“Big Data Breaches”, sovereignty of states and the challenges in attribution

Abstract

“Big data” refers to large sets of data, which are computationally analyzed to reveal patterns or trends in human behavior and interactions. At present, with the increased use of cyberspace for day-to-day activities, sensitive personal data is stored in computer servers. This massive number of data sets could be used to generate predictive models for a variety of uses such as policy-making and the prediction of societal changes. This has propelled nation-state adversaries to amass “big data” of another state through low-threshold data breaches. This article focuses on “big data breaches” committed by “state or state-sponsored groups”, involving a massive amount of data from victim states. For a cyber-attack to qualify as an “armed attack” or “use of force” under international law, it must satisfy the requirements of the “scale and effect” test. However, a big data breach would not satisfy this test and the attribution of the liability for lower-threshold cyber breaches has become a challenge. This is mainly because there is lack of consensus on the international law principles applicable to cyberspace. Nevertheless, big data breaches must be attributed, because it is an intrusion on state sovereignty, threatens security and results in economic loss. Qualitative research methodology was used to analyze state-sponsored big data breaches, the existing international legal framework, the drawbacks in attribution of such breaches and the need to push forth tailor-made laws for attribution of low-threshold big data breaches.