Introduction
Cyberattacks in conflicts like the Israel-Palestine and Russia-Ukraine situations highlight the increasing importance of digital warfare alongside traditional methods for instance cyberattacks on the Jerusalem Post, other media websites, Israeli government offices, Palestinian internet service providers, and hospital servers, rendering hospitals non-functional. However, the lack of regulations on cyberattacks targeting civilian infrastructure is a global concern. While there's consensus that international humanitarian law (“IHL”) applies to cyberattacks during the war, various factors, including the means used, the perpetrators, and the status of war, determine its applicability. IHL can cover cyberattacks on civilian systems even without a formal state of war. Severe cyberattacks can escalate into full-scale wars. This blog explores the scope of IHL and the Geneva Convention in relation to cyberattacks during conflicts, with a focus on healthcare-specific risks. It also addresses the challenges of applying IHL and suggests potential solutions to address its gaps and inefficiencies in regulating healthcare cyberattacks.
Potential Human Cost of Cyber Attacks
Mankind’s increased reliance on technology is an undisputed fact, further accelerated by COVID-19 when everything shifted online. Though this is desirable from the point of view of technological advancement, at the same time, this development has made us vulnerable to cyber operations conducted by enemy states. And because of the interconnectedness of the whole system, attacks carried out on it would inevitably affect others as well, including civilians.
Healthcare seems particularly vulnerable to cyberattacks. The sector is experiencing a growing trend towards enhanced digitization and interconnectedness, resulting in a higher reliance on digital systems and a broader range of potential vulnerabilities. This trajectory is expected to persist in the foreseeable future. Frequently, there has been a lack of commensurate enhancements in cyber security to accompany these advancements. The International Committee of the Red Cross (“ICRC”) urges states to protect medical services and facilities from cyberattacks, especially during armed conflicts and health crises, and to adhere to international rules prohibiting such actions.
An illustrative case is evident in the Israel-Palestine conflict, where the Medical Aid for Palestinians organization experienced a cyberattack on their website. This attack has disrupted their humanitarian relief operations in Gaza.
Current Cyber Attack Framework in International Law
Article 36 of Additional Protocol I (“API”) to the Geneva Conventions underscores the adaptable nature of IHL. This provision, often referred to as the 'weapon review' clause, necessitates that states engage in a comprehensive legal evaluation of any new weapon, method, or combat strategy to determine its compliance with international law. The language of Article 36 clearly conveys that IHL is not confined to the weaponry in use at the time of its inception.
The International Court of Justice’s Advisory Opinion on the “Legality of the Threat or Use of Nuclear Weapons” reinforces this idea by affirming that the principles and rules of IHL are applicable to “all forms of warfare and to all kinds of weapons, including those that may emerge in the future”. While cyberattacks are not explicitly mentioned in IHL, the dynamic nature of this body of law allows for the inclusion of cyberattacks within the scope of Article 49 of API, which defines ‘attacks.’
As per ICRC, “an operation that leads to disabling a computer or a computer network would constitute an ‘attack’ within the ambit of IHL”. Hence, when cyber operations result in significant damage, they qualify as an 'attack,' making International Humanitarian Law (IHL) applicable to such cyber activities.
“A cyberattack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects”. This also encompasses scenarios where patients in an intensive care unit lose their lives due to a cyber operation targeting the electricity grid, resulting in a critical loss of power to the hospital.
Additionally, International Criminal Law also applies to punish the commission of war crimes via cyberattacks. The same can be seen from the statement made by the lead prosecutor of the International Criminal Court “For the first time the Hague will investigate and prosecute any hacking crimes that violate existing international law, just as it does for war crimes committed in the physical world”.
In conclusion, there are compelling legal justifications and growing global backing for the assertion that IHL is applicable to cyber operations in times of armed conflict. Nevertheless, it's worth emphasizing that there remains a notable absence of unanimous consensus on this matter.
Inefficiency of the current framework in regulating Cyberattacks
The reason for the lack of unanimous consensus is concerns or reservations that arise during the application of IHL to cyberattacks in times of war. In this subsection, we will be looking at three major issues or challenges that exist in the application of IHL to cyberattacks in armed conflicts.
Whether IHL can govern cyber operations independently, without the presence of conventional or kinetic military actions.
The occurrence of cyberattacks in relation to the war that is already raging between two states will be regulated by IHL is an undisputed fact, but ambiguity arises when there is no war to begin with. Can a cyberattack, in itself, be regulated by IHL?
From a technical perspective, there's no compelling reason to treat the outcomes of a cyber operation, which results in civilian or military casualties or destruction, differently from traditional attacks that would trigger a state of war. Most experts concur that cyber operations, in isolation, have the potential to escalate into an international armed conflict under IHL. The ICRC aligns with this perspective. The key issue at hand revolves around the threshold, as there's a lack of specific or general legal definitions to clarify this threshold, making it an unresolved matter. This ambiguity is a significant obstacle to effective implementation of IHL.
Issue of Attributability of the Cyberattack
Encompassing cyberattacks under IHL is not sufficient, as the issue arises when the activities of non-state actors or private individuals have to be linked back to a certain state. States frequently employ private firms to carry out cyber actions in order to evade direct accountability. Additionally, the distinctive features of cyberspace, including the multitude of options for actors to obscure or counterfeit their identities, create complexities in assigning conduct to specific individuals and parties engaged in armed conflicts.
In such cases, applying IHL becomes challenging because establishing a direct link between the actions of private parties and a state becomes a daunting and nearly impossible task. This creates a situation where cyberattacks, which should be subject to IHL regulation, occur, yet the responsible actors go unpunished, and states evade accountability through plausible deniability.
If civilian information can be categorized as civilian objects and granted protection under IHL
Most of the cyberattacks that take place target some or the other kind of data. So, it becomes pertinent to see if IHL protects civilian data just as it protects civilians and basic infrastructure needed for their survival, such as hospitals, power plants, and humanitarian assistance operations. Technically, respecting and protecting medical facilities and humanitarian assistance operations should include protecting their medical data and humanitarian organizations' important data, but experts’ opinions on this diverge at this point.
According to some experts, the conventional definition of the term “object” cannot be extended to encompass data since objects are typically physical, observable, and tangible in nature. In contrast, the other school of thought says Operational-level data might meet the criteria for being considered a military target, suggesting that this category of data could similarly be regarded as a civilian object. Even the latter scenario falls short because safeguarding operational data alone doesn't cover sensitive civilian information like medical records, social security numbers, and bank details. Unauthorized access to such data could lead to severe consequences, like impeding patient care and resulting in loss of life. Excluding critical civilian data from the protection under IHL for civilian objects would create a significant gap in safeguarding these vital assets.
Specific Legislation regulating cyberattacks in Times of war
Legislation that exclusively regulates cyberattacks and has been recognized at the global level is the need of the hour. A comprehensive and elaborate legislation should be made by the United Nations General Assembly (“UNGA”) for this purpose with assistance from ICRC. The legislation should positively include a non-exhaustive definition of cyberattacks and should also solve the ambiguity regarding the threshold as mentioned in the above section.
Additionally, it should include parameters based on which an action can be attributed to a certain state, essentially eliminating the regulation gap. A focused discussion should also be conducted to evaluate the effect of these attacks on healthcare and how they can be mitigated by regulation through specific legislation. Moreover, the legislation should also consist of a provision for the formation of an authority that enforces the legislation at the base level and sees to its compliance by the member states.
UNGA serves as the suitable platform for this discussion due to its role in facilitating multilateral deliberations on the full range of international matters outlined in the UN Charter. Each of the 193 member states of the UN has an equal vote, thereby giving every state an equal opportunity to be heard.
Conclusion
Finally, the increased threat of cyberattacks during wartime, particularly on healthcare facilities, emphasizes the need for distinct legislation to control these operations. As the physical and digital battlefields overlap, deficiencies in the legal framework must be rectified to safeguard civilians from the human cost of cyberwar. Debate continues over whether cyberattacks during battle fall under the purview of IHL. Nonetheless, the adaptable nature of IHL, particularly Article 36 of API to the Geneva Conventions, lends support to regulating cyberattacks.
Key challenges in applying IHL to cyberattacks encompass defining the trigger threshold for IHL, attributing cyberattacks, and safeguarding civilian data. To address these concerns, a comprehensive legislation is essential. The UNGA, with assistance from the ICRC, should lead focused discussions to establish a global consensus on regulating cyberattacks in warfare. To enhance the current framework's efficiency, such legislation should define cyberattacks, specify the threshold, and create mechanisms for state responsibility. It should also prioritize the protection of vital civilian data, including medical information, as part of a comprehensive approach to safeguard civilians during armed conflicts.
Authors:
Sarfraz Alam and Kushagra Tiwari are law Students at National Law Institute University, Bhopal
Comments