Scenario 25: Cyber disruption of humanitarian assistance

__NUMBEREDHEADINGS__

A State involved in an international armed conflict hacks into the systems of an impartial humanitarian organization. It uses the information obtained to identify civilians and members of a paramilitary force belonging to a specific ethnic group in order to arrest or kill them. In addition, the attack compromises the perception of neutrality, impartiality and independence of the humanitarian organization and it results in restrictions on access for the organization and security incidents affecting its staff. The scenario explores whether the cyber operation constitutes an unlawful interference with the provision of humanitarian aid and violates the obligation to respect and to protect persons and objects used for humanitarian relief operations under international humanitarian law.

Keywords
Surveillance, humanitarian assistance, international humanitarian law, computer data, targeting.

Facts
[F1] Neutrality International (NI), an impartial international humanitarian organization, offers a range of humanitarian services digitally, directly to populations affected by armed conflicts across the world. These services – provided on a secure digital platform – include storing peoples’ important and sensitive documents, assisting family reunification, providing digital cash vouchers, and sharing information about when and where aid distributions are taking place.

[F2] State A, predominantly of ethnicity X, is engaged in an international armed conflict with State B, whose population is predominantly of ethnicity Y. NI is present and conducts its humanitarian activities in both States A and B, with the consent of both States.

[F3] Many citizens of State A who are of the minority ethnicity Y have lost contact with their families in State B and seek help from NI to search for their relatives. State A government authorities believe that their citizens of ethnicity Y who have contacts in State B are supporters of State B, and try to identify, capture and interrogate them to have information that may be helpful to suppress any opposition.

[F4] Security services of State A hack into NI’s platform and exfiltrate a list of all people in border areas who have activated a “tracing request” to restore links with family members across the border via that platform.

[F5] The following day State A’s forces commence arrests of people identified in the hack of NI who are present on State A’s territory. With regard to people identified in State B, they launch targeted strikes against those belonging to State B paramilitary forces and raids to capture others. Among State B’s forces, a rumour starts to spread according to which NI provided the list to State A and cooperated with State A’s intelligence services. State B’s forces freeze all of NI’s humanitarian operations in State B. A team of NI staff who were conducting a humanitarian assessment in a remote area on the territory of State B is arrested by State B paramilitary forces. One NI staff is killed.

Examples

 * UN data breach (2019)
 * Surveillance of Civil Society Groups/Ahmed Mansoor (2016)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The legal analysis of the present scenario examines whether a cyber operation aimed at exfiltrating data from the systems of an impartial humanitarian organization in the context of an international armed conflict, which is subsequently used to target individuals, can constitute an unlawful interference with humanitarian relief operations and violate the obligation to respect and to protect persons and objects used for humanitarian relief operations under international humanitarian law.

[L2] This scenario does not consider the question whether the operation in question may qualify as an attack against NI under international humanitarian law. Neither does it consider whether the operation in question may violate the privileges and immunities of the international humanitarian organization or whether it violates the sovereignty of a host State of the organization, such as the State where the servers of the organization are located.

Disruption of humanitarian activities
[L3] The operation against NI’s platform is, on the face of it, an information gathering operation aimed to exfiltrate confidential information. A (digital) information gathering operation, as such, and is generally considered not prohibited under IHL as long as it does ‘not violate specific law of war rules’.

[L4] Thus, the main question to address under this section is whether State A has violated its IHL obligations with regard to the operations and protection of NI as an impartial humanitarian organization. Specifically, has State A interfered unduly with impartial efforts to provide humanitarian assistance? Were humanitarian relief personnel or consignments not respected or protected by virtue of the authorities hacking into the systems of the humanitarian organization and using exfiltrated data to further their military operations?

[L5] According to the facts provided, NI’s activities qualify as impartial humanitarian activities as understood under IHL. The services provided via NI’s platform include humanitarian relief activities, such as providing digital cash vouchers and sharing information about when and where aid distributions are taking place, and humanitarian protection activities, such as storing peoples’ important and sensitive documents on a secure platform and assisting family reunification. These services are humanitarian in nature and, based on the facts given, offered according to needs, as required by the principle of impartiality.

[L6] When an impartial humanitarian organization is the target of an information gathering operation, it cannot be ignored that its humanitarian work and safety of its staff and belongings are dependent on the trust that parties to an armed conflict and other actors have in it. Trust depends, in particular, on the perception these actors have of the organization’s neutrality, impartiality, and independence, and on a shared understanding that the information the organization collects is used exclusively for humanitarian purposes. Certain international humanitarian organizations indeed base their own security on this aspect. Another key pillar of the security for such organizations is the political, operational and cultural acceptance by parties to the conflict and affected populations as a neutral, impartial and humanitarian actor. Reference to this has been made by the international community on different occasions and in different fora.

[L7] State A is obliged not to conduct cyber operations that interfere unduly with NI’s impartial efforts to provide humanitarian relief. This prohibition addresses a broader set of cyber operations than those amounting to attacks; it prohibits ‘cyber operations to frustrate or prevent legitimate and impartial relief efforts’. In the present scenario, the information gathering operation against NI’s platform and the subsequent use of this specific data to arrest and target persons who had benefitted from NI’s tracing services amounts to an undue interference with NI’s humanitarian relief operations because it makes it impossible for NI to continue its humanitarian operations. It is therefore prohibited under IHL.

[L8] State A’s conduct may also be considered to violate the obligation to respect and protect humanitarian relief personnel. This obligation aims to safeguard humanitarian relief personnel against a wide range of harm to enable their humanitarian work. It includes a positive obligation of belligerents to protect humanitarian relief personnel against harm. In the present scenario, State B’s conduct would violate that obligation because it should be expected that State B’s conduct undermines the trust in NI and may thereby put humanitarian staff in danger.

Checklist

 * Disruption of humanitarian assistance
 * Is an organization engaging in activities furthering the purposes of alleviating human suffering and to protect life and health and to ensure respect for the human being, without discrimination?
 * Does the cyber operation interfere unduly with the functioning or delivery of humanitarian relief?
 * Does the cyber operation violate the obligation to respect and to protect humanitarian relief consignments or personnel?

Bibliography and further reading

 * Laurent Gisel, Tilman Rodenhauser and Knut Doermann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’ (2020) 102 (913) International Review of the Red Cross 287.
 * ICRC, ‘International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC Position Paper’ (November 2019).
 * Massimo Marelli, ‘Hacking humanitarians: Defining the cyber perimeter and developing a cyber security strategy for international humanitarian organizations in digital transformation’ (2020) 102 (913) International Review of the Red Cross 367.
 * Tilman Rodenhäuser, ‘Hacking Humanitarians? IHL and the protection of humanitarian organizations against cyber operations’, EJIL:Talk! (16 March 2020).
 * Michael Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).

Contributions

 * Scenario by: Massimo Marelli & Tilman Rodenhäuser
 * Analysis by: Massimo Marelli & Tilman Rodenhäuser
 * Reviewed by: Russell Buchan; Tristan Ferraro; Laurent Gisel; Tsvetelina van Benthem