In the spring of 2021, the ICRC and Geneva Academy jointly organized a student essay competition on the protection of civilians against the dangers posed by military cyber operations. Students from nearly 30 countries and all continents of the world contributed short essays answering the question: ‘Which measures – technical, policy, legal, or other – should States put in place to avoid or at least reduce the risk of civilian harm from military cyber operations during armed conflicts?’ Today, we are delighted to publish Isabelle Peart’s winning essay. In the words of one of the chairs of the jury, ICRC’s Laurent Gisel, Isabelle’s essay ‘impressed us by the maturity of the presented thoughts as well as by the well-argued suggestions on how to reduce the risk of harm to civilians that is posed by military cyber operations’. The essay adapts the IHL concept of demilitarized zones to the cyber context, and on that basis presents an argument for the establishment of international digital safe havens.

 

In September 2020, police in Germany commenced a homicide investigation into the death of a patient who was diverted away from a hospital due to a cyberattack. Although a prosecution was ultimately unsuccessful, this event revealed the grave danger cyberattacks can pose to the public. With more and more States investing in military cyber capabilities, and conducting military operations in cyberspace, this threat to the civilian population is heightened. It is generally accepted that principles of international humanitarian law (IHL) apply to military cyber operations during armed conflict. However, IHL as it stands may place civilians at greater risk of harm in the context of military cyber operations. This is due to the doctrine of dual-use objects and its application during cyber conflict.

Military objectives and ‘dual-use’ objects under IHL

Under article 52(2) of Additional Protocol I, attacks must be strictly limited to military objectives. Further, under article 58(1), parties to a conflict are required to take necessary precautions to ensure that civilians and civilian objects are protected against the dangers posed by military operations. Traditionally, in kinetic warfare, this could be achieved by separating civilians and civilian objects from the targeted military objective as much as possible, to spare them from the effects of attacks.

However, cases will arise in which an objective serves a dual military and civilian purpose. In such cases, State practice indicates that a ‘dual-use’ object may amount to a military objective. For example, the Trial Chamber of the International Tribunal for the Former Yugoslavia found in the Prlcase that the destruction of a bridge, used as a supply route for both civilian and military purposes, could constitute a military objective (at para. 1582).

In the context of cyber operations, the Tallinn Manual 2.0 has characterized cyber infrastructure used for both civilian and military purposes as a potential military objective (at page 554). This characterization creates a real risk to civilians during military cyber operations considering the interconnectedness of civilian and military infrastructure. For example, it has been estimated that 98 per cent of US government communications, including classified military communications, travel over civilian networks. The scale at which military and civilian networks are integrated means that the separation of these networks is considered unfeasible (at page 219).

Although a ‘dual use’ object is a military objective, a proportionality assessment must be conducted to ensure the attack does not cause disproportionate harm to the civilian population. This offers some protection to civilians. For instance, the Tallinn Manual 2.0 considers it is unlikely that the entire internet would constitute a military objective, even though it is used for military purposes (at page 446). Nonetheless, the risk remains that civilian cyber infrastructure will be incidentally damaged due to its interconnectedness with military cyber infrastructure.

The solution: A digital safe haven agreement

To reduce the risk of civilian harm during military cyber operations, States should adopt a ‘digital safe haven’ agreement to protect certain computer networks from being targeted during cyber operations. As discussed by Robin Geiß and Henning Lahmann (at page 394), a digital safe haven would be the virtual equivalent of a demilitarized zone, as set out in article 60 of Additional Protocol I. Rather than separating networks into civilian or military, States should isolate essential civilian networks and protect them from any military interference through an internationally binding agreement. To be effective, such an agreement would need to impose two key obligations on States: first, that States must not conduct military operations against designated networks and data systems, and secondly, that States must not use designated networks or systems for military purposes.

To gain access to the digital safe haven, States would be required to isolated protected networks and data systems. For example, military data would not be allowed to sit on the same server as protected data. When determining what networks should be protected, at first, a more conservative approach should be adopted to ensure the digital safe haven is successful and efficient. Although areas such as financial systems and power grids can be considered essential for civilian populations, protected systems should initially be limited to medical networks, such as the digital infrastructure of hospitals.

Limiting the areas protected by a safe haven agreement would mean that the haven is less susceptible to abuse by States. Further, given the recent surge in criminal cyberattacks against hospitals, isolating medical networks would additionally provide the hospitals with the opportunity to strengthen their cybersecurity through measures such as improving data encryption.

As demonstrated by the events in Germany in September 2020, disruptions to medical networks can have immediate and deadly consequences for civilians. Although medical infrastructure is already protected under IHL, the introduction of an international agreement establishing a digital safe haven would bolster this framework and provide additional protection to civilians. By removing military activities from medical networks, a digital safe haven agreement would ensure that these networks can never lawfully be the object of an attack.

Editor’s note: This post has been lightly edited to fit the blog post format, without any changes to its content.

See also