28 Oct Digital Emblems: The Protection of Health Care Facilities in the Cyber Domain in the Age of Pandemics
[Adriano Iaria is a Humanitarian Advocacy Officer for the Italian Red Cross and a faculty member of the Master’s course in Intelligence and Security for Link Campus University in Rome, Italy. The views, thoughts, and opinions expressed in the text belong solely to the author, and not necessarily to the author’s employer, organization, committee or other group or individual.]
Last May, in the midst of the ongoing COVID-19 pandemic, 40 international leaders called for governments to take immediate and decisive action to prevent and stop cyber attacks that would target hospitals, healthcare, research organizations, and international authorities that provide critical care and guidance. Cyber attacks against the healthcare sector can range from malware attacks, with the aim of compromising the integrity of systems and privacy of patients, to distributed denial of service (DDoS) attacks, which disrupt facilities’ ability to provide patient care. Attacks can also include disinformation campaigns aimed at undermining the public’s trust of key-players, or interference with testing and vaccine research facilities. Cyber attacks against healthcare were reported in Europe (France, Spain, and the Czech Republic), Thailand, and in the United States. The World Health Organization and other health authorities were targeted, thus underlying the vulnerability of this sector in a moment during which medical care is essential. Recent events evidence an emerging trend: cyber operations increasingly put human lives in jeopardy.
Domestic criminal law regimes primarily protect hospitals from cyber attacks by criminalizing the relevant conduct that endangers public health and safety. Moreover, in 2001, 65 States ratified the Budapest Cybercrime Convention, which criminalizes specific cyber activities, such as illegal access (Article 2), data interference (Article 4), and system interference (Article 5). In 2013, State parties to the Convention expressly agreed to include public health and safety assets among critical information infrastructures covered by the existing provisions of the Convention. At the inter-State level, the applicable legal framework depends on the context in which malicious cyber operations occur. IHL requires that medical units, transport, and personnel must be respected and protected by the parties of the conflict at all times (Kubo Mačák, Tilman Rodenhäuser & Laurent Gisel, Cyber attacks against hospitals and the COVID-19 pandemic: How strong are international law protections?, 2020).
During armed conflicts, the ICRC defines cyber warfare as “ operations against a computer or a computer system through a data stream, when used as means and methods of warfare in the context of an armed conflict, as defined under IHL. Cyber warfare can be resorted to as part of an armed conflict that is otherwise waged through kinetic operations. The notion of cyber warfare might also encompass the employment of cyber means in the absence of kinetic operations when their use amounts to an armed conflict, although no State is known to have publicly qualified an actual hostile cyber operation as such” (ICRC, Report on international humanitarian law and the challenges of contemporary armed conflicts, 2015). International humanitarian law provides special protection to certain objects, such as medical units and transport. In order to highlight this special protection, the international community established a list of specific emblems that reinforce the protection of these objectives during an armed conflict. Under the Rome Statute of the International Criminal Court, “intentionally directing attacks against buildings, material, medical units and transport, and personnel using the distinctive emblems of the Geneva Conventions in conformity with international law” constitutes a war crime.
IHL imposes a limit not only on existing means and methods of warfare, but also for new weapons. According to article 36 of Additional Protocol I to the Geneva Conventions, “in the study, development, acquisition or adoption of a new weapon, means or method of warfare, a High Contracting Party is under an obligation to determine whether its employment would, in some or all circumstances, be prohibited by this Protocol or by any other rule of international law applicable to the High Contracting Party.”
In the last years, cybersecurity has assumed a prominent role due to new threats to international security. Nowadays, the protection of critical infrastructures includes each State considering the cyberspace as: “a global domain within the information environment consisting of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers” (Department of Defense, Dictionary of Military and Associated Terms, 2020). This means that this domain, like others, may become a battleground in which States engage with one another for control. In 2017, the ICRC urged States to address an international debate on new means of warfare, including cyberwarfare. IHL seeks to minimize suffering in armed conflicts. Notably, this includes protecting and assisting all victims of armed conflict to the greatest extent possible, and limiting means and methods of warfare to prevent superfluous injury and unnecessary suffering.
In the last years, States have conducted several operations that can be considered cyber attacks. Some of them, due to their low intensity, did not fall under the IHL. However, other cyber operations do fall under IHL ruling because of their intensity, and due to the fact that they took place between States in which a status of armed conflict already existed. In those cases, States considered cyberspace as another domain in which to prevail. Along with the protection of crucial infrastructures from kinetic attacks, those that employ physical means such as bombs and guns States need to identify and protectvirtual infrastructures connected to objects that are protected by IHL and considered essential for the State itself. Any entity operating within cyberspace – humans or Artificial Intelligence systems – should have a clear understanding of what can be targeted and what would be considered an attack to the principle of humanity, both in times of peace and in times of armed conflict.
Since 2004, the UN General Assembly has tried to address information and telecommunications in the context of international security by establishing different Groups of Governmental Experts. The Groups have examined existing and potential threats in the cybersphere, as well as possible cooperative measures to address them. In 2017, the Groups failed to find a consensus in a final report. In December 2018, the General Assembly established both a new Group of Governmental Experts and an Open-Ended Working Group (OEWG) to continue the discussion for 2019-2021 and 2019-2020, respectively (United Nations Office for Disarmament Affairs Factsheet, Developments in the field of information and telecommunications in the context of international security, 2019). The main problem relating to cyber attacks is the attribution of the attack; while it is quite easy to identify who is responsible for a kinetic attack, often in cyberspace there is a lack of accountability that renders all efforts made to regulate cyber operations a failure. For example, the non-legally binding confidence-building measures (CBMs) proposed within the OSCE framework in 2013 and 2016 did not realize the main goal of “preventing conflicts stemming from the use of ICTs and at maintaining peaceful use of ICTs” (OSCE, 2016). The 11 CBMs established in 2013 and the 5 more added in 2016 created a system of direct communication between States to defuse conflicts, prevent unintentional escalation, share best practices, and voluntarily report on vulnerabilities in the ICT systems.
Objects under special protection are present on the Internet, connected through a network, and can be under attack both in the times of peace and during armed conflicts. Cyberspace could also be seen as a humanitarian space where multiple parties are present, and together with States could develop common norms to protect cyber infrastructures. States may want to create a digital emblem as a protective device for facilities, such as hospitals and medical research institutes, that are already protected under IHL but not marked as so in cyberspace. Members of the International Movement of the Red Cross and Red Crescent (Movement) may also want to display a digital emblem as a distinctive marker for those digital utilities related to the Movement.
While this proposal may appear naive, something similar already happened more than 50 years ago. In 1977, State parties to the diplomatic conference on the Additional Protocols to the Geneva Conventions came to an agreement in codifying, among others, light and radio signals to protect the operations of medical units and other objects protected by emblems. By doing so, States displayed the protection of hospital ships and medical flights not only through a visible emblem, but also through radar systems and in the dark. Moreover, according to Article 1.4 of Annex I to the AP I, “parties to the conflict are invited at all times to agree upon additional or other signals, means or systems which enhance the possibility of identification and take full advantage of technological developments in this field.” Besides the emblems recognized and used to signify health care facilities and personnel in armed conflicts – the Red Cross, the Red Crescent and the Red Crystal – IT measures may include top-level domains, warning banners, and TCP/IP packets marking as useful tools to display this protection in the cyberspace (Sutherland I., Xynos K., Jones A., Blyth A., The Geneva Conventions and Cyber-Warfare, 2015).
During the COVID-19 pandemic, Brno University Hospital in the Czech Republic was targeted in an as yet-to-be-attributed attack that forced the facility to shut down its entire IT network. The attack then bled over into the affiliated Children’s Hospital and the Maternity Hospital. Urgent surgeries had to be postponed, and the hospital could not perform in its role as a designated COVID-19 testing center. In the UK, cyber criminals have conducted ransomware attacks targeting medical facilities, including the Hammersmith Medicines Research, which is on the frontline in testing vaccines. Although the primary attack was foiled, patient medical data was exfiltrated and held for ransom. Last July, the UK National Cyber Security Centre claimed that Russian cyber agents were behind the attacks on coronavirus vaccine development. Other international agencies, like the World Health Organization, were also subjected to malicious cyber operations that tried to secure the passwords of personnel. Costin Raiu, Head of Global Research and Analysis of Kaspersky, a global leader company in cyber security, noted that: “at times like this, any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country.” Cyber criminals have also engaged in phishing attacks, impersonating WHO to gain access to information in personal computers. In one case, they distributed a fake “My Health e-book” attachment, which contained a malware-equipped file. (Milanovic M. and Schmitt M. N., Cyber Attacks and Cyber (Mis)information Operations during a Pandemic, 2020).
The COVID-19 outbreak must change States’ views on cyberspace as a place where the lack of accountability ensures impunity, and then it must change States’ perception of it as a domain in which there are no rules. As the pandemic effects are erga omnes, the protection of health care facilities from cyber attacks, both in times of peace and times of armed conflict, may rely on an erga omnes States’ will. Displaying digital emblems and codifying an emblem within cyberspace would easily ensure the identification of healthcare facilities in this domain and, ultimately, protect them.