The potential human cost of cyber operations – ICRC Report

Cyber – Armed Conflict

The potential human cost of cyber operations
29-05-2019 | ICRC Report
This report provides an account of the discussions that took place during a meeting of experts organised by the ICRC in November 2018 on the potential human cost of cyber operations.

Cyber attacks and their consequences are on top of the agenda around the world. Apart from causing substantial economic loss, cyber operations can cause physical damage and affect the delivery of essential services to civilians. Cyber attacks against electrical grids and the health-care sector have underscored the vulnerability of these services.

The use of cyber operations during armed conflicts is also a reality. While only a few States so far have publicly acknowledged that they use them, an increasing number of States are developing military cyber capabilities.

To move towards a realistic assessment of the potential human cost of cyber warfare, the ICRC convened a meeting of scientific and cyber security experts from all over the world. They analysed some of the most sophisticated known cyber operations, regardless of whether they occurred during conflict or in peacetime, focusing on the risk that cyber operations may result in death, injury or physical damage, affect the delivery of essential services to the population, or affect core internet services.

The rich discussions provided a nuanced picture of the risks that cyber warfare can entail for the civilian population. The ICRC looks forward to the feedback to this report to continue to follow the evolution of cyber operations, in particular during armed conflicts.


The potential human cost of cyber operations
14–16 NOVEMBER 2018 – GENEVA :: 80 pages
Report prepared and edited by Laurent Gisel, senior legal adviser, and Lukasz Olejnik, scientific adviser on cyber, ICRC

Executive Summary [excerpt]
…Avenues that could be explored to reduce the potential human cost of cyber operations
Cyber security measures
Beyond the restraints imposed by IHL upon those carrying out cyber operations, it is critical to enhance the cyber security posture and resilience of the actors potentially affected. While cyber security and defence are constantly improving, older systems with outdated or even non-existing cyber security are particularly vulnerable to cyber attacks and will remain a concern in the years to come. Both the public and private sectors have a role to play through industry standards and legal regulation.

In the health-care sector, for instance, the regulatory environment should be adapted to the increased risk, such as through standardization requirements, with a view to ensuring resilience in the event of a cyber attack. Cyber security needs to be taken into account in the design and development of medical devices and updated throughout their lifetime, no matter how long they last. Similarly, for industrial control systems, industry standards, whether imposed or self-imposed, are critical. This includes reporting incidents and sharing information between trusted partners.

In terms of IHL, parties to armed conflicts must take all feasible precautions to protect civilians and civilian objects under their control against the effects of attack. This is one of the few IHL obligations that States must already implement in peacetime.

Disclosing vulnerabilities
The preferred option for enhancing the safety of cyber space should be disclosing vulnerabilities to the appropriate software developer so that the vulnerabilities can be fixed. Some States have therefore put in place equity processes to balance competing interests and risks and decide whether to disclose the vulnerabilities they identify.

Measures to prevent proliferation
Those who develop cyber weapons should consider creating obstacles in order to make repurposing difficult and expensive. While it is hardly possible from a technical standpoint to guarantee that malware cannot be repurposed, methods like encrypting its payload and including obstacles in different components of the code, for example, could raise the bar in terms of the expertise required to reengineer malicious tools. While there is currently no express obligation under IHL to create obstacles to the repurposing of cyber tools, this could prevent at least some actors from doing so and therefore reduce the risk of subsequent misuse that their proliferation entails. The unique way in which cyber tools proliferate also raises the question of whether existing law is adequate or sufficient to address this phenomenon.

Marking of certain civilian infrastructure
Another avenue, which builds on existing international law, could be to create a “digital watermark” to identify certain actors or infrastructure in cyber space that must be protected (such as objects that enjoy specific protection under IHL). The aim would be to help their identification and prevent them from being targeted during armed conflicts. The potentially positive effects in terms of protection against unintended harm by law-abiding actors would however need to be balanced against the risk of disclosing information on critical infrastructure to potential adversaries, including criminals. The prospects of positive effects might depend in part on attribution becoming easier.

Improving attribution and accountability
Finally, enhanced attribution capacities would help ensure that actors who violate international law in cyber space can be held accountable, which is a means to strengthen compliance with the law and more generally encourage responsible behaviour in cyber space.

Way forward
The use of cyber operations in armed conflict is likely to continue and might remain shrouded in secrecy. Analysing its consequences is a complex and long-term endeavour that requires multidisciplinary expertise and interaction with a wide variety of stakeholders.

Building upon the conclusions reached at the expert meeting, the ICRC would like to pursue the dialogue with governments, experts and the IT sector. It looks forward to the feedback to this report to continue to follow the evolution of cyber operations, in particular during armed conflicts, and their potential human cost, explore avenues that could reduce them, and work towards a consensus on the interpretation of existing IHL rules, and potentially the development of complementary rules that afford effective protection to civilians.