Oxford Statement on the International Law Protections Against Cyber Operations Targeting the Health Care Sector

[Dapo Akande, Duncan B. Hollis, Harold Hongju Koh, and James C. O’Brien.]

Many have recently written about the application of international law in cyberspace and to the global COVID-19 pandemic, but relatively few have examined the intersection between these two areas. Notwithstanding that oversight, recent weeks have seen cyberattacks on organizations at the frontline of the response to the COVID-19 pandemic, including malicious cyber operations against the World Health Organization, medical providers, research institutes, pharmaceutical manufacturers, hospitals and hospital networks. In response to these attacks, the European Union issued a statement in which “the European Union and its Member States call[ed] upon every country to exercise due diligence and take appropriate actions against actors conducting such activities from its territory, consistent with international law”. Twelve other countries aligned themselves with this declaration. In late March, three authors from the International Committee of the Red Cross (ICRC), writing in their personal capacities, examined the international law protections prohibiting cyberattacks against medical facilities during the pandemic.

These events triggered a two-day virtual workshop at the University of Oxford—co-sponsored by the Oxford Institute for Ethics, Law and Armed Conflict (ELAC) at the Blavatnik School of Government, Microsoft, and the Government of Japan—to discuss these issues.  On Friday, May 22, 2020, Estonia, as President of the United Nations Security Council, is planning an Arria-Formula meeting of the Council to discuss responsible state behavior in cyberspace, including the international legal protections accorded to healthcare. 

Because of the urgency of the current moment, the participants in the Oxford Workshop agreed upon the Oxford Statement below, regarding relevant international law rules and principles relating to malicious cyber operations targeting healthcare facilities. The Statement’s aim is not to cover all applicable principles of international law, but rather, to articulate a short list of consensus protections that apply under existing international law to cyberoperations targeting the health care sector. The Oxford Statement was opened for signature by international law scholars, and remains open for signature. The Oxford Statement is also being transmitted to participants in the May 22, 2020 Security Council meeting in hopes that it will promote discussion and spur clarification of the international law rules in this area. 

International law has always been disaster-driven. Deliberate targeting of medical facilities during armed conflict has been called “at once morally indefensible and categorically illegal.” The present crisis presents a rare window for making this point of law explicit and unambiguous: in real and virtual space, in times of war and peace. The UN Security Council is finally giving this matter its attention. Global crises create unique opportunities for international lawmaking. International lawyers should not waste this moment.

Oxford Statement on the International Law Protections against Cyber Operations Targeting the Health-Care Sector

May 20, 2020

We, the undersigned public international lawyers, have watched with growing concern reports of cyber incidents targeting medical facilities around the world, many of which are directly involved in responding to the ongoing COVID-19 pandemic.

We are concerned that the impact of such incidents is exacerbated by the existing vulnerability of the health-care sector to cyber harm. Even in ordinary times, this sector is particularly vulnerable to cyber threats due to its growing digital dependency and attack surface.

We consider it essential that medical facilities around the world function without disruption as they struggle to respond to the COVID-19 pandemic. Any interference with the provision of health-care, including by cyber means, risks further loss of life as thousands continue to die every day.

We support the International Committee of the Red Cross’ call on States to protect medical services and medical facilities from harmful cyber operations of any kind.

We emphasize that cyber operations do not occur in a normative void or a law-free zone. As recognized by the United Nations General Assembly, international law, and in particular the Charter of the United Nations, is applicable and essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful information and communications technology environment.

Guided by these considerations, we agree that the following rules and principles of international law protect medical facilities against harmful cyber operations.  We encourage all States to consider these rules and principles when developing national positions as well as in the relevant multilateral processes and deliberations:

1. International law applies to cyber operations by States, including those that target the health-care sector.
2. International law prohibits cyber operations by States that have serious adverse consequences for essential medical services in other States.
3. International human rights law requires States to respect and to ensure the right to life and the right to health of all persons within their jurisdiction, including through taking measures to prevent third parties from interfering with these rights by cyber means.
4. When a State is or should be aware of a cyber operation that emanates from its territory or infrastructure under its jurisdiction or control, and which will produce adverse consequences for health-care facilities abroad, the State must take all feasible measures to prevent or stop the operation, and to mitigate any harms threatened or generated by the operation.
5. During armed conflict, international humanitarian law requires that medical units, transport and personnel must be respected and protected at all times. Accordingly, parties to armed conflicts: must not disrupt the functioning of health-care facilities through cyber operations; must take all feasible precautions to avoid incidental harm caused by cyber operations, and; must take all feasible measures to facilitate the functioning of health-care facilities and to prevent their being harmed, including by cyber operations.
6. Cyber operations against medical facilities will amount to international crimes, if they fulfil the specific elements of these crimes, including war crimes and crimes against humanity.
7. The application of the aforementioned rules of international law is without prejudice to any and all other applicable rules of international law that provide protections against harmful cyber operations.

The current list of signatories and their affiliations (for identification purposes only) is below. International lawyers who wish to append their name to the statement should send an email to oxfordcyberstatement@gmail.com

1)  Dapo Akande, Professor of Public International Law, Co-Director, Oxford Institute for Ethics, Law & Armed Conflict (ELAC), University of Oxford

2)  Russell Buchan, Senior Lecturer in International Law, University of Sheffield

3)  Sarah H. Cleveland, Louis Henkin Professor of Human and Constitutional Rights, Columbia University Law School, Former Vice Chair, UN Human Rights Committee

4)  Antonio Coco, Lecturer in Public International Law, University of Essex and Visiting Fellow at ELAC, University of Oxford

5)  Rebecca Crootof, Assistant Professor of Law, University of Richmond

6)  Federica D’Alessandra, Executive Director of the Oxford Programme on International Peace and Security, Blavatnik School of Government, University of Oxford

7)  François Delerue, Research Fellow in Cyberdefense and International Law at the Institut de Recherche stratégique de l’École militaire (IRSEM) and Adjunct Lecturer at Sciences Po, Paris, France

8)  Diane Desierto, Associate Professor of Human Rights Law and Global Affairs, Keough School of Global Affairs, University of Notre Dame

9)  Talita De Souza Dias, Postdoctoral Research Fellow, ELAC, University of Oxford

10) Kristen Eichensehr, Assistant Professor of Law, UCLA Law School

11) Claudio Grossman, Professor of Law, Dean Emeritus, American University Washington College of Law

12) Kevin Jon Heller, Professor, Australian National University, and Associate Professor of Public International Law at the University of Amsterdam

13) Duncan B. Hollis, Laura H. Carnell Professor of Law, Temple University School of Law

14) Eric Talbot Jensen, Robert W. Barker Professor of Law, Brigham Young University

15) Kate Jones, Law Faculty, University of Oxford

16) Harold Hongju Koh, Sterling Professor of International Law, Yale Law School,  Legal Adviser (2009-13) and Assistant Secretary for Democracy, Human Rights and Labor (1998-2001), US Department of State

17) Heike Krieger, Professor of International and Public Law, Freie Universität Berlin

18) Masahiro Kurosaki, Associate Professor of International Law and Director of the Study of Law, Security and Military Operations, National Defense Academy of Japan

19) Henning Lahmann, Digital Society Institute, ESMT Berlin

20) Rain Liivoja, Associate Professor of Law, University of Queensland

21) Tomohiro Mikanagi, Tokyo, Japan

22) Marko Milanovic, Professor of Public International Law, University of Nottingham School of Law

23) Harriet Moynihan, Senior Research Fellow, International Law Programme, Chatham House (Royal Institute of International Affairs)

24) James C. O’Brien, Vice Chair, Albright Stonebridge Group

25) Phoebe Okowa, Professor of Public International Law, Queen Mary, University of London

26) Przemysław Roguski, Lecturer in Law, Jagiellonian University, Kraków, Poland

27) Barrie Sander, Fellow, Fundação Getúlio Vargas, Brazil

28) Michael Schmitt, Professor of International Law at the University of Reading and Francis Lieber Distinguished Scholar at the United States Military Academy (West Point)

29) Liis Vihul, Founder and CEO, Cyber Law International

30) Elizabeth Wilmshurst, Distinguished Fellow, International Law Programme, Chatham House (Royal Institute of International Affairs)

31) Anne Peters, Managing Director, Max Planck Institute for Comparative Public Law and International Law Heidelberg (Germany), Professor at the Universities of Heidelberg, Freie Universität Berlin, Basel (Switzerland), and William W. Cook Global Law Professor at the University of Michigan