Cyber attacks and their consequences are at the top of the agenda around the world. Cyber operations—such as WannaCry, NotPetya or attacks against the electricity grid in Ukraine—have affected the delivery of essential services to the civilian population and underscored the vulnerability of such services to cyber attacks. Six months ago, in an expert meeting, we started the conversation on the potential human cost of cyber operations. Today, we are very pleased to present the ICRC report stemming from that meeting. While we cannot do justice here to the richness of two days of intense discussion, we highlight below some of the ICRC’s key takeaways.

The use of cyber operations in armed conflict today

Before getting into the specifics of the meeting’s discussions, it is worth bearing in mind the renewed attention that the use of cyber operations during armed conflict has received recently. In January, France published elements of its doctrine on offensive cyber operations. In February, General Nakasone, U.S. Cyber Command, confirmed the use of cyberspace operations ‘in places like Iraq, Syria, Yemen, and Afghanistan’, while in March, the Director of the Australian Signals Directorate (ASD) spoke about ASD’s use of offensive cyber operations during armed conflicts—echoing a similar declaration by the UK in 2018. Earlier this month, the Israeli Defense Forces confirmed it had ‘targeted a building where the Hamas cyber operatives work’ in what is widely seen as the first public report of a kinetic response to a cyber attack.

More generally, an increasing number of States are developing military cyber capabilities (here and here). Several groups carrying out cyber operations also purport to be linked to on-going conflicts, though exactly who they are and with whom they might be affiliated is not necessarily clear. Cyber attacks have affected other countries involved in armed conflicts, although whether the attacks have been linked to the conflict in question is either controversial or not established.

Cyber operations during armed conflicts do not occur in a legal vacuum. In December last year, the General Assembly confirmed that international law, and in particular the Charter of the United Nations, is applicable and essential to maintaining peace and stability (here and here). Without legitimizing the use of force in cyberspace or its militarization, international humanitarian law (IHL) imposes additional restrictions on the belligerents’ resort to cyber operations during conflicts and protects civilians from their effects.

As part of the mandate that the international community gave to the ICRC, we monitor the development of new technologies that could be used as means and methods of warfare, including cyber capabilities. Our analysis is based on the design-dependent features of cyber technologies, the intended or expected use of cyber operations during conflicts, the human cost they may cause, and the challenges they raise for IHL and in particular for the protection of civilians.

An expert meeting on the potential human cost of cyber operations

To develop a realistic assessment of cyber capabilities and their potential human cost, we invited cyber security and other experts from around the world. We focused on the analysis of the technical possibility of causing specific effects—namely the risk that cyber operations would cause death, injury, physical damage, or affect the delivery of essential services to the population or the core internet services.

Considering the rapidly evolving nature of cyber technology and the limited details known about cyber operations during armed conflicts, we analysed the most sophisticated of known cyber operations, regardless of whether they occurred in an armed conflict or in peacetime. 

Specific vulnerabilities of certain types of infrastructure 

The health care sector is particular in that human life is necessarily at stake (pp 18-22). Consistent with the general evolution of our society, the health sector is becoming increasingly digitalized and connected. Medical devices are connected to hospitals’ IT systems. Bio-medical devices—such as pacemakers and insulin pumps—are increasingly connected to the internet to enable their remote monitoring. These technological advancements entail clear advantages but also risks. The number of vulnerabilities and potential entry points for malware increases commensurately with the increased digitalisation and connectivity of such devices, while this broader ‘attack surface’ has not been matched with a corresponding improvement in cyber security. As observed in past events, attacks that affect the availability of medical data can hamper the ability of the concerned health care facility to deliver services.

Attacks against industrial control systems (ICSs) are of a specific nature (pp 23-28). Affecting ICSs in a manner that would cause physical damage at the industrial facility or loss of life or injury requires disabling the industrial process’ safety mechanisms. This is technically very challenging as it necessitates an adequate understanding of the industrial processes at play. It may therefore require more and different resources and expertise than other types of cyber operations, as well as custom-built malware. The capability to undertake such an attack was, however, illustrated through the two reported attacks that caused physical damage—Stuxnet in 2010 and at a German steel mill in 2014. Since then, advanced persistent threat (APT) groups have been observed developing the capability to carry out attacks against ICSs and critical infrastructure (here and here). While very few of the groups have been identified as having actually demonstrated this capability, experts have raised concern that the threat is evolving more rapidly than expected. For example, it would not have been anticipated a few years ago that threats such as Trisis / Triton (here, here and here) would materialize so rapidly.

The application of international humanitarian law in cyberspace 

In the view of the ICRC, many cyber operations described in the report would be violations of international humanitarian law (IHL) if carried out in armed conflicts. Indeed, IHL prohibits attacks on civilians and civilian objects as well as indiscriminate and disproportionate attacks.

However, not all cyber attacks are necessarily indiscriminate. Malware does not spread automatically by chance; a self-propagation functionality normally needs to be included in the design of the malware. Some attacks even require custom-built malware, and many cyber attacks have been precisely targeted from a technical perspective. This does not mean they were lawful; it means that the technical characteristics of cyberspace do not prevent a belligerent from respecting the principle of distinction. For IHL to truly protect civilians against the effects of cyber hostilities, however, these prohibitions must be considered to apply to cyber attacks designed to disable the targets regardless of whether the attack caused physical damage (p 41).

Today, many services that are essential for the civilian population rely on ICSs—such as water, electricity or sanitation. While these services are civilian in nature, and therefore protected, during armed conflicts distinct parts thereof might become military objectives, for example the electricity line powering a military command, control and communication post. Depending on the circumstances, cyber operations might enable targeting a military objective with less risk of causing incidental damage to civilian objects than when using other means of warfare. This depends, among other things, on the resources and care with which the operations are developed and carried out. This would be a relevant consideration with regard to the obligation to take all feasible precautions in the choice of means and methods of warfare to avoid incidental harm to civilians or civilian objects.

Finally, the health care sector enjoys specific protection under IHL. Belligerents must respect and protect medical facilities and personnel at all times. Most—if not all—reported cyber attacks against the health care sector would be violations of IHL if they had been carried out in an armed conflict. Given the debate surrounding the protection of civilian data (see here and here), it is necessary to emphasize that the specific protection afforded to medical facilities extends to their medical records, which holds equally true whether the records are in paper or digital form (p 43).

Possible avenues to explore to reduce the human cost of cyber operations

The analysis of the evolution of cyber attacks that we drafted in view of the meeting lists different avenues that could be explored to reduce the human cost of cyber operations (pp 75-77). A number of these were discussed by experts at the meeting (pp 39-42).

A key issue that was repeatedly underlined during the meeting was the possibility to technically repurpose or reengineer malware. This is a widely used method, including by militaries.

While reverse-engineering the technologies developed by adversaries or competitors is a common feature in the military and commercial sectors, it plays out in a unique manner with regard to cyber tools and impacts how cyber tools proliferate. Actors that might not have the expertise to develop harmful tools on their own might repurpose tools developed by more sophisticated actors. This is compounded by the fact that once used (or stolen or leaked), cyber tools are potentially accessible to other cyberspace actors worldwide. While repurposing often takes place after the malware has become publicly known, this can at times be even more complex. A recent report illustrates a situation where a threat actor used a variant of tools developed by another actor before anything had been known publicly about these tools. One possible explanation would be that the first threat actor had observed the use of the original tool by the actor that developed it, and then independently developed this variant on the basis of this observation.

Could repurposing or reengineering malware be prevented technically? Not entirely. But those that develop or use malware can take measures to raise the bar in terms of the expertise required to repurpose or reengineer the tools. Such measures could include encrypting the payload and including obstacles in different components of the code. This could prevent at least some actors from repurposing the tools. In fact, militaries say they analyse the risk that cyber tools be reverse-engineered before taking the decision to use them, which may operate as a restraining factor regarding their use.

International law does not prohibit repurposing cyber tools, a technique also helpful in cyber security testing. The actor that uses malware—whether it developed, repurposed or reengineered it—is responsible in the event that a violation of IHL or another rule of international law occurs. There is currently no specific rule that would impose a residual responsibility on the actor that originally developed or used malware. Yet, the idea that a belligerent might continue to bear some responsibility after having used specific means of warfare is not foreign to IHL. This is, for example, the case with regard to explosive remnants of war. Nothing would prevent States from deciding to move in this direction with regard to cyber operations.

To enhance the safety of cyberspace, disclosing vulnerabilities in software or systems to the developer should remain the preferred option. States may nevertheless not be ready to disclose some vulnerabilities, such as those found in enemy weapons systems. Some States, such as Australia, the UK and the United States, have put in place equity processes to balance competing interests and risks and decide whether to disclose the vulnerabilities they identify. Responsible disclosure and equity processes have also been encouraged by the UN General Assembly, the Paris Call for Trust and Security in Cyberspace and the Global Commission for the Stability of Cyberspace.

Looking ahead

As with any other new technology used as means and methods of warfare, the analysis of the specific characteristics of the technology is an important building block to assess its potential human cost, but only one among several. It is equally important to analyse how cyber operations may be expected to be used by belligerents during armed conflicts—a task rendered more difficult by the secrecy surrounding the development and use of cyber operations. Further analysis is also needed to address the challenges that cyber operations during armed conflicts raise for IHL.

The technology is evolving fast and the capabilities of the most sophisticated actors may remain largely unknown. So, today’s conclusions will require constant reassessment. We look forward to feedback on this report to pursue the dialogue on the potential humanitarian consequences of cyber operations and their evolution.
