DSI Publications

Journal Article

Protection of data in armed conflict

International Law Studies 97: 556–572
Robin Geiss, Henning Christian Lahmann (2021)
Subject(s)
Information technology and systems; Technology, R&D management
Keyword(s)
data protection, cyber warfare, international humanitarian law, law of armed conflict, objects, hybrid warfare, cyber attacks
This article presents a novel way to conceptualize the protection of data in situations of armed conflict. Although the question of the targeting of data through adversarial military cyber operations and its implications for the qualification of such conduct under International Humanitarian Law has been on scholars’ and states’ radar for the last few years, there remain a number of misunderstandings as to how to think about the notion of “data.” Based on a number of fictional scenarios, the article clarifies the pertinent terminology and makes some expedient distinctions between various types of data. It then analyzes how existing international humanitarian and international human rights law applies to cyber operations whose effects have an impact on data. The authors argue that given the persisting ambiguities of traditional concepts such as “object” and “attack” under international humanitarian law, the targeting of content data continues to fall into a legal grey zone, which potentially has wide-ranging ramifications both for the rights of individual civilians and the functioning of civilian societies during situations of conflict. At the same time, much legal uncertainty surrounds the application of human rights law to these contexts, and existing data protection frameworks explicitly exclude taking effect in relation to issues of security. Acknowledging these gaps, the article attempts to advance the debate by proposing a paradigm shift: Instead of taking existing rules on armed conflict and applying them to “data,” we should contemplate applying the principles of data protection, data security, and privacy frameworks to military cyber operations in armed conflict.
Volume
97
Journal Pages
556–572
Journal Article

‘Hacking back’ by states and the uneasy place of necessity within the rule of law

Heidelberg Journal of International Law (HJIL) 80 (2): 433–452
Henning Christian Lahmann (2020)
Subject(s)
Information technology and systems
Keyword(s)
International law, cybersecurity, cyberattacks, attribution, necessity, rule of law, special emergency regime
The article deals with necessity as one of the circumstances precluding wrongfulness under customary international law and how it will likely gain relevance in view of the difficulty to quickly attribute malicious cyber operations that threaten important assets of a state. While the necessity doctrine seems fit for purpose, it lacks granularity and is problematic from an international rule-of-law point of view. Taking these pitfalls into account, the article proposes some general principles for a possible special emergency regime for cyberspace.
Volume
80
Journal Pages
433–452
Journal Article

Information operations and the question of illegitimate interference under international law

Israel Law Review 53 (2): 189–224
2020 Best Paper Award
Henning Christian Lahmann (2020)
Subject(s)
Information technology and systems
Keyword(s)
Information operations, cyber operations, cognitive warfare, disinformation, election interference, principle of non-intervention, sovereignty, self-determination
The article examines the legal qualification of state-led information operations that aim to undermine democratic decision-making processes in other states. After a survey of the legal attitudes of states towards such operations during the Cold War, the impact of the digital transformation on the frequency and quality of information operations is explained. The article then assesses scholarly responses to the outlined paradigm shift regarding the prohibition of intervention, respect for sovereignty and the principle of self-determination. The study then inquires whether it is possible to detect a change in how states qualify adversarial information operations by tracking recent state practice and official statements of opinio juris. The survey concludes that there is insufficient uniformity to allow for an inference that the content of the analysed rules of customary international law has already shifted towards more restrictive treatment of foreign interference. As a possible way forward, the article ends with a proposal to focus on deceptive and manipulative conduct of information operations as the most viable path to outlaw such state behavior in the future. Instead of attempting to regulate the content of information, this approach is better suited to safeguard freedom of speech and other potentially affected civil rights.
© Cambridge University Press and The Faculty of Law, The Hebrew University of Jerusalem 2020
Volume
53
Journal Pages
189–224
ISSN (Online)
2047-9336
ISSN (Print)
0021-2237
Journal Article

Sichere IT ohne Schwachstellen und Hintertüren [Secure IT without vulnerabilities and back doors]

TA TuP (Journal for Technology Assessment in Theory and Practice) 29 (1): 30–36
Arnd Weber, Gernot Heiser, Dirk Kuhlmann, Martin Schallbruch, Anupam Chattopadhyay, Sylvain Guilley, Michael Kasper et al. (2020)
Subject(s)
Information technology and systems
Keyword(s)
Cybersecurity, sovereignty, open source, verification, supply chain risks
Increasing dependence on information technology calls for strengthening the requirements on their safety and security. Vulnerabilities that result from flaws in hardware and software are a core problem which market mechanisms have failed to eliminate. A strategy for resolving this issue should consider the following options: (1) private- and public-sector funding for open and secure production, (2) strengthening the sovereign control over the production of critical IT components within an economic zone, and (3) improving and enforcing regulation. This paper analyses the strengths and weaknesses of these options and proposes a globally distributed, secure supply chain based on open and mathematically proved components. The approach supports the integration of legacy and new proprietary components.
Volume
29
Journal Pages
30–36
ISSN (Online)
2199-9201
ISSN (Print)
1619-7623
Journal Article

A new competition framework for the digital economy: Report by the Commission “Competition Law 4.0”

Antitrust Chronicle 3 (2): 33–38
Martin Schallbruch, Heike Schweizer, Achim Wambach (2019)
Subject(s)
Information technology and systems; Technology, R&D management
Keyword(s)
Competition law, antitrust law, digital platforms, data access
The Commission “Competition Law 4.0” was set up by the German Federal Minister for Economic Affairs and Energy with the task of drawing up recommendations for the further development of EU competition law in the light of the digital economy. The final report with 22 recommendations was handed over in September 2019.
The commission finds that the practical and actual power of consumers to dispose of their own data must be improved, clear rules of conduct for dominant platforms must be introduced, legal certainty for cooperation in the digital sector must be enhanced, and the institutional linkage between competition law and other digital regulation must be strengthened.
Volume
3
Journal Pages
33–38
Journal Article

Systematisierung des IT-Sicherheitsrechts. Ein Beitrag zu einem konstruktiven Strukturentwurf [Systematization of IT security law: A contribution to a structural design]

Computer und Recht 34 (11): 706–720
Oliver Raabe, Martin Schallbruch, Anne Steinbrück (2018)
Subject(s)
Information technology and systems; Technology, R&D management
Keyword(s)
Cybersecurity, information security, legislation, risk management
With the increasing importance of the security of information technology for all areas of life, the IT security law has developed step by step without the European and German legislation being able to follow an overall draft. At the latest with the IT security regulations in the General Data Protection Regulation and the expansion of sector-specific regulations on IT security, questions of the systematization of the new area of law arise. The authors examine three key questions: the modeling of systems subject to the law, the concept of risk management, and the determination of the state-of-the-art security measures. Finally, they outline the main elements of a restructuring of IT security law. [IT security law aims to protect IT security, but follows no overall design at either the European or the German legislative level. The article pursues three key questions: the modeling of the systems subject to the law (II.), the concept of risk (III.), and the determination of the state of the art (IV.). It then outlines the main features of a structuring of IT security law (V.).]
Volume
34
Journal Pages
706–720
ISSN (Online)
2194-4172
Journal Article

IT-Sicherheitsrecht – Abwehr von IT-Angriffen, Haftung und Ausblick [IT security law: Cyber defense, liability, and perspectives]

Computer und Recht 34 (4): 215–224
Martin Schallbruch (2018)
Subject(s)
Information technology and systems; Technology, R&D management
Keyword(s)
Cybersecurity, information security, national security, legislation
This article describes the newly enacted or rewritten regulations for the defense against IT attacks as part of IT security law: first the relevant criminal offenses, then the powers of the police and intelligence services, then of the IT security authorities and Internet providers. At the end, the political statements for the 19th parliamentary term will be compared with the remaining need for action in IT security law. Furthermore, the future of IT security law will be discussed in the context of implementation, ongoing development and consolidation.
Volume
34
Journal Pages
215–224
ISSN (Online)
2194-4172
Journal Article

IT-Sicherheitsrecht – Schutz digitaler Dienste, Datenschutz und Datensicherheit [IT security law – Protection of digital services, data protection, and data security]

Computer und Recht 33 (12): 798–804
Martin Schallbruch (2017)
Subject(s)
Economics, politics and business environment; Information technology and systems
Keyword(s)
IT security, cybersecurity, cyber law, data protection, privacy, data security
Volume
33
Journal Pages
798–804
ISSN (Online)
2194-4172
Journal Article

Robust fuzzy extractors and helper data manipulation attacks revisited: Theory vs practice

IEEE Transactions on Dependable and Secure Computing PP (99): 1–14
Georg T. Becker (2017)
Subject(s)
Information technology and systems
Keyword(s)
Robust fuzzy extractor, physical unclonable functions (PUFs), helper data manipulation attacks
Volume
PP
Journal Pages
1–14
ISSN (Print)
1545-5971
Journal Article

IT-Sicherheitsrecht – Schutz kritischer Infrastrukturen und staatlicher IT-Systeme [IT security law – Protection of critical infrastructure and government ICT systems]

Computer und Recht 33 (10): 648–656
Martin Schallbruch (2017)
Subject(s)
Economics, politics and business environment; Information technology and systems; Technology, R&D management
Keyword(s)
IT security, cybersecurity, security law, network and information security, EU law, critical infrastructure protection, government ICT systems
Volume
33
Journal Pages
648–656
ISSN (Online)
2194-4172