Scenario 20: Cyber operations against medical facilities

__NUMBEREDHEADINGS__ Public hospitals in a State fall victim to a hostile cyber operation, encrypting hospital computers. As a result, patient data becomes unavailable and a number of patients have to be diverted to private hospitals. The victim State’s forensic investigation indicates that the operation was conducted by a State actor but cannot immediately determine which State was responsible. Two possible culprits emerge: a State that is a political adversary of the victim State; and a State engaged in an armed conflict with the victim State. Therefore, this scenario analyses the incident first from the perspective of peacetime international law (primarily the principles of sovereignty and non-intervention, the prohibition against the use of force, and international human rights law) and then under international humanitarian law applicable during armed conflict (notably the obligation to respect and protect medical units).

Keywords
International humanitarian law, international human rights law, medical facilities, hospitals, ransomware, prohibition of intervention, sovereignty, use of force

Facts
[F1] State A is located in a region rattled by conflict and rivalry among regional powers. The tensions between States A and B run high and their governments have been constantly exchanging insults and political threats. However, neither State has ever used physical force against the other. By contrast, State A is locked into an ongoing international armed conflict with State C. For several years, the conflict has been continuing at low intensity with frequent shelling across the frontline.

[F2] Recently, public hospitals of State A, which account for 30% of all its hospitals, fell victim to a ransomware attack. All public hospitals use the same administration software and are connected to each other. The operation encrypted computers used in the hospitals and doctors became unable to access patient data stored digitally. This included data containing test results from hundreds of patients tested for a highly infectious disease. The inaccessibility of patient data meant the hospitals became unable to admit some patients or to treat others. As a result, the affected public hospitals had to transfer urgent cases to private hospitals.

[F3] After three days, cyber security specialists from State A found the key needed to decrypt the computers. Still, as a result of the incident, medical care at the hospitals was disrupted by delays and unavailability of important data on patient treatment. Two of the patients diverted to private hospitals died while in transit, although investigations were inconclusive as to whether their lives could have been saved if they had been admitted on time. Moreover, due to test results being unavailable, public authorities were unable to track and inform individuals who had been infected. State A’s Ministry of Health stated that the inability to track positive cases undermined the State’s strategy to combat the infectious disease.

[F4] State A’s forensic experts quickly determine that the operation was conducted by an advanced persistent threat actor, likely linked to a State. However, at the early stages they are unable to attribute the operation to a specific State. While waiting for further clarity from forensic experts, on the basis of the evidence available, State A’s intelligence service considers it is highly probable that the operation was either the work of State B, or of State C.

[F5] All States involved in this scenario are parties to the four Geneva Conventions, their Additional Protocol I, the Rome Statute of the International Criminal Court, the International Covenant on Civil and Political Rights (ICCPR), and the International Covenant on Economic, Social, and Cultural Rights (ICESCR).

Examples

 * Springhill Medical Center ransomware attack (2019)
 * Brno University Hospital ransomware attack (2020)
 * Ireland’s Health Service Executive ransomware attack (2021)
 * Cyber operation against the university hospital in Dusseldorf, Germany
 * Cyber operations against medical facilities in France, South Africa, Spain, Thailand, the United States

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] Attribution of the cyber operation against State A’s public hospitals is unclear. With available evidence suggesting that it was conducted either by State B or by State C, the legal analysis discusses the two possibilities in two separate sections below.

What if it was State B: Focus on peacetime international law
[L2] If the operation was attributed to State B, it would have taken place in time of peace. Thus, the legal analysis in this section focusses on whether the operation would have violated State A’s sovereignty, amounted to a prohibited intervention into the internal affairs of State A, and/or amounted to a use of force against State A. The analysis also examines whether State B would have violated its obligations under international human rights law.

Obligation to respect the sovereignty of other States
[L3] This analysis proceeds on the basis that the obligation to respect the sovereignty of another State is a rule of international law applicable to cyberspace. The operation interrupted and slowed down the delivery of medical services in another State. The fact that this was done through an unauthorized penetration of State A’s systems would suffice for the qualification of the operation as a breach of sovereignty under the test proposed by France.

[L4] The ransomware operation also resulted in a widespread loss of functionality, given that the affected systems in State A’s public hospitals ceased to operate properly until the encryption key was found. In addition, the operation prevented State A from tracking and informing patients who were tested positive for a highly infectious disease, thereby undermining its capacity to contain that disease. Taking measures to curb an epidemic is a governmental responsibility of any State and thus the tracking and informing of patients can be considered as an inherently governmental function of State A. Accordingly, State B’s cyber operation could also be characterized as a violation of State A’s sovereignty due to it having caused a loss of functionality of cyber infrastructure in State A (option 3 in the box above) and interfered with State A’s inherently governmental functions (option 4).

Prohibition of intervention
[L5] With regard to the first element of prohibited intervention, the ransomware incidents related to matters of public policy including the operation of public hospitals and the development of a strategy to contain an infectious disease. Although some aspects of these matters are now subject to international regulation – for example, the World Health Organization’s International Health Regulations codify certain international obligations in handling public health emergencies – the overall management of a public health crisis at a national level is still widely considered to remain a sovereign prerogative falling within each State’s domaine réservé. Accordingly, the incidents related to matters upon which State A had the right to decide freely.

[L6] With respect to the second element, the two approaches to the meaning of “coercion” defined above lead to different results in the present scenario. On the first approach, an intent to compel State A to change its behaviour cannot be discerned from the facts. The cyber operation interfered with the functioning of the hospitals and the implementation of State A’s strategy, but there is insufficient information to conclude that State B had the goal of effecting any particular change in the behaviour of State A.

[L7] By contrast, on the second approach, the interference with the hospitals would be considered coercive because it prevented State A from operating those hospitals according to its own will. As such, it effectively deprived that State of its ability to control or govern matters within its domaine réservé and, accordingly, it qualified as a violation of the prohibition of intervention.

Use of force
[L8] It is unlikely that the ransomware operations amounted to a use of force. There is no evidence of direct physical damage and it is doubtful that the operations can be considered comparable to the use of kinetic force on the basis of the criteria mentioned above. The consequences of the operations – in particular, the disruption to the functioning of public hospitals – would arguably not be considered serious or severe enough to equate the operation with a physical use of force against those targets. Even if a causal link between the cyber operations and the two patient deaths could be established, these effects might still fall below a de minimis threshold suggested in legal doctrine as well as in international practice. The indirect nature of any such effects would also militate against the qualification of the underlying operation as a use of force. Finally, the target of the operations and the circumstances prevailing at the time when the operations were launched did not suggest that the operations had a military character.

Applicability of international humanitarian law
[L9] Provided that the operation is attributed to State B, a separate legal question is whether the cyber operation conducted by State B would bring into existence an international armed conflict between State B and State A.

[L10] In the present scenario, the effect of the cyber operation is difficult to compare to a classic kinetic operation because there is no physical damage comparable to that resulting from armed hostilities between States. At the same time, if computer systems in a significant number of hospitals are targeted and disrupted, it is reasonably foreseeable that injury or death will result. In line with the prevailing view that there is no requirement of a specific level of intensity of violence to trigger an international armed conflict (see in the box above), it could thus be argued that such operations would bring into existence an international armed conflict and have to comply with the limits imposed by IHL (on which see section 2.2.1 below). For the time being, however, it is unclear whether States would classify such cyber operations as bringing IHL into application.

International human rights law
[L11] The scenario also raises the question of whether the cyber operation is in violation of State B’s obligation (1) to respect the right to life of those patients who died following the operation (article 6 ICCPR) and (2) the right to health of persons whose health is negatively affected by the operation (article 12 ICESCR).

[L12] In the present scenario, it must first be determined whether the patients are within State B’s jurisdiction, meaning whether State B owes human rights obligations to them.

[L13] There are at least three possible approaches to determining whether a State owes human rights obligations to persons living abroad who are affected by its cyber activities.

[L14] First, a few States take the view that human rights treaties, such as the ICCPR, do not apply extraterritorially. On this view, State B would not owe human rights obligations to anyone outside of its territory, including the affected patients in State A. However, it should be noted that this view has been contradicted by the International Court of Justice and it has gained minimal traction outside of the limited number of its supporters.

[L15] Second, in line with the well-established understanding of jurisdiction under human rights law, a State only owes obligations under the ICCPR or the ICESCR to persons abroad if it exercises effective control over the territory in which the effects of the operation manifest, or if it has physical control over the victims; referred to in the literature as, respectively, the spatial and personal models of jurisdiction. However, neither of these conditions is met in the present scenario. As a result, a cyber operation by State B that affects victims in State A would not violate State B’s human rights obligations because the victims do not come within State B’s jurisdiction.

[L16] Third, and without specifically referring to cyber operations, human rights treaty bodies have presented more extensive views on the scope of States’ extraterritorial jurisdiction under the ICCPR and the ICESCR. With regard to the right to life under the ICCPR, the UN Human Rights Committee opined that a State’s obligations to respect and to ensure this right extend to “persons located outside any territory effectively controlled by the State, whose right to life is nonetheless impacted by its military or other activities in a direct and reasonably foreseeable manner”. More broadly, the UN Committee on Economic, Social, and Cultural Rights has argued that under the ICESCR “States parties have to respect the enjoyment of the right to health in other countries”. Under this approach, State B would owe human rights obligations to those affected by its cyber operations. It is unclear, however, whether such broad interpretations of the notion of jurisdiction reflect the current state of international law.

[L17] If the view suggested by the UN treaty bodies was followed, it would still need to be analysed whether State B acted in violation of its obligation under the right to life by using ransomware against public hospitals. Following the UN Human Rights Committee’s interpretation of the right to life, this would be the case if an act of the State – in this case the cyber operation that resulted in the death of two patients – impacted the right to life in an “in a direct and reasonably foreseeable manner”. In the present case, it could be argued that a cyber operation against a significant number of hospitals affects the right to life of patients in a direct and reasonably foreseeable manner, even if the cyber operation is not the immediate cause of death.

[L18] Similarly, if the more extensive approach to jurisdiction was taken, it would follow that State B also violated its obligations under the right to health. This is because, as noted by the Committee on Economic, Social, and Cultural Rights, the obligation to respect that right requires States not to interfere “directly or indirectly with the enjoyment of the right to health”. State B’s cyber operations which prevented patients from receiving treatment and which negatively affected State A’s ability to respond to a public health crisis would have violated that obligation.

International humanitarian law
[L19] If the operation is attributed to State C, it takes place in the context of an existing international armed conflict. As a consequence, all acts of the parties to the conflict with a sufficient nexus to that conflict are governed by IHL. Based on the evidence available, it is unclear whether such nexus existed, which would be assessed by reference to whether State C “acted in furtherance of or under the guise of the armed conflict”. The remainder of the analysis in this subsection proceeds on the assumption that this requirement was met.

[L20] In the present scenario, the malware encrypted computers used in the hospital and made medical data of hospital patients temporarily unavailable. The operation thereby interfered with the hospital’s medical work and prevented medical staff from treating those in need of care. Therefore, the operation would have constituted a violation of State C’s obligations to respect and to protect medical units.

[L21] It must further be inquired whether the operation amounts to an attack against a medical unit, which could amount to a war crime. This would be the case if the operation can reasonably be expected to cause injury or death to persons or damage or destruction to objects (see box above). If the view is taken that the notion of damage includes a loss of functionality, the present operation amounts to an attack because it effectively disabled the hospital computers. This conclusion will also be reached if the focus is not on the damage caused but on the reasonably foreseeable injury or death. This is because conducting a cyber operation that is expected to disrupt computers in 30% of a State’s hospitals can be “reasonably expected to cause injury or death to persons”. On the basis of the foregoing, the operation would thus qualify as a prohibited attack against a medical unit.

International human rights law
[L22] Finally, it should be noted that it is generally – though not universally – accepted that international human rights law continues to apply during armed conflicts. If the more extensive view on the notion of jurisdiction is taken, the conduct attributed to State C might also implicate its human rights obligations, in particular those under the rights to life and health (see paras L16–L18 above). In that case, the precise interplay between the relevant IHL and human rights obligations would require further analysis, which is beyond the scope of the present scenario.

Checklist

 * Who is responsible for the operation and can the act be attributed to a State?
 * Does the operation take place in time of peace or in the context of an armed conflict?
 * If the operation takes place in time of peace, does it
 * Violate the principle of sovereignty, the principle of non-intervention, or the prohibition against the use of force?
 * Violate the acting State’s human rights obligations? Does the acting State owe human rights obligations to the victims?
 * Could it bring into existence an international armed conflict to which IHL applies?
 * If the operation takes place in times of armed conflict, does it violate relevant rules of IHL, notably the obligation to respect and protect medical facilities and the prohibition against attacks against medical units?

Bibliography and further reading

 * Laurent Gisel, Tilman Rodenhäuser and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts (2020) 102 IRRC 913.
 * Kubo Mačák, Tilman Rodenhäuser and Laurent Gisel, Cyber attacks against hospitals and the COVID-19 pandemic: How strong are international law protections?, ICRC Humanitarian Law and Policy Blog, 2 April 2020.
 * Marko Milanovic and Michael N Schmitt, Cyber Attacks and Cyber (Mis)information Operations during a Pandemic, (2020) 11 Journal of National Security Law & Policy 247.
 * Harriet Moynihan, ‘The Vital Role of International Law in the Framework for Responsible State Behaviour in Cyberspace’ (2020) 5 Journal of Cyber Policy.
 * Harriet Moynihan, ‘The Application of International Law to State Cyberattacks: Sovereignty and Non-intervention’ (2019) Chatham House.
 * Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
 * Oxford Statement on the International Law Protections against Cyber Operations Targeting the Health-Care Sector (20 May 2020).

Contributions

 * Scenario by: Tilman Rodenhäuser & Kubo Mačák
 * Analysis by: Tilman Rodenhäuser & Kubo Mačák
 * Reviewed by: Joost Bunk; Gary Corn; Przemyslaw Roguski