In September 2020, police in Germany commenced a homicide investigation into the death of a patient who was diverted away from a hospital due to a cyberattack. Although a prosecution was ultimately unsuccessful, this event revealed the grave danger cyberattacks can pose to the public. With more and more States investing in military cyber capabilities, and conducting military operations in cyberspace, this threat to the civilian population is heightened. It is generally accepted that principles of international humanitarian law (IHL) apply to military cyber operations during armed conflict. However, IHL as it stands may place civilians at greater risk of harm in the context of military cyber operations. This is due to the doctrine of dual-use objects and its application during cyber conflict.
Military objectives and ‘dual-use’ objects under IHL
Under article 52(2) of Additional Protocol I, attacks must be strictly limited to military objectives. Further, under article 58(1), parties to a conflict are required to take necessary precautions to ensure that civilians and civilian objects are protected against the dangers posed by military operations. Traditionally, in kinetic warfare, this could be achieved by separating civilians and civilian objects from the targeted military objective as much as possible, to spare them from the effects of attacks.
However, cases will arise in which an objective serves a dual military and civilian purpose. In such cases, State practice indicates that a ‘dual-use’ object may amount to a military objective. For example, the Trial Chamber of the International Tribunal for the Former Yugoslavia found in the Prlić case that the destruction of a bridge, used as a supply route for both civilian and military purposes, could constitute a military objective (at para. 1582).
In the context of cyber operations, the Tallinn Manual 2.0 has characterized cyber infrastructure used for both civilian and military purposes as a potential military objective (at page 554). This characterization creates a real risk to civilians during military cyber operations considering the interconnectedness of civilian and military infrastructure. For example, it has been estimated that 98 per cent of US government communications, including classified military communications, travel over civilian networks. The scale at which military and civilian networks are integrated means that the separation of these networks is considered unfeasible (at page 219).
Although a ‘dual-use’ object is a military objective, a proportionality assessment must be conducted to ensure the attack does not cause disproportionate harm to the civilian population. This offers some protection to civilians. For instance, the Tallinn Manual 2.0 considers it unlikely that the entire internet would constitute a military objective, even though it is used for military purposes (at page 446). Nonetheless, the risk remains that civilian cyber infrastructure will be incidentally damaged due to its interconnectedness with military cyber infrastructure.
The solution: A digital safe haven agreement
To reduce the risk of civilian harm during military cyber operations, States should adopt a ‘digital safe haven’ agreement to protect certain computer networks from being targeted during cyber operations. As discussed by Robin Geiß and Henning Lahmann (at page 394), a digital safe haven would be the virtual equivalent of a demilitarized zone, as set out in article 60 of Additional Protocol I. Rather than separating networks into civilian or military, States should isolate essential civilian networks and protect them from any military interference through an internationally binding agreement. To be effective, such an agreement would need to impose two key obligations on States: first, that States must not conduct military operations against designated networks and data systems, and secondly, that States must not use designated networks or systems for military purposes.
To gain access to the digital safe haven, States would be required to isolate protected networks and data systems. For example, military data would not be allowed to sit on the same server as protected data. When determining which networks should be protected, a more conservative approach should be adopted at first to ensure the digital safe haven is successful and efficient. Although areas such as financial systems and power grids can be considered essential for civilian populations, protected systems should initially be limited to medical networks, such as the digital infrastructure of hospitals.
Limiting the areas protected by a safe haven agreement would mean that the haven is less susceptible to abuse by States. Further, given the recent surge in criminal cyberattacks against hospitals, isolating medical networks would additionally provide the hospitals with the opportunity to strengthen their cybersecurity through measures such as improving data encryption.
As demonstrated by the events in Germany in September 2020, disruptions to medical networks can have immediate and deadly consequences for civilians. Although medical infrastructure is already protected under IHL, the introduction of an international agreement establishing a digital safe haven would bolster this framework and provide additional protection to civilians. By removing military activities from medical networks, a digital safe haven agreement would ensure that these networks can never lawfully be the object of an attack.
Editor’s note: This post has been lightly edited to fit the blog post format, without any changes to its content.