New Vulnerabilities: the Fate of Governmental Data Stored on the Cloud

[Cecilia Pechmeze is a public international law practitioner, and the founder of Pechmeze Law. She tweets @ceciliapechmeze.]

After a number of failures, Europe has been working on its own version of data infrastructure, GAIA-X, in an attempt to gain its independence from foreign Cloud Service Providers (CSPs). The project is still at its designing phase, a phase some argue it might never complete. Regardless of its prospects for success, the European cloud stresses the old continent’s ambition to be independent.

Meanwhile, governments, everywhere, have been using foreign Cloud Service Providers, leading to their data sometimes being located abroad. Beyond cyber security considerations, this raises questions regarding the qualification of an operation targeting government data located abroad. Practically, what would be the legal implications of a cyber operation conducted by an operating state A, against a targeted state B’s data located on host state C’s territory? A cyber operation affecting data only would unlikely amount to use of force or armed attack. This short essay thus reflects on the possibility for such an operation to constitute a violation of sovereignty and an intervention only. 

         I.     An Operation on Data as a Violation of Sovereignty

The rise, in frequency and sophistication, of cyber operations has reinvigorated discussions about the meaning and contours of the concept of sovereignty and its application in cyberspace. Both scholars and States have participated in the discussion attempting to draw the contours of the notion. 

Regardless of their location, knowing if an attack on data could lead to a violation of sovereignty has been addressed by scholars. Some authors, notably the Tallinn Manual Experts, have clearly addressed the question of operations targeting data, agreeing they could amount under specific circumstances to a violation of sovereignty. Relying on the seminal arbitral case, Island of Palmas, they conceive sovereignty being breached in two cases: in that of a violation of a state’s territorial integrity, and in the case of an interference with or usurpation of inherently governmental functions (Rule 4, note 10).  As noted by Professor Schmitt, this also seems to reflect Oppenheim’s view of sovereignty, that he conceives as being twofold as well: state’s independence, and territorial and personal supremacy. Regarding the infringement of a state’s territorial sovereignty, no consensus could be found among the Experts as to whether or not a “cyber operation that results in neither physical damage nor the loss of functionality amounts to a violation of sovereignty” (Rule 4, note 14). Among the proponent of a violation of territory in spite of any physical damage or loss of functionality, Experts noted that “altering or deleting data stored in cyber infrastructure without causing physical or functional consequences” could potentially amount to a violation of sovereignty. Nonetheless, their reasoning for this conclusion precludes any application of this rule to data located abroad: the Experts came to the conclusion that a cyber operation that results in neither physical damage nor the loss of functionality could potentially amount to a violation of sovereignty because it would be “consistent with the object and purpose of the principle of sovereignty that affords states the full control over access to and activities on their territory” (Rule 4, note 14).

Turning to interference of inherently governmental functions, the Experts clearly accepted that “a cyber operation that interferes with data or services that are necessary for the exercise of inherently governmental functions is prohibited as a violation of sovereignty”, citing as an example “changing or deleting data such that it interferes with the delivery of social services, the conduct of elections, the collection of taxes, the effective conduct of diplomacy, and the performance of key national defense activities” (Rule 4, note 16). On the question of an interference with data located abroad, the Tallinn Experts have, however, failed to find a consensus (Rule 4, note 19). Two visions arose. One opined that an interference with or a usurpation of an inherently governmental function could constitute a violation of sovereignty, “irrespective of where the cyber operation occurs or manifests.” (Rule 4, note 19). This seems to leave open the door to qualifying an operation against data located abroad as a violation of sovereignty. On the other hand, a minority of the Experts was of the opinion that qualifying an operation as a violation of sovereignty of both the host state and the targeted state would be barred by the nature of sovereignty that is, at its core, exclusive (Rule 4, note 20). Nonetheless, one could dispute this, arguing that an operation targeting a state’s data located in a third country consists in two operations at once: one targeting the cyber infrastructure, and another one targeting the data. 

Delerue, on the other hand, while agreeing that a cyber operation penetrating a cyber infrastructure would amount to a violation of sovereignty of the host state, seems to reject firmly the possibility of it violating the targeted state’s sovereignty:

The unlawful penetration only violates the territorial sovereignty of the State where the computers or servers are located. It does not, however, violate the territorial sovereignty of another State that owns the data on the targeted servers. For instance, in the case of State A having its data stored on a server located on State B’s territory, the cyber operations sponsored by State C infecting this server would only violate the territorial sovereignty of State B. They would, therefore, not constitute a violation of the territorial sovereignty of State A. Only the location of the server matters, and by extension so does the location of the data. The issue of ownership is irrelevant.

Like scholars, states increasingly share their positions on the application of international law to cyberspace, offering an array of differing views. Most states that made their position public, including Finland, Germany, the Netherlands or New Zealand, concur with the Tallinn Experts and agree there are two bases on which a cyber operation can violate a state’s sovereignty, all whilst setting different standards as to what could amount to such a violation. 

France has notoriously adopted a more open position regarding sovereignty, stating in its official position that: 

Any cyberattack against French digital systems or any effects produced on French territory by digital means by a State organ, a person or an entity exercising elements of governmental authority or by a person or persons acting on the instructions of or under the direction or control of a State constitutes a breach of sovereignty.

Facing an operation on their data that would amount to producing effects on French territory, regardless of the location of the data on France territory or abroad, could therefore amount, in France’s view, to a violation of sovereignty. As a result, an attack on governmental data stored in the cloud located abroad could potentially amount to a violation of sovereignty, in France’s view, if it was to produce effects on French territory. 

At the other end of the Spectrum, the U.K. has stated it does not see sovereignty as a rule but only as a principle. As a result, a cyber operation conducted against cyber infrastructure located on its territory, or against U.K. data located abroad, would apparently not be qualified by the U.K. as amounting to a violation of sovereignty. 

This highlights one of the limits of states sharing their perspective on the application of international law to cyberspace. What would be the legal implications of cyber operations involving two states whose respective views on violations of sovereignty or coercion differ? With three states and potentially three different visions at play, the challenges may be greater. Not only could the operating state not view its operation as a violation of sovereignty, but the host state could likewise not conceive of the operation against its cyber infrastructure as such. A challenge would then consist for the targeted state in assessing whether it is justified in applying countermeasures in what it considers to be a case of violation of sovereignty. In order to be lawful, countermeasures – such as the targeting by the injured state of the infrastructure conducting the operation – must indeed be taken in response to a breach of an international obligation and attributed to the responsible state. The host state and the targeted state holding conflicting views on the qualification of a cyber operation would therefore constitute an additional parameter to take into account in the assessment of the legality of the countermeasure. Another challenge could arise if the targeted state needed the host state’s assistance to attribute the operation. Anticipating whether a state would provide such assistance while not considering the operation targeting data located on its territory appears delicate. 

         II.     An Operation on Data as Intervention 

Consistently recognized as applying in cyberspace, the prohibition of intervention stems from the principle of sovereignty. Although poorly defined by case law, it usually is understood to comprise of two elements highlighted by the International Court of Justice (ICJ) in its Nicaragua judgment (para. 205): 

“A prohibited intervention must accordingly be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.”

A prohibited intervention thus consists in an interference on a state’s domaine réservé on the one hand, and coercion on the other. The domaine réservé notion is not defined, but the judgment provides with indications as to what it includes: “choice of a political, economic, social and cultural system, and the formulation of foreign policy.” Coercion, on the other hand, is less clear, but the Netherlands’s definition gives a good sense of what it entails: “compelling a state to take a course of action (whether an act or omission) that it would not otherwise pursue.”

In the case of intervention, therefore, the scope of operations appears at once narrower, in that it requires coercion, and broader, in the way it admits it to take place. The ongoing COVID-19 crisis offers a case for reflection. If a government was to store on the cloud health data, including the number of hospitalized patients, the number of available vaccine doses and the number of residents already vaccinated, a cyber operation targeting this data located abroad, rendering them unexploitable, could be argued by the targeted state to be constitutive of an intervention. That would be because public health belongs to a state’s domaine réservé, and because the destruction of data can be argued to be a coercive action, forcing the targeted state to adapt to the loss of data, essential to face the progression of the pandemic. The fact, therefore, that these data are located in the territory of a third state, appears inconsequential. 

         III.     Conclusion

The hypothetical case of a cyber operation conducted against a state’s data located on a third state reveals the uncertainty surrounding the application of international law to cyberspace. Localization of data appears to be so scattered that making the location a key determinant of a violation of sovereignty or intervention seems to empty the concept of a significant part of its meaning as understood by most scholars and states. States will, however, come up with their own interpretation of this intricate question. These considerations participate to the rise of states’ initiatives to secure their data, such as GAIA-X. Thus, France, opted to build a state cloud for specific sovereign administrations, while other states have dealt with the matter by ensuring that government data stored on the cloud be located on their territory, as India has done. This highlights the fact that in cyberspace, more than in any other context, a military and legal strategy cannot alone protect a state’s integrity. Governments must come up with a comprehensive strategy combining a robust legal perspective with advanced cyber-security capabilities to achieve security objectives.