From responding to emergencies to promoting respect for international humanitarian law, the presence, access and work of the ICRC, as with other humanitarian organizations, hinge on acceptance and trust. This trust derives from the organization’s neutrality, impartiality, and independence, from the fact that it furthers exclusively humanitarian objectives, and from its strictly confidential approach. In this sense, being able to establish bilateral, confidential dialogue with all stakeholders, irrespective of whether they are State or non-State actors and whether they may be accepted as lawful groups or not, is an essential requirement to ensure performance of the mandate.

These are the underpinnings that have shaped in-person dialogue for the ICRC for many decades. These are also, incidentally, precisely the features we need to emulate and promote as we navigate the realm of cyberspace.

Dialogue with ‘cyber-host States’

Developing and deploying digital humanitarian services requires an organization such as the ICRC to identify one or more key jurisdictions where it can safely host services and procure the necessary ingredients to then offer them globally. These ‘cyber-host States’ are likely to be countries where there is no active conflict or violence and where, therefore, the humanitarian organization would otherwise be unlikely to run humanitarian programmes. They are also likely to be identified among countries with a strong cyber-industry, capabilities, academia to partner on research and development, and infrastructure.

Operational dialogue with cyber-host States is framed, first and foremost, in the host state agreement itself, along with any further memoranda of understanding, documents, or practices existing between the two parties. This dialogue should be shaped to cover, at a minimum, the aspects set out below.

First, dialogue should address the cooperation required to ensure the anticipation, detection, and attribution/identification of a group behind an adverse operation, as well as the identification of the appropriate response to them. Because of its control over the network on its territory and flows of data going through it, the resources and expertise available, and the international cooperation networks it is likely to be involved in, a cyber-host State may have much better means than the organization alone to anticipate, detect, attribute, and respond to cyber operations. Defining the perimeters of this dialogue is sensitive and important to ensure that, on the one hand, the dialogue is effective, while on the other hand, it does not make the organization overly reliant on the cooperation of the cyber-host State, thereby risking to compromise the neutrality, impartiality, and independence of the organization.

Second, the dialogue between the State and the organization should clarify how to deal with ‘cyber crime’, i.e. cases in which an operation affecting the organization is attributed to criminal groups and not linked to State or State-sponsored actors. How can the organization rely on law enforcement by the host State to protect its activities, and what type of cooperation does this require? How can the organization and the host State deal with the cross-border and international nature of ‘cyber criminals’ – who may not be found in the jurisdiction of the host State – and the potential effects in third countries, where the organization deploys its humanitarian action? What types of international cooperation mechanisms does the host State engage in, and are these suitable for the nature, mandate and working modalities of the organization?

Third, the dialogue should also clarify how to deal with adverse cyber operations attributed to third countries, including by State-sponsored actors. This is also a sensitive area that may need to be specifically discussed and agreed between the organization and the host state, since it may raise sensitive questions of public international law and international relations. These questions may relate to the neutrality, impartiality, and independence of the humanitarian organization balanced against a possible determination by the host State that an operation targeting an international organization on its territory may be a violation of its sovereignty, possible consequent countermeasures available to the host state, and reliance on due diligence measures of third countries under international law to support bringing the adverse operation to an end.

While some of these scenarios have been examined in detail, including those relating to a host State’s possible failure to assist an international organization and availability of countermeasures, many questions remain. In particular, while questions around sovereignty, countermeasures and due diligence in cyberspace have been discussed in different fora and in certain governments’ cybersecurity policies and/or statements, they have so far looked more at the implications on sovereignty when it comes to operations impacting a State affected, and, with the notable exception mentioned above, not as much when it comes to the relationship between an international organization and its host State. In this area, however, different states may have different and diverging views as to how they interpret those concepts, and some may not have a clear, public position on their interpretation of this area of law. It is therefore important to ensure that questions that may affect an organization’s capacity to operate or compromise its neutrality, impartiality, and independence are addressed by it in its dialogue with its host state.

In other words, would a cyber-host State consider an operation targeting an organization hosted on its territory as a violation of its sovereignty or other rules or principles of international law? If so, under what conditions? Could the cyber-host State in that case seek countermeasures against the perpetrators? If so, which measures? If the operation is being run through infrastructure on the territory of a third State, would the cyber-host State seek to get the cooperation of such third State to bring the operation to an end? Would the cyber-host State ask the third State to take due diligence measures to bring the operation to an end? Would any of the above constitute a concern for the organization, in so far as intervention of the cyber-host State may affect and compromise its neutrality, impartiality, and independence?

Dialogue with States where the organization intends to offer digital services

For an organization like the ICRC, working in areas of conflict and other situations of violence, dialogue with the State where it operates or intends to operate is an essential step to ensuring acceptance of the deployment of digital humanitarian services.

This is not anodyne, particularly taking into account that, as set out above, such services must be exclusively humanitarian, and offered in a neutral, impartial, and independent way. This implies that affected people rely on trust that any communication with or data provided to the humanitarian organization will not be accessed and used by third parties for non-humanitarian purposes. Similarly, the State in question should accept this protected digital humanitarian space and not interfere with it, and, in turn, with the technical measures used by the humanitarian organization to protect this digital humanitarian space.

Similarly, this dialogue should also aim at ensuring that ‘humanitarian data flows’ directed to the organization are not affected by internet shut downs, and that affected populations have access to the maximum possible extent to connectivity.

Dialogue with State and non-State actors

Securing the organization’s cyber perimeter against the technical capabilities of State-led or State-sponsored actors, and in some cases also of certain groups linked to non-State groups, is a major challenge. A humanitarian organization will most likely never have sufficient resources to counter their offensive power. From the point of view of an organization like the ICRC, which bases its security on acceptance and respect of its humanitarian mandate, the primary objective would be to ensure acceptance of a protected digital humanitarian space.

If this were to be the objective, it would require the organization to consider how to securely carry out a bilateral confidential dialogue with both States, State-sponsored groups and groups linked to non-State groups with sophisticated capabilities, potentially including hacker groups, to explain its work, mandate and modus operandi, to establish respect for its ‘digital humanitarian space’, prevent adverse cyber operations and, thereby negotiate and obtain ‘digital access’ just like it negotiates access in the physical world.

In this respect, key questions will arise about how, technically, the organization could in practice set up a bilateral confidential dialogue with these actors (and being able to verify it is indeed with them they are holding said dialogue). In order to maintain the trust of all stakeholders in the international community it is also important that the organization is transparent about the existence, reasons, and objectives of this dialogue. As part of its mandate to protect and assist people affected by war and other violence, the ICRC seeks a dialogue with all those who may influence humanitarian situations and who may be in a position to facilitate or hinder humanitarian action. This includes State and non-State actors, and is true in both the physical world and in cyberspace.

This confidential dialogue should be complemented with state of the art security and, where possible, research and development partnerships with academia. Although it is likely very difficult to ensure security at a level sufficient to counter a powerful actor in all circumstances, the level of security needed to ensure effective protection should be guided by: (i) due diligence, i.e. applying a level of security that can be expected from an organization handling highly sensitive data, taking into account cost of technology, sensitivity of the information, and state of the art; and (ii) raising the cost – in terms of financial resources, time, staff required to carry out adverse cyber operations, as well as reputational repercussions – of successfully affecting the organization to a level that is not worth the cost of achieving it.

Conclusion

An international humanitarian organization going through a process of digital transformation and aiming to offer digital services directly to beneficiaries faces numerous novel questions. These include legal, organizational, technical, and operational questions and relate to issues that are transversal and highly interdependent –  and none of these questions has, at present, clear and univocal answers.

To move towards answers, it is important to carry out an in-depth analysis of the specificities of the status, mandate, mission, and working modalities of the organization. This analysis should be contextualized in the framework of the environment in which the organization operates. This will enable the organization to identify any features of its operational dialogue, stakeholders, objectives, and dialogue modalities it may need to adapt in order to support its presence in cyberspace.

See also

• Massimo Marelli & Adrian Perrig, Hacking humanitarians: mapping the cyber environment and threat landscape, May 7, 2020
• Massimo Marelli, Hacking Humanitarians: moving towards a humanitarian cybersecurity strategy, January 16, 2020
• Tilman Rodenhäuser, Hacking Humanitarians? IHL and the protection of humanitarian organizations against cyber operations, March 16, 2020