the available facts, their destruction thus would have amounted to a violation of IHL. For what it’s worth, I tend to agree with this interpretation.

Implications and possible ways forward

Even if some may view this particular operation as a creative tactic employed against a more powerful adversary, we should not lose sight of the fact that the rules of IHL are of general application and are designed to apply to all conflicts and all belligerents equally. As the ICRC has said, destroying essential civilian data “can quickly bring government services and private businesses to a complete standstill” and thus “cause more harm to civilians than the destruction of physical objects” (at p. 490).

In my view, we should thus resist any interpretive approaches that do not sufficiently protect against these forms of harm – bearing in mind that the overall aim of IHL is to protect victims of war, including in particular the civilian populations in conflict-stricken territories. In other words, a permissive interpretation one might be tempted to endorse today may well have considerable detrimental effect on one’s own civilian population in a conflict tomorrow.

Ultimately, it is through incidents such as this one that the international community will gradually coalesce around one of the possible interpretive approaches. This process underscores the dynamic nature of international law, which is made first and foremost by States. The incident discussed in this post will thus no doubt be studied by international lawyers in foreign and defence ministries around the world, quite likely including a few who will just be returning home from a busy week in New York.

When advising their governments which approach to endorse, they should carefully weigh the ramifications it would have for the protection of their own governance datasets (not just tax databases, but also social security, banking, election databases, and so on) and, by extension, their own civilian populations caught in the digital crossfire. This week’s incident is yet another confirmation that in the digital age, legal protections must cover more than just physical objects.


Comments

Bill Boothby says

December 14, 2023

Kubo, Thank you for this clear exposition of this long-standing, tricky yet highly important issue. I have always wondered whether there is mileage in thinking about the words 'In so far as objects are concerned' in the second sentence of Article 52(2). This wording makes it clear that phenomena other than objects can be military objectives. I guess the traditional view was that those phenomena comprise persons, in the form of combatants and directly participating civilians. An interesting question is whether, in the 21st Century, data can be included in this category of 'military objectives that are not objects'. One rather wonders if not, why not. Equally, one wonders if so, what criteria would have to be applied, e.g. to data, to render it a military objective, and indeed what other kinds of non-object can be military objectives. Where the criteria to be applied are concerned, a possibility to consider is, of course, the twin tests in the second sentence of 52(2). I suppose the objection to this approach is that it would not have been in the contemplation of those who negotiated API. A supporter of the approach would counter that in the years since 1977, technology has developed, national dependencies have developed with it, and the vital protective purpose that Articles 48 to 52 serve requires that legal interpretation move with the times. Perhaps the key objection to extending the military objective notion to non-objects in this way would be that the military objective notion might thereby be broadened such as to imperil the distinction principle's effectiveness. These are just thoughts that occurred to me as I read your excellent piece for which I thank you.
All the best,
Bill

Dapo Akande says

December 15, 2023

Hi Kubo! Thanks for this post. You measure the operation against the conduct of hostilities rules in IHL so you seem to take the view that the operation constituted an "attack" since the principle of distinction prohibits "attacks" against or directed at civilian objects. You seem to base your assessment on the use of the fact that the Ukrainian agency states that it "destroyed" the data or the infrastructure of the tax authorities. But do we know whether this is more deletion of the data (in addition to exfiltration)? If it was no more than exfiltration, deletion and some loss of functionality, would this amount to "destruction" for the purposes of qualifying the operation as an attack?

Kubo Mačák says

December 19, 2023

Bill,

Thank you for your question. I think the solution you propose is certainly a possible one. I looked at it in some detail when writing the 2015 article cited in the piece. In the article, I called it the “Alternative route: Data is not an object, yet it may be a military objective” (see section 4 on pp. 63–65). Ultimately, I argued against it in the article, in part for the same reasons as you mention in your question.

Basically, the notion of military objectives under IHL is predicated on a persons-objects dichotomy. Once we remove a class of entities from this dichotomy, it is unclear how to determine when those entities (here: data) would qualify as a military objective. This is because by qualifying such entity as a non-object, one has removed it from the scope of the second sentence of Article 52(2) which is delineated by the opening phrase that you mention, i.e., “In so far as objects are concerned”. There is more in the article itself, in which I concluded the relevant section by saying that “despite its initial appeal, the ‘alternative route’ solution must … be rejected”.

If I was writing it today, I would add that there is (to my knowledge) no supporting State practice for this “alternative” position – whereas, by contrast, there are express State views supporting the three approaches outlined in the post above. So it seems that the law isn’t really moving in this direction. But it’s a very good point and I am glad you raised it, as due to the space constraints I wasn’t able to go into it in the post itself.

Best wishes,
Kubo

Kubo Mačák says

December 19, 2023

Dapo,

Thank you for your question. An operation that deletes some datasets and thereby occasions a loss of functionality of parts of cyber infrastructure can in my view qualify as an “attack” at least through two interpretive routes. As a preliminary point, it is useful to recall that the term “attack” is defined in Article 49 AP I as an act of violence against the adversary, whether in offence or in defence. Today, there is a general agreement that cyber operations that can be reasonably expected to cause injury or death to persons or damage or destruction to objects constitute attacks under that definition (see e.g. Tallinn Manual 2.0, rule 92; this interpretation is also expressly held by several States as well as the ICRC).

The first interpretive route is to consider the loss of functionality as a form of damage (as several States do, although there are shades of grey among their opinions: see this Cyber Law Toolkit page for an up-to-date overview). In my view this is the correct interpretation: if an operation is designed to disable an object, it does not matter whether this effect is achieved through kinetic or cyber means. And if loss of functionality is a form of damage, then launching a cyber operation that is reasonably expected to result in this outcome qualifies as an attack.

The second route is – as I have done in the post – to focus on the effects the operation in question may have on data. In that case, the key question is: what does the acting party to the conflict do to the data? Does it merely access it, or also exfiltrate it, perhaps encrypt it (thereby precluding access by the data holder), or delete it altogether? Provided that one interprets data as an object under IHL, then its destruction through deletion qualifies as an attack. That same conclusion would not in my view apply to the other modalities mentioned above such as accessing or exfiltrating data because the affected datasets would not be damaged or destroyed. And an interesting open question remains vis-à-vis encryption given that some forms of ransomware may not destroy the targeted data, but merely make it inaccessible on a temporary or permanent basis. This was discussed during one of the ICRC’s regional consultations on IHL and cyber operations but participating States did not reach any consensus on the issue (see p. 8 of the report).

Best wishes,
Kubo

Jyoti Singh says

January 2, 2024

Hi Kubo,

Let me first thank you for this brilliantly articulated blog. This definitely is very helpful. As I can infer from this write-up, there is almost an international consensus on the applicability of IHL to the Cyber Warfare during an armed conflict, which means the principles of proportionality, distinction and precaution are all applicable to cyber warfare as well. However, in my understanding, according to Article 48(1) of the AP(I), the Parties must distinguish between civilian objects and military objectives. My question to you is, if it is still unsettled whether the civilian data qualifies as an object, won't the consensus of IHL's applicability to Cyber Warfare also be dubious? This is just for my understanding. Thanks and regards.