Modern conflicts are not only fought out on the battlefields, but also in cyberspace. As our lives are permanently technologically conditioned, an interference as fundamental and horrific as is the case during conflict also extends to areas of data privacy and access to technologies and the internet. In fact, conflict not only disrupts these areas. Conflict parties may choose to actively exploit and utilise this disruption for military and political gains. Nowadays, kinetic attacks, such as those by land, water, and air, are nearly always accompanied by cyber-attacks and virtual attacks against critical infrastructure.
While the law of armed conflict does not address issues around data privacy or rules on data processing per se, other legal frameworks (such as international human rights conventions), which include the protection of individuals’ privacy, continue to apply to those involved and affected by a conflict. At the same time, frameworks that take effect specifically during armed conflict and war, such as international humanitarian law (e.g. the Geneva Conventions), lay down fundamental rules that should never be crossed by any conflict party. These include the principle of distinction and proportionality, i.e., that military and civilian objects must be distinguished at all times, and that attacks that have the potential to cause excessive civilian harm must be avoided. While these rules were set out during a time when cyberspace wasn’t a thing, they can and should undoubtedly be applied to any virtual activities during conflict. Unfortunately, even those most fundamental safeguards to protect individuals from some of the horrors of war are violated regularly, and so are their human rights, including the right to data privacy.
This two-part insight will look at recent incidences and examples of some of the most dangerous ways in which digital infrastructures and personal data have been exploited during conflict and what this means for those having their digital rights and data privacy affected as a result.
Part one will address the targeting of critical digital infrastructure, including through the use of denial-of-service attacks, network shutdowns, security hacking, social engineering and malware; which compromise organisations’ and businesses’ data security and integrity, as well as individuals’ access to information and communication. Part two will examine a variety of uses of (personal) data in the context of violent conflict and political unrest, how these impact people’s data privacy, and what the use of their data might mean for their physical safety down the line.
Disclaimer: The topics of armed conflict, warfare, humanitarian operations and peacebuilding are extremely complex and sensitive. This two-part insight aims to shed light on some of the most harmful digital and data privacy related activities in the context of these topics but should by no means be viewed as a comprehensive analysis of the many horrors that accompany a modern conflict. As such, it will focus on aspects related to the data privacy, information security and cybersecurity of individuals, businesses, organisations, and governmental institutions touched by violent conflict and political unrest.
Critical infrastructure, data security & access to information
People all around the world nowadays rely (more or less) heavily on the internet, digital devices, and data processing for all the main functions in societies. Suddenly not being able to access crucial services like online communications, money transfers/payments, or sources for news and vital information, can disrupt and even cripple a society and the people (including those in the governments, organisations and military who participate in a conflict) relying on its functioning. It’s therefore unsurprising that warfare strategies have developed to include the targeting of the digital infrastructures to weaken their adversaries or other parties to a conflict.
For example, the current conflict in Ukraine, following Russia’s invasion in February 2022, has seen a large variety of attacks on critical infrastructure, (digital) services and people’s access to communication and information, as well as disinformation campaigns and other malicious uses of data. A chronological account of related activities can be found here: https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks/
One of the most common tactics of cyber-attacks are so-called denial-of-service (DoS) attacks, which are aimed at preventing people from using certain services by flooding and overloading the targeted system with requests. The most dangerous DoS attacks are distributed denial-of-service (DDoS) attacks, which, essentially, means that a system is targeted by a large number of host machines, often originating from random people’s computers infected with malware all around the world. These activities result in an overload of servers, that makes hinders people to access the affected websites or services. Because attacks are coming in from so many sources, they are difficult to track and eliminate. DoS and DDoS attacks are effective military tactics, particularly when used in or against countries with high levels of digitalisation. A country commonly known to rely on DoS, DDoS and other highly sophisticated cyber-attacks is Russia. During the Russo-Georgian War in 2008, for example, DDoS attacks were used to disable crucial web services and websites several weeks before Russia started its invasion of Georgian territories. While DoS and DDoS attacks don’t meddle with individuals’ data, outages of this kind and scale have serve impacts on data privacy as people rely on their stored data and the services using this data to be available to them when needed.
Blocked access to communication and information channels
Another way of targeting critical infrastructure for conflict parties has been to block access to communication and information channels. This means, for example, blocking access to certain website or apps through internet service providers (ISPs) or firewalls, or censoring information available online. This form of interference is perhaps more common with actors like governments or quasi-governments that aim to restrict their own people’s access to sources and to cut them off from the international network.
For example, in Yemen, where war has been raging since 2015, Houthi rebel groups now run large parts of the country and use the internet and telecom services to serve their military objectives. They regularly disconnect and heavily censor communication channels and thereby deprive citizens of their freedom of speech, access to information and other data privacy rights. Yemen’s humanitarian crisis is devastating: 80% of the population is starving and in need of aid. Cutting off people from vital communication and information, therefore, exacerbates an already dire situation.
In Ethiopia, where a conflict between the central government and forces in the Tigray region broke out in November 2020, network shutdowns (including electricity, telephone, and internet services) were among the first actions taken by the federal authorities to weaken resistance in the region. One and a half years into the conflict, shutdowns are still being used as weapons of war and information control, and make it difficult for affected people to communicate with loved ones, or access help, and for human rights advocates to document the many horrible crimes (including mass rape and murders) happening in the Tigray region.
Security hacking, social engineering & malware
Other attacks on critical infrastructure, different from DoS or blocking of services, include security hacking. Security hacking is a broad term capturing activities such as breaching firewalls and other information security defences, as well as exploiting vulnerabilities in computer programmes, systems, or networks. This allows perpetrators to gain access to information and data stored in the targeted systems. While hacking incidences are a regular occurrence everywhere around the world, they also serve as military strategies.
For example, in January 2022, the International Committee of the Red Cross (ICRC) discovered a sophisticated cyber-attack at its servers, which host personal data of 515,000 people, including names, locations and contact information. Many of the concerned were people receiving help or services from the ICRC because they had been affected by armed conflict or natural disasters, as well as detainees or missing persons and their families. It’s presumed that the hackers had been in the system for 70 days when they breach was determined, and that data sets had been copied and exported from the servers.
There is no doubt that this represents a massive and dangerous interference with people’s data privacy. In addition, vulnerable populations, humanitarian workers, and rights advocates face even greater dangers when their data falls into the wrong hands. Data stolen this way can be used by the perpetrators to gain an advantage over the affected population collectively, but it could also lead to individuals being filtered out and targeted based on information that hackers obtained through their activities. As will be discussed in part two of this insight, there are many ways in which conflict parties and repressive groups use personal data to monitor, censor, and persecute those that don’t share their opinions or go as far as openly oppose them.
As such, security hacking poses a significant threat to data security, and to people’s data privacy overall. Even more importantly, though, hacking in the context of violent conflict and political unrest can result in dangers to people’s physical safety if their data is used against them.
While some of what we understand as ‘hacking’ may be done by engineers who break through firewalls and crack computer codes, oftentimes the weakest link in a system or network is the human factor. In other words, some of the most significant breaches happen due to social engineering, i.e. the manipulation of people to get them to reveal confidential information, such as login details to a system. This is the kind of ‘hacking’ that most of us will have experienced before (albeit on a smaller scale), e.g. phishing e-mails requiring somebody to reset their password due to a problem, vishing (voice phishing) calls during which the caller asks for confidential details because of an emergency, or perhaps even having an ID card stolen that can allow a hacker to impersonate their victim and gain physical access to a facility. Recent incidences of phishing campaigns used in the context of violent conflict happened in February and March 2022 during the ongoing invasion of Russia in Ukraine. The campaigns targeted individuals involved with the Ukrainian and Polish government, Ukrainian media companies, military organisations and European personnel working with refugees fleeing Ukraine; with the aim of stealing information, compromising accounts, and delivering malware.
In the lead up of the invasion on 24 February 2022, several malware operations were detected within 100+ Ukrainian entities working on governmental, financial, IT and other critical infrastructure services, including in the agricultural and emergency response sectors. For example, the malware dubbed ‘HermeticWiper’, which Microsoft identified and pre-empted around 23/24 February, is capable of wiping and corrupting all available data within a network or on a computer. A successful attack of this kind and magnitude would have resulted in major disruptions to people’s access to banking, food, and energy, as well as to the government’s ability to effectively respond to the physical attacks of the invasion that would follow shortly after.
Physical destruction & forced displacement
Lastly, disruptions to critical infrastructure and violations to people’s (data) privacy also occur as by-products of violent conflict. Physical destruction, caused by bombs and shelling or through continuous fighting, leads to the breakdown of infrastructure and forced displacement of the affected population. As a result, people may lose their access to internet or stable connection, as well as a decent level of privacy, including privacy of their data. As mentioned, the targeting of critical infrastructure is often part of a conflict party’s military strategy. However, as time passes and more destruction is caused, many digital rights, including data privacy, are indirectly affected, and violated by the actions of those fighting the war.
What about data?
So far, this insight has focused on the targeting, exploitation and manipulation of critical infrastructure and related services in the context of violent conflict. While these attacks don’t always impact people’s data privacy rights directly, their implications can have severe negative effects on other digital rights or affect data privacy indirectly. Moreover, much of the success of these attacks is reliant on and fuelled by (personal) data and affects physical and structural aspects of data security and integrity, both of which are critical for upholding people’s data privacy. Attacks on infrastructure have negative consequences for people individually and the affected society collectively.
However, besides the mentioned attacks, personal data in combination with other types of data is also used for other strategic political and military purposes, including the surveillance, targeting, persecution and censoring of individuals; or the spread of mis/disinformation and propaganda. What we mean by that and how such activities have unfolded during recent conflicts in practice will be discussed in part two of this insight.