Scenario 25: Cyber disruption of humanitarian assistance

From International cyber law: interactive toolkit
Jump to navigation Jump to search

A State involved in an international armed conflict hacks into the systems of an impartial humanitarian organization. It uses the information obtained to identify civilians and members of a paramilitary force belonging to a specific ethnic group in order to arrest or kill them. In addition, the attack compromises the perception of neutrality, impartiality and independence of the humanitarian organization and it results in restrictions on access for the organization and security incidents affecting its staff. The scenario explores whether the cyber operation constitutes an unlawful interference with the provision of humanitarian aid and violates the obligation to respect and to protect persons and objects used for humanitarian relief operations under international humanitarian law.

Scenario[edit | edit source]

Keywords[edit | edit source]

Surveillance, humanitarian assistance, international humanitarian law, computer data, targeting.

Facts[edit | edit source]

[F1] Neutrality International (NI), an impartial international humanitarian organization, offers a range of humanitarian services digitally, directly to populations affected by armed conflicts across the world. These services – provided on a secure digital platform – include storing peoples’ important and sensitive documents, assisting family reunification, providing digital cash vouchers, and sharing information about when and where aid distributions are taking place.

[F2] State A, predominantly of ethnicity X, is engaged in an international armed conflict with State B, whose population is predominantly of ethnicity Y. NI is present and conducts its humanitarian activities in both States A and B, with the consent of both States.

[F3] Many citizens of State A who are of the minority ethnicity Y have lost contact with their families in State B and seek help from NI to search for their relatives. State A government authorities believe that their citizens of ethnicity Y who have contacts in State B are supporters of State B, and try to identify, capture and interrogate them to have information that may be helpful to suppress any opposition.

[F4] Security services of State A hack into NI’s platform and exfiltrate a list of all people in border areas who have activated a “tracing request” to restore links with family members across the border via that platform.

[F5] The following day State A’s forces commence arrests of people identified in the hack of NI who are present on State A’s territory. With regard to people identified in State B, they launch targeted strikes against those belonging to State B paramilitary forces and raids to capture others. Among State B’s forces, a rumour starts to spread according to which NI provided the list to State A and cooperated with State A’s intelligence services. State B’s forces freeze all of NI’s humanitarian operations in State B. A team of NI staff who were conducting a humanitarian assessment in a remote area on the territory of State B is arrested by State B paramilitary forces. One NI staff is killed.

Examples[edit | edit source]

Legal analysis[edit | edit source]

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The legal analysis of the present scenario examines whether a cyber operation aimed at exfiltrating data from the systems of an impartial humanitarian organization in the context of an international armed conflict, which is subsequently used to target individuals, can constitute an unlawful interference with humanitarian relief operations and violate the obligation to respect and to protect persons and objects used for humanitarian relief operations under international humanitarian law.

[L2] This scenario does not consider the question whether the operation in question may qualify as an attack against NI under international humanitarian law. Neither does it consider whether the operation in question may violate the privileges and immunities of the international humanitarian organization or whether it violates the sovereignty of a host State of the organization, such as the State where the servers of the organization are located.

Disruption of humanitarian activities[edit | edit source]

Humanitarian relief operations

In times of armed conflict, IHL foresees that impartial humanitarian organizations, such as the International Committee of the Red Cross, may undertake, or offer to undertake, humanitarian activities to provide assistance for those in need and to protect persons affected by armed conflict.[1] In practice, humanitarian activities may include, for instance, the distribution of material assistance, the restoration of family links, the search for missing persons, or the visiting of detainees.[2]

IHL sets out specific rules to facilitate and protect humanitarian activities.

Under IHL, once an offer of services by an impartial humanitarian organization has been accepted by the parties concerned, ‘the parties to the conflict must allow and facilitate rapid and unimpeded passage of humanitarian relief for civilians in need, which is impartial in character and conducted without any adverse distinction, subject to their right of control’.[3] For the purpose of this rule, humanitarian relief items traditionally include ‘food and medical supplies’ as well as ‘clothing, bedding, means of shelter, other supplies essential to the survival of the civilian population’.[4] In the cyber context, experts have interpreted this rule as prohibiting cyber operations that are ‘designed or conducted to interfere unduly with impartial efforts to provide humanitarian assistance’.[5]

IHL further provides that humanitarian relief personnel and objects must be ‘respected and protected’.[6] This obligation builds on, but goes beyond, the general protection of humanitarian organizations and their staff as civilians. In analogy to the obligation to respect and protect medical personnel and facilities, this obligation should also be understood as prohibiting not only attacks against humanitarian relief operations but also ‘other forms of harmful conduct outside the conduct of hostilities’ against humanitarian relief personnel or undue interference with their work.[7]

In the cyber context, these obligations entail a prohibition against attacking or otherwise harming humanitarian relief personnel and consignments, an obligation to protect them against harm,[8] and a prohibition against using cyber operations to interfere with the impartial efforts to provide humanitarian relief, even if this interference does not rise to the level of attack.[9] The obligation to respect and to protect relief personnel and operations should also be understood as protecting the relevant data.[10]

Publicly available national positions that address this issue include: National position of Costa Rica (2023) (2023).

[L3] The operation against NI’s platform is, on the face of it, an information gathering operation aimed to exfiltrate confidential information. A (digital) information gathering operation, as such, and is generally considered not prohibited under IHL as long as it does ‘not violate specific law of war rules’.[11]

[L4] Thus, the main question to address under this section is whether State A has violated its IHL obligations with regard to the operations and protection of NI as an impartial humanitarian organization. Specifically, has State A interfered unduly with impartial efforts to provide humanitarian assistance? Were humanitarian relief personnel or consignments not respected or protected by virtue of the authorities hacking into the systems of the humanitarian organization and using exfiltrated data to further their military operations?

[L5] According to the facts provided, NI’s activities qualify as impartial humanitarian activities as understood under IHL. The services provided via NI’s platform include humanitarian relief activities, such as providing digital cash vouchers and sharing information about when and where aid distributions are taking place, and humanitarian protection activities, such as storing peoples’ important and sensitive documents on a secure platform and assisting family reunification. These services are humanitarian in nature and, based on the facts given, offered according to needs, as required by the principle of impartiality.

[L6] When an impartial humanitarian organization is the target of an information gathering operation, it cannot be ignored that its humanitarian work and safety of its staff and belongings are dependent on the trust that parties to an armed conflict and other actors have in it. Trust depends, in particular, on the perception these actors have of the organization’s neutrality, impartiality, and independence, and on a shared understanding that the information the organization collects is used exclusively for humanitarian purposes. Certain international humanitarian organizations indeed base their own security on this aspect.[12] Another key pillar of the security for such organizations is the political, operational and cultural acceptance by parties to the conflict and affected populations as a neutral, impartial and humanitarian actor.[13] Reference to this has been made by the international community on different occasions and in different fora.[14]

[L7] State A is obliged not to conduct cyber operations that interfere unduly with NI’s impartial efforts to provide humanitarian relief. This prohibition addresses a broader set of cyber operations than those amounting to attacks; it prohibits ‘cyber operations to frustrate or prevent legitimate and impartial relief efforts’.[15] In the present scenario, the information gathering operation against NI’s platform and the subsequent use of this specific data to arrest and target persons who had benefitted from NI’s tracing services amounts to an undue interference with NI’s humanitarian relief operations because it makes it impossible for NI to continue its humanitarian operations. It is therefore prohibited under IHL.

[L8] State A’s conduct may also be considered to violate the obligation to respect and protect humanitarian relief personnel. This obligation aims to safeguard humanitarian relief personnel against a wide range of harm to enable their humanitarian work. It includes a positive obligation of belligerents to protect humanitarian relief personnel against harm. In the present scenario, State B’s conduct would violate that obligation because it should be expected that State B’s conduct undermines the trust in NI and may thereby put humanitarian staff in danger.[16]

Checklist[edit | edit source]

  • Disruption of humanitarian assistance
    • Is an organization engaging in activities furthering the purposes of alleviating human suffering and to protect life and health and to ensure respect for the human being, without discrimination?
    • Does the cyber operation interfere unduly with the functioning or delivery of humanitarian relief?
    • Does the cyber operation violate the obligation to respect and to protect humanitarian relief consignments or personnel?

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. GC I/II/III/IV, Common Art 9/9/9/10 (applicable in international armed conflict); GC I/II/III/IV, Common Art 3 (applicable in non-international armed conflict).
  2. For further discussion, see ICRC (ed), Commentary on the Third Geneva Convention (CUP 2020), paras 1338–1347.
  3. AP I, Art 70(2), which broadened previously adopted provisions in GC IV, Art 23. See also ICRC CIHL Study, Rule 55.
  4. AP I, Art 69(1); see also Michael N Schmitt (ed), Tallinn Manual 2.0, commentary to Rule 145, para. 5.
  5. Tallinn Manual 2.0, Rule 145.
  6. GC IV, Arts 59, 70(4) and 71(2); ICRC CIHL Study, Rules 31–32.
  7. For an interpretation of the obligation to respect and protect medical personnel, see ICRC (ed), Commentary on the First Geneva Convention (CUP 2016), paras 1358 and 1799.
  8. See Laurent Gisel, Tilman Rodenhauser and Knut Doermann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’ (2020) 102 (913) International Review of the Red Cross 287, 329.
  9. Tallinn Manual 2.0, commentary to Rule 80, para 4.
  10. For further discussion, see Tilman Rodenhäuser, ‘Hacking Humanitarians? IHL and the protection of humanitarian organizations against cyber operations’, EJIL:Talk! (16 March 2020).
  11. United States Department of Defense, Law of War Manual (2016) para 5.26.2; Tallinn Manual 2.0, commentary to Rule 89, para 5.
  12. See, eg, Massimo Marelli, ‘Hacking humanitarians: Defining the cyber perimeter and developing a cyber security strategy for international humanitarian organizations in digital transformation’ (2020) 102 (913) International Review of the Red Cross 367.
  13. Philippe Dind, ‘Security in ICRC Field Operations’ in Secure 02 (Finnish Red Cross 2002) 22; IFRC, ‘Stay Safe - the International Federation Guide to a Safer Mission’ (2010) 16–17.
  14. See, eg, 37th International Conference of Data Protection and Privacy Commissioners, ‘Resolution on Privacy and International Humanitarian Action’ (27 October 2015) para 5 of the Explanatory Statement; 33rd International Conference of the Red Cross and Red Crescent, ‘Res 4: Restoring Family Links While Respecting Privacy, Including as It Relates to Personal Data Protection’ (2019) preambular para 8 and operative paras 8–11; Swiss Confederation, ‘Cyber-Attacks Against Critical Infrastructure’, statement at the Security Council on behalf of: Australia, Austria, Belgium, Brazil, Canada, Dominican Republic, France, Germany, Indonesia, Ireland, Italy, Ivory Coast, Kuwait, Japan, Liechtenstein, Luxembourg, Netherlands, Norway, Poland, Portugal, Sweden, United Kingdom, Ukraine, Uruguay and Switzerland (26 August 2020).
  15. Tallinn Manual 2.0, Rule 145; commentary to Rule 145, para 6; see also ibid., commentary to Rule 80, para 4.
  16. See Tilman Rodenhäuser, ‘Hacking Humanitarians? IHL and the protection of humanitarian organizations against cyber operations’, EJIL:Talk! (16 March 2020).

Bibliography and further reading[edit | edit source]

Contributions[edit | edit source]

Previous: Scenario 24: Internet blockage Next: Scenario 26: Export licensing of intrusion tools