The previous post in this series closed with a forward-reference. It argued that Article 52 AP I’s definition of military objectives remains workable in contemporary warfare. However, it also flagged a harder question: can data itself qualify as a military objective? This post takes that question up.
The stakes for practitioners are not theoretical. Whether data counts as an ‘object’ under international humanitarian law is decisive. It determines whether a cyber operation that deletes or corrupts data qualifies as an ‘attack’ at all. That in turn decides whether the rules on distinction, proportionality, and precautions apply. On one view, a state actor can wipe a civilian database with no IHL scrutiny. On another view, the same operation must clear the same legal bar as a bomb.
The honest summary is that the law is unsettled. The Tallinn Manual 2.0 records a split expert view. The International Law Association’s 2017 Study Group recorded the same split without resolving it. France, Germany, Denmark, Israel, and others have now issued position papers that read differently on the same question. There is no convergence in sight.
That does not mean the terrain is unmapped. There is a common operational floor on which every state position agrees. Only some states are prepared to recognise a contested ceiling. And there is a separate dual-use problem that will shape practice more than the abstract debate. This post maps those three layers and offers a working approach for legal advisers and defence-sector practitioners operating under time pressure.
For readers arriving fresh, the Article 52 post sets out the treaty baseline: What Is a Lawful Target? Military Objectives under Article 52 AP I in Contemporary Warfare.
Estimated reading time: 15 minutes
I. The Doctrinal Puzzle: Why “Object” Is the Hinge
The word doing the work
Article 52(2) AP I defines military objectives as objects which by their nature, location, purpose, or use make an effective contribution to military action, and whose neutralisation offers a definite military advantage. The Article 52 post covered that definition in detail. The word doing the work here is “object.” If data is not an object, the definition does not reach it.
Why it matters operationally
The operational consequence runs through the conduct-of-hostilities rules. Article 48 AP I requires parties to distinguish between civilian and military objects and direct operations only against military objectives. Article 49 (1) AP I defines “attacks” as acts of violence against the adversary, in offence or defence, and the attack rules on distinction, proportionality, and precautions are all framed in terms of civilian and military objects. A cyber operation that targets data alone, producing no physical damage and no loss of system functionality, arguably sits outside those rules if data is not an object.
A gloss, not a treaty definition
This is where the Tallinn Manual 2.0 majority started. Its Rule 100 commentary draws on the ICRC’s 1987 Commentary to the Additional Protocols, which glosses “object” as something visible and tangible (Rule 100 cmt. para 5, at p. 437). On that reading, data — being intangible — does not qualify. The majority therefore concluded that an attack on data per se is not an “attack” under IHL, unless it affects the functionality of cyber infrastructure or produces other qualifying consequences (Rule 100 cmt. para 6, at p. 437).
Two points are worth keeping in mind before we examine state practice. First, the exclusion of data rests on a gloss, not on treaty text. Article 52(2) AP I does not define “object.” The “visible and tangible” formulation comes from a 1987 commentary, and whether it should carry the argumentative weight the Tallinn majority places on it is itself contested. Second, the majority’s caveat does substantial work: most consequential cyber operations against data produce functional effects on infrastructure, and those effects bring the operation back inside the attack rules even on the restrictive reading.
II. The Expert Codifications Divide
The Tallinn Manual 2.0 majority: data is intangible
The Tallinn Manual 2.0 majority sets the starting point: data is not an object, and an attack on data per se is not an “attack” under IHL unless it affects the functionality of cyber infrastructure or produces other qualifying consequences (Rule 100 cmt. para 6, at p. 437). The reasoning is textual. The majority takes “object” to mean something visible and tangible, and treats data as falling outside that ordinary meaning.
The Tallinn Manual 2.0 minority: essential civilian data as a civilian object
A minority of the same expert group reached the opposite result. For these experts, the majority position was under-inclusive. If cyber operations against essential civilian datasets — social security, tax records, banking data — fell outside the attack rules, the general-protection principle in Article 48 AP I would be substantially hollowed out in the digital domain. The minority therefore took the view that, at a minimum, civilian data essential to the well-being of the civilian population qualifies as a civilian object and is protected as such (Rule 100 cmt. para 7, at p. 437). The anchor for this position is not the ordinary meaning of “object” but the object and purpose of Article 52 AP I read with Article 48.
The ILA Study Group: no consensus
The International Law Association Study Group on the Conduct of Hostilities reviewed the same question in 2017 and recorded the same split without resolving it. The Group’s Final Report, published in volume 93 of International Law Studies, describes both views and leaves the question open (ILA Final Report at pp. 338–341). That is a significant datum. Nearly a decade after the Tallinn 2.0 debate, an authoritative expert body with substantial state-practitioner membership declined to pick a side.
The ICRC position and the methodological split
Outside the expert-codification frame, the ICRC has developed a distinct position. Its 2019 position paper on IHL and cyber operations treats essential civilian data as protected through a functional extension of the protection of civilian objects, together with specific protections for categories such as medical data (ICRC 2019 position paper at pp. 7– 8). The ICRC position is not identical to the Tallinn 2.0 minority view — it rests more on the specific-protection rules than on an ordinary-meaning argument — but it points in the same direction.
One framing matters for what comes next. The split is not between maximalists and minimalists. It is between two interpretive methodologies. The Tallinn majority treats “ordinary meaning” as dispositive and reaches a restrictive result. The Tallinn minority and the ICRC treat object-and-purpose and general protection as dispositive and reach an expansive result. Recent positivist scholarship, notably Ori Pomson’s 2023 article in the Journal of Conflict and Security Law, defends the restrictive result under both treaty interpretation and customary international law (Pomson 2023, at pp. 363–380). The expert debate, in other words, is methodologically unresolved. That is why state positions carry such weight.
III. State Practice: France, Germany, Denmark, Israel
State papers are where practitioners look first, because coalition rules of engagement and national legal advice flow from them. Four positions illustrate the spectrum.
France (2019): civilian content data as a protected object
The French Ministry of the Armies’ 2019 position paper treats civilian content data as protected objects. The paper distinguishes content data (the information civilians store, use, or transmit) from process data (the underlying operational signals of systems), and positions the former within the protection of civilian objects. Content data such as civilian governmental, banking, and medical data is treated as a protected object; process data is assessed by reference to the effects an operation produces on associated systems (France 2019 position paper, at pp. 14–15). France therefore sits at the expansive end of the spectrum. For coalition operations under French rules of engagement, a cyber effect on civilian content data is presumptively prohibited as an attack on a civilian object.
Germany (2021): data stocks as military objectives by use
The German Federal Government’s 2021 position paper takes a middle path. It accepts that data stocks can become military objectives when put to military use, effectively transposing the “use” criterion of Article 52(2) AP I into the data domain (Germany 2021 position paper, at p. 8). The position does not expressly endorse the Tallinn majority or the French expansive reading. It works the targeting analysis through the existing “use” criterion — a pragmatic move that leaves the underlying ordinary-meaning debate to one side while producing an operationally usable result.
Denmark (2023): data not an object, but secondary effects count
Denmark’s position, published in the Nordic Journal of International Law, aligns more closely with the Tallinn majority but softens the edges through a secondary-effects test. The Danish paper takes the view that “digital data cannot generally in and of itself be considered an object under IHL”, while accepting that the destruction of data may nonetheless qualify as an attack where it has adverse secondary effects on individuals or physical objects (Denmark 2023 position paper, at p. 455). Importantly, Denmark also accepts that even where a cyber operation does not reach the attack threshold, the obligation of constant care applies and extends to essential civilian infrastructure, services, and data (ibid., at p. 455). In practical terms, Denmark’s position treats the functional-effects threshold as the legal boundary for the attack rules, while retaining a parallel duty of care below that threshold.
Israel (2020): only tangible things are objects
Israel’s position, as set out in the December 2020 Naval War College keynote by Deputy Attorney General Roy Schöndorf, is that under existing IHL only tangible things can constitute objects. The speech frames the data question through an effects-based lens consistent with Israel’s broader cautious approach to cyber-IHL rules. The position is close to the Tallinn majority. It widens the state-practice picture beyond European positions and adds the voice of a state with substantial operational cyber experience under rule-of-law constraints.
Two further positions deserve a mention because they illustrate the spread. Norway’s Military Manual takes the French direction, treating data as an object for targeting purposes (cited in Pomson 2023, at para. 5 and fn 164). Romania has taken what it calls a preliminary view that cyber operations against data trigger IHL and must respect the principle of distinction (cited in Pomson 2023, at para. 5 and fn 167). The United States DoD Law of War Manual frames the question through an effects-based analysis and does not directly engage the data-as-object debate; US practice is captured by the common operational floor.
A common floor, a contested ceiling
The divergence is real. But the floor is common. Every state position surveyed accepts that cyber operations producing physical effects or substantial functional disruption of infrastructure trigger the attack rules. The disagreement concerns operations that touch only data, with no functional spillover. The next section tests both the floor and the ceiling against verifiable incidents.
IV. Contemporary Incidents: What the Law Must Actually Govern
Two verifiable incidents bracket the spectrum the preceding sections have mapped. One resolves uniformly under every state position reviewed. The other does not. Together, they show where the doctrinal divide has operational consequences and where it does not.
Viasat KA-SAT (24 February 2022): the easy case
One hour before Russian ground forces crossed the Ukrainian border on 24 February 2022, a cyber operation hit the Viasat KA-SAT satellite network. The operation deployed wiper malware known as AcidRain against modems connecting to the network, corrupting their firmware and rendering them inoperable. The 2022 Viasat cyberattack bricked tens of thousands of modems across Ukraine and Europe. Ukrainian military command and control that relied on KA-SAT lost communications at the outset of the invasion. Spillover effects reached European civilian users, including nearly 9,000 French subscribers and the remote-monitoring systems of roughly 5,800 German wind turbines (CCDCOE Cyber Law Toolkit, Viasat KA-SAT attack (2022); EU High Representative declaration, 10 May 2022; Cyber Peace Institute, Viasat Case Study).
On the law, the case resolves uniformly. Every state position surveyed in Section III treats this as an attack under IHL. The operation corrupted data, but the corruption produced functional effects on hardware — the modems no longer worked. Under the Tallinn majority, that is a qualifying consequence. Under France’s position, both the targeting of modems and the content data flowing through them fall within the scope of the targeting rules. Germany’s ‘use’ analysis treats the KA-SAT network as a military use and the supporting data stocks as military objectives. Under Denmark’s secondary-effects test, the threshold is plainly met. Under Israel’s effects-based framing, the operation qualifies. The practitioner point is straightforward: the Viasat case sits comfortably on the common operational floor.
Ukrainian state registers (19 December 2024): the hard case
The harder case arose nearly three years later. On 19 December 2024, Russian-attributed actors disrupted the Ukrainian state registers of civil status acts, legal entities and individual entrepreneurs, and real property rights. The attack also affected Diia, the Ukrainian e-government platform with over 21 million unique users, which depends on data from the state registers. Services including business and property registration, marriage applications, and child-benefits payments were unavailable for roughly two weeks. No physical damage was reported (Recorded Future News, 20 December 2024; Recorded Future News, 9 January 2025). Ukrainian authorities have indicated they are considering prosecuting the attack as a war crime, and this sits within a broader pattern: in June 2024, Reuters confirmed that the International Criminal Court is investigating Russian cyber attacks on Ukrainian civilian infrastructure as possible war crimes, the first such investigation by international prosecutors.
On the law, the case fractures. Under the Tallinn majority, an attack on data per se is not an ‘attack’ unless it affects the functionality of cyber infrastructure or produces other qualifying consequences. Here, the disruption of the registers and the Diia platform plainly affected the functionality of those systems, and the Tallinn majority’s own caveat is therefore likely satisfied. The genuinely hard case under the Tallinn majority would be data corruption or exfiltration that leaves system availability intact — for example, tampering with backup archives while live services continue. Under France’s position, the civilian content data affected is directly protected as a civilian object. The Tallinn minority’s essential-civilian-data test, the registers — covering civil status, property, and identity — are a strong case for protection.
Under Denmark’s secondary-effects test, the answer turns on whether weeks-long service disruption to 21 million citizens rises to functional damage equivalence, and reasonable observers could reach different conclusions. Under Israel’s effects-based framing, the absence of physical consequence likely puts the operation below the attack threshold.
The lesson for practitioners
The Viasat case shows that the common operational floor does real work. Most consequential cyber operations against data produce functional effects, and the attack rules apply. The state-registers case shows that even under the most restrictive expert reading, the functional-effects caveat does substantial work — most consequential cyber operations against data trigger the attack rules.The genuinely contested cases are those that touch only data and leave system functionality intact, and those cases will be the testing ground for state practice in the years ahead.
V. A Working Approach for Practitioners, and the Dual-Use Question
The preceding sections show what the law is. This section addresses what to do with it.
A three-step operating approach
For legal advisers and commanders facing time-pressured cyber-targeting questions, three steps capture the working law.
First, if the cyber operation produces physical effects or substantial loss of system functionality, the standard attack rules apply. This step is uncontested across every position surveyed. The Tallinn majority, the Tallinn minority, France, Germany, Denmark, Israel, and the US DoD all agree on this floor. Distinction, proportionality, and precautions in attack must be run before the operation is launched.
Second, if the operation affects only data, the analysis depends on whose legal framework governs. Identify the framework early. National positions differ. Coalition rules of engagement may set a higher floor than the most restrictive participating state’s own position. Treaty obligations may add further constraints. The Viasat case is uncontroversial under any framework. The Ukrainian state registers case is not. Most real cases sit closer to the second.
Third, even under the most restrictive reading, the analysis does not end at “data is not an object.” Article 48 AP I sets out a general-protection principle for the civilian population. Specific protections continue to apply. They cover medical data and humanitarian-organisation data. Under Denmark’s position and the ICRC’s view, they also extend to essential civilian infrastructure, services, and data even where a cyber operation does not reach the attack threshold. Treating “data is not an object” as a blanket licence to target civilian datasets misreads every position on the map, including the Tallinn majority’s.
The dual-use question that follows
Once data is treated as an object, a second question opens. This may occur through the French direct route, the Tallinn minority’s essential-civilian-data carve-out, or Germany’s ‘use’ criterion. When does dual-use data lose its civilian protection?
Tallinn 2.0 Rule 101 takes a binary position: cyber infrastructure used for both civilian and military purposes is a military objective, full stop. The commentary states that as a matter of law, status as a civilian object and military objective cannot coexist. An object is either one or the other. All dual-use objects are military objectives without qualification (Rule 101 cmt. para 1, at p. 445). Applied to data, the consequence is severe. A civilian database with incidental military use would, under Rule 101, become a military objective in its entirety.
This is the binary that Hathaway, Khan & Revkin’s 2025 Yale Law Journal article attacks. The authors argue that the rise of the dual-use category has produced what they describe as “a porous category of targetable objects that are obviously critical to civilian life and yet are lawfully targetable” (Hathaway et al., at p. 2653). They propose that limited military use of an otherwise-civilian object should not strip it of all protection. They further argue that the proportionality analysis should account for the loss of the civilian use of the object as well as for civilian deaths (Hathaway et al., at pp. 2734–2735). The authors close their article by noting that the dual-use question becomes more acute, not less. This is so as cyber, AI, and space technologies make almost everything dual-use by default (Hathaway et al., at p. 2748).
For data, the dual-use question may be the more consequential practical issue going forward. The abstract debate over whether data is an “object” will be settled by state practice over years. The dual-use question arises in every operation the moment data is treated as an object at all. This is where legal counsel genuinely matters — and where operational practice will move ahead of doctrinal consensus.
VI. Conclusion and Outlook
The law on data as a military objective is unsettled, but it is not unstructured. Three layers of analysis hold together across the divergent state positions.
There is a common floor. Cyber operations producing physical effects or substantial loss of system functionality trigger the attack rules under every position surveyed. The Viasat case sits comfortably on that floor.
There is a contested ceiling. Pure data-layer operations with no physical or functional spillover are handled differently across states, and the answer turns on which legal framework governs. The Ukrainian state registers case sits on that ceiling. Practitioner advice in this domain depends on identifying the framework early.
There is a separate dual-use question that may shape practice more than the abstract debate. As soon as data is treated as an object at all, the binary in Tallinn 2.0 Rule 101 produces consequences that the Hathaway critique brings into focus. This is where future doctrinal development is most likely.
For rule-of-law democracies operating in coalition, operating to the highest accessible standard — treating essential civilian data as protected — is legally defensible and strategically sound. It protects coalition legitimacy and forecloses the propaganda value an adversary draws from civilian harm.
The next post in this series will examine the targeting cycle and the reasonable-commander standard in cyber operations.