Editor’s Note – The views of the authors expressed in this blog are those of the authors and do not necessarily reflect those of the International Committee of the Red Cross.
A major hospital in Brno, the Czech Republic’s second-biggest city, was hit by a cyber attack on March 13. According to the hospital’s management, the attack forced the staff to postpone urgent surgical interventions, reroute new acute patients, and reduce some of their other activities. The hospital is in charge of administering coronavirus tests in the city and the disruption delayed the processing of the tests by several days. Since then, cyber incidents targeting the health-care sector have been reported in a number of countries, including France, Spain, Thailand and the United States.
In a situation where most, if not all of us are potential patients, few government-provided services are more important than the efficient delivery of health care. The strain on hospitals around the world is rapidly growing, to which States have responded by mobilizing military medical units, nationalizing private medical facilities, and building emergency hospitals. It is essential that all of these facilities can function without interruption and that they have sufficient resources as they scale up their operations due to the unfolding crisis. However, as noted in a 2019 International Committee of the Red Cross (ICRC) report on the potential human cost of cyber operations, even in ordinary times the health-care sector is particularly vulnerable to cyber attacks due to its increasing digital dependency and “attack surface.” (see page 6 of the report)
All of this underlines the urgent need to understand what protections the law offers against such attacks. This article examines the protections afforded by existing international law. To the extent that rules that govern the behavior of States are discussed, it should be remembered that these apply only if a given operation is attributable to a State (e.g. because it was conducted by a State organ or under the instructions, direction, or control of a State). Experts have already warned of indications that some “coronavirus-themed cyberattack campaigns” may have been carried out by States. At this stage, however, no such allegation has been made with respect to the Brno hack.
Existing Rules Protecting the Health-Care Sector against Cyber Attacks
Individual criminal responsibility
At the individual level, relevant laws protect hospitals – or the health-care sector more generally – from cyber attacks by criminalizing the relevant conduct. This is done primarily within domestic criminal law regimes, which often criminalize conduct that endangers public health and safety, irrespective of the means used. But international law may also play a role.
In particular, the 65 States that have ratified the 2001 Budapest Cybercrime Convention are bound by international law to criminalize specified cyber activities, such as illegal access (Article 2), data interference (Article 4), and system interference (Article 5). State parties are also obliged to cooperate with each other in investigating and prosecuting acts criminalized by the Convention (see Articles 23–35). Importantly, in 2013, State parties to the Convention expressly agreed that attacks on computer systems essential for the maintenance of public health and safety are covered by the existing provisions of the Convention.
In addition, provided they fulfil the specific requirements of these crimes, certain particularly grave cyber attacks against medical facilities could qualify as international crimes, such as war crimes (see below) or crimes against humanity (see here, pages 141-142).
International humanitarian law
At the inter-State level, the applicable legal framework depends on the context in which malicious cyber operations occur.
During armed conflicts, international humanitarian law (IHL) provides robust protections for medical services and facilities. This is because one of IHL’s fundamental imperatives is “mitigating, as far as possible, the sufferings inseparable from war.” In war, combatants and civilians may suffer injuries and diseases and they must be tended to. IHL provides the protective framework to diminish their misfortune.
When conflicts and pandemics intersect, these protections are more important than ever: where people whose houses have been destroyed or who have been displaced by conflict live cramped together in shelters and without adequate hygiene facilities, the virus spreads more quickly and widely. But if hospitals are no longer functioning, life-saving treatment will not be available.
Accordingly, IHL requires that medical units, transport and personnel must be respected and protected by the parties to the conflict at all times (see e.g. Rules 25, 28, and 29 of ICRC’s Customary IHL Study). As Helen Durham, ICRC’s Director of International Law and Policy, explained yesterday, basic rules of IHL such as these ones also “apply in cyberspace and must be respected.” Therefore, belligerents must not harm medical infrastructure through cyber operations and must take great caution to avoid incidental harm caused by such operations.
In the ICRC’s view, this legal protection extends also to the data belonging to medical units and their personnel (see page 8 here). Similar views have been expressed by France (see page 15) and by international law experts (see e.g. the Tallinn Manual 2.0, page 515). Therefore, malicious cyber operations that would impede the functioning of health-care facilities during armed conflict are prohibited by IHL.
Finally, as noted above, a cyber attack may qualify as a war crime provided certain specific conditions are fulfilled (see generally here at pages 121-137). For example, the war crime of directing an attack against a medical facility under the Rome Statute of the International Criminal Court provided for in Articles 8(2)(b)(xxiv) and (e)(ii), could conceivably be committed using cyber means.
Use of force, non-intervention, and sovereignty
Paradoxically, the situation is less clear in situations other than armed conflict. There is no standalone international legal rule that would comprehensively protect medical facilities. One has to look to more general rules and principles of international law. Three areas of international law may offer relevant obligations with respect to attacks by a State or its proxies against the health infrastructure of another State: the law on the use of force, the principle of non-intervention, and the principle of sovereignty.
Firstly, international law provides for a general prohibition of the use of force in Article 2(4) of the United Nations Charter. There is consensus among academic commentators that a State-sponsored cyber operation directly resulting in the killing of persons abroad would be covered by this prohibition (see e.g. the Tallinn Manual 2.0, page 333 and some States, like Australia and Estonia, have expressed the view that such cyber operation could amount to a use of force). Such an interpretation would clearly encompass, for example, an operation that remotely shuts down ventilators and other life support systems at a big hospital and thereby causes the death of patients. While this prohibition does not cover all cyber attacks against medical facilities, it is critical as it prohibits those attacks that may be expected to have the most serious consequences.
Secondly, international law prohibits all States from intervening in the internal affairs of other States. The U.K., for example, has expressly stated that this prohibition may also cover acts such as the “targeting of essential medical services.” That still leaves open the question of which medical services are “essential” – although in the context of the ongoing pandemic, there is little doubt that, for example, a coronavirus testing facility would so qualify. However, pursuant to the element of coercion, the act in question is prohibited only when designed to compel a targeted State to change its conduct with respect to a matter on which it may otherwise decide freely (see the International Court of Justice’s Nicaragua judgment, para. 205 and the Tallinn Manual 2.0, page 317). Therefore, cyber operations that disrupt medical facilities without being coercive fall outside the scope of the prohibition on interference in the affairs of other States.
Thirdly, cyber operations that interfere with a State’s health-care sector could qualify as violations of that State’s sovereignty. Sovereignty is traditionally understood as including a State’s exclusive right to exercise its functions within its territory (see the Island of Palmas arbitral award, page 838). Cyber operations that undermine the provision of health care in another State’s territory would appear to interfere with this right. However, this analysis is complicated by the ongoing dispute as to whether there actually is a standalone international legal obligation to respect the sovereignty of other States in cyberspace – or whether sovereignty is “merely” a principle which guides State interactions, but which cannot itself be violated. Under the former view (held by States such as France, Germany or the Netherlands), cyber operations that disrupt the functioning of public hospitals abroad would indeed constitute violations of international law. But under the latter view (held by the U.K. and, possibly, the United States), this would not be the case. As noted above, however, the U.K. at least considers that cyber attacks that target essential medical services may violate the prohibition on intervention.
International human rights law
It may also be asked whether a State-sponsored cyber operation against the health-care sector of another State could violate international human rights law (IHRL). As “the same rights that people have offline must also be protected online,” States are generally bound by relevant obligations – such as those derived from the right to health enshrined in Article 12 of the International Covenant on Economic, Social and Cultural Rights (ICESCR), or the right to life enshrined in Article 6 of the International Covenant on Civil and Political Rights (ICCPR).
With regard to extraterritorial operations, according to U.N. Human Rights Committee General Comment 31, States owe relevant obligations to all persons within their “power or effective control.” Different views exist, however, on whether those affected by cyber operations on another State’s territory would be within that State’s power or effective control. On the one hand, in line with the understanding of human rights law as interpreted in most human rights jurisprudence, it is argued that this would only be the case if the State exercised effective control over the territory in which the operation is conducted, or had physical control over the victims (see the Tallinn Manual 2.0, page 185, para. 9).
On the other hand, without specifically referring to cyber operations, human rights treaty bodies have started to expand this view. With regard to the right to life, the Human Rights Committee opined recently that a State’s obligations to respect and to ensure this right extend to “persons located outside any territory effectively controlled by the State, whose right to life is nonetheless impacted by its military or other activities in a direct and reasonably foreseeable manner.” This could be the case, for example, if a cyber operation interfered with ventilators in intensive care units. More broadly, the U.N. Committee on Economic, Social, and Cultural Rights has argued that “States parties have to respect the enjoyment of the right to health in other countries.”
In other words, there are diverging views on the scope of the applicability of IHRL generally, and accordingly, on the extent of the protection that IHRL affords to medical facilities specifically, against cyber operations.
Proposing a New Norm against Cyber Attacks on Medical Facilities and Services
The above analysis demonstrates that various bodies of international law afford strong protections to medical facilities against cyber operations. Depending on how international law is interpreted, it could be deemed to prohibit any hostile cyber operation against medical services – though certain interpretations may leave some loopholes. This is a matter of concern considering the importance of medical services for every one of us.
In this regard, the ICRC recently proposed for the consideration of States participating in the U.N. Open-Ended Working Group on developments in the field of information and telecommunications in the context of international security (OEWG), a new norm of responsible State behavior in cyberspace. This norm would require that “States should not conduct or knowingly support [cyber] activity that would harm medical services or medical facilities, and should take measures to protect medical services from harm.” It would reaffirm existing prohibitions under international law applicable during both armed conflict and peacetime – or, depending on the view one takes on peacetime law, strengthen it.
It is sometimes said that in the midst of every crisis lie opportunities. This time is no different. The current global pandemic is highlighting the absolutely essential importance of a well-functioning public health-sector. We hope that this crisis will create the necessary impetus for the international community to reaffirm, in an unequivocal manner, that international law comprehensively prohibits cyber operations against medical services not only in times of war, but at all times.