Attacking Big Data as a Use of Force
Big Data and Armed Conflict: Legal Issues Above and Below the Armed Conflict Threshold, edited by Laura A. Dickinson & Edward Berg, Forhtcoming 2022
20 Pages Posted: 8 May 2022
Date Written: April 18, 2022
Since the advent of cyber operations, international law has operated on the assumption that state actors are not prohibited from breaching each other’s systems to manipulate, and potentially destroy, digital data. This assumption is based on the common understanding that international law does not make acts of harm to data illegal. However, with decreasing storage costs and the emergence of large quantities of data, this assumption is increasingly questioned by both states and scholars.
This chapter seeks to challenge the assumption that all data is created equal. The current legal state of affairs affords states a carte blanche to hack each other’s computer systems and networks regardless of the type of data being targeted (personal v. non-personal) and its volume (a single file v. an entire database). Indeed, such action may lead to criminal charges initiated by the targeted state, but internationally, states rarely face any consequences or condemnation.
This chapter will argue that international law, generally, should treat big data differently from “small” data. More specifically, this chapter is focused on jus ad bellum questions pertaining to cyber operations against big data. Given the increasing volume of sensitive and personal data compromised by states, both pre-conflict and during conflict, the equilibrium between sovereignty (a state’s freedom of action in cyberspace) and the confidentiality, integrity, and availability of data ought to change. To support this argument, this chapter will take two routes to conduct its analysis. First, this chapter will conceptualize Big Data, as compared to Small Data.
Second, this chapter will explore how cyber operations against data may be addressed by the jus ad bellum. This exercise will highlight that international law has an existing legal framework through which a subset of cyber operations against Big Data may be addressed.
Third, this chapter will offer a way to conceptualize the jus ad bellum in the context of cyber operations against Big Data. Today’s big data is far more sensitive, revealing, and prone to misuse. For example, the compromise of biometric data database may enable the adversary to misuse these credentials in future cyber operations as well as make powerful inferences based on the quality and quantity of the data. Therefore, Big Data should be treated differently by the use of force framework as compared to Small Data. The focus of this chapter, therefore, is on the use of force and armed attack thresholds and their application to Big Data.
Fourth, this chapter will explore some of the developments in the context of international law and cyberspace, in particular, official state statements on how the jus ad bellum applies to non-kinetic cyber operations. At the heart of this exploration is the observation that some states are ever more willing to extend existing jus ad bellum to cyber operations targeting data, though they do not dive any deeper into what they mean by ‘data’. This deviation from the kinetic approach is heralding a shift in the way cyber operations against Big Data may be handled under the jus ad bellum in the future.
Finally, this chapter will make a normative argument and a methodological recommendation. Normatively, cyber operations targeting Big Data are much more devastating than cyber operations against Small Data, therefore the jus ad bellum framework should distinguish between the severities of the two scenarios. Methodologically, any State statements on how the use of force framework applies to non-kinetic cyber operations should explicitly distinguish between Small Data and Big Data, given the normative position that this chapter takes on the difference between the two.
This chapter therefore contributes to the current body of scholarship by arguing that not all data is created equal. Up to this point, scholarship has addressed data as a monolith, without acknowledging the changing nature, volume, and sensitivity of data which we are witnessing with the emerging Big Data environment. Scholarship to date has largely failed to distinguish between data and Big Data, which is a critical distinction to make as this chapter will argue. While the law has by and large tolerated the cyber operations against data, it has only addressed such operations against Big Data by analogy to small data. As will be shown in this chapter, the two operations cannot be analogized.
Suggested Citation: Suggested Citation