Much of the following text is taken from a blog post from the International Committee of the Red Cross: Human Cost of Cyber Operations—Key ICRC Takeaways from Discussion with Tech Experts. ICRC has encouraged readers to share this blog, and they invite feedback. The authors are Laurent Gisel & Lukasz Olejnik.
This blog focused on a meeting of experts discussing cyber-attacks and their consequences, which have affected the delivery of essential services to the civilian population and have underscored the vulnerability of such services.
The Use of Cyber Operations in Armed Conflict Today
Noteworthy was the renewed attention to the use of cyber weapons during the current year in countries such as France, Iraq, Syria, Yemen, Afghanistan, Australia, the United Kingdom (in 2018), and Israel. Also, an increasing number of States are developing military cyber capabilities for use in ongoing conflicts. The UN General Assembly confirmed last year that international law and the UN Charter are applicable to cyber warfare and are essential to maintaining peace. Without legitimizing the militarization of cyberspace, international humanitarian law (IHL) imposes additional restrictions on the use of cyber operations during conflicts and protects civilians from the effects of those operations. ICRC, which monitors IHL, has been given the mandate to monitor the development of new technologies that could be used as means and methods of warfare, including cyber capabilities.
An Expert Meeting on the Potential Human Cost of Cyber Operations
ICRC invited cyber security and other experts from around the world to develop a realistic assessment of cyber capabilities and their potential human cost, focusing on the risk that cyber operations could cause death and/or physical damage or could affect the delivery of essential services to civilian populations. The group analyzed the most sophisticated of known cyber operations, regardless of whether they occurred in an armed conflict or in peacetime.
Specific Vulnerabilities of Certain Types of Infrastructure
The health care sector is particular in that human life is necessarily at stake. Health care is becoming increasingly digitalized and connected, with medical devices connected to hospitals’ IT systems, or pacemakers and insulin pumps using remote monitoring, which creates clear advantages but also risks. The number of vulnerabilities and potential entry points for malware increases commensurately with the increased digitalization and connectivity of such devices, so far without corresponding improvement in cyber security. Destruction of medical data most assuredly affects service delivery and requires special attention.
Attacks against industrial control systems (ICSs)—e.g. those controlling power plants—might cause physical damage at the industrial facility, or loss of life or injury, though causing such effects requires disabling the safety mechanisms of the industrial process. These kinds of cyber operations may be very challenging for the attacker, requiring more and different resources and expertise.
The Application of International Humanitarian Law in Cyberspace
In the view of the ICRC, many cyber operations described in the report would be violations of international humanitarian law (IHL) if carried out in armed conflicts. Indeed, IHL prohibits attacks on civilians and civilian objects as well as indiscriminate and disproportionate attacks.
However, not all cyber-attacks are necessarily indiscriminate. Malware does not spread automatically by chance; a self-propagation functionality normally needs to be included in the design of the malware. Some attacks even require custom-built malware, and many cyber-attacks have been precisely targeted from a technical perspective.
Today, many services that are essential for the civilian population rely on industrial control systems—such as water, electricity, or sanitation. While these services are civilian in nature, and therefore protected, during armed conflicts distinct parts thereof might become military objectives, for example the electricity line powering a military command post. Depending on the circumstances, cyber operations might enable targeting a military objective with less risk of causing incidental damage to civilian objects than when using other means of warfare. This depends, among other things, on the resources and care with which the operations are developed and carried out. This would be a relevant consideration with regard to the obligation to take all feasible precautions in the choice of means and methods of warfare to avoid incidental harm to civilians or civilian objects.
Finally, the health care sector enjoys specific protection under IHL. Belligerents must respect and protect medical facilities and personnel at all times. Most—if not all—reported cyber-attacks against the health care sector would be violations of IHL if they had been carried out in an armed conflict. Given debate surrounding the protection of civilian data, it is necessary to emphasize that the specific protection afforded to medical facilities extends to their medical records, which holds equally true whether the records are in paper or digital form.
This paper concludes with a section on “Possible avenues to explore to reduce the human cost of cyber operations” and considers repurposing or re-engineering malware and other methods which were discussed. The reader is advised to refer to the full ICRC article linked in the opening paragraph, if interested.
It is the hope that this overview sheds some light on the issue of the use of cyber operations in the larger goal of disarming our planet.