The Digital Red Cross: A Recognition of Warcrimes in the Cyberspace
Abstract: This paper will evaluate recent cyberattacks news stories against hospitals that have constituted breaches of the Geneva Convention taken by advesaries of NATO. The research will be a mix of course information that is supported by news findings. The perspective will be from a western-oriented think tank. The audience is policymakers in Washington, D.C.
Contents
Introduction
International efforts are being made to determine the legal ramifications of conflict within cyberspace (Hathaway et al 842). Researchers look to existing and evolving laws to address cyberattacks that do not rise to the level of armed conflict ( Hathaway et al 817). If future or present laws of war are applied, state actions would be regulated within cyberspace. Ergo, deliberately targetting civilian institutions could be prosecuted under a form of the “Geneva Convention.” Cyber attacks that follow a “Digital Geneva Convention,” would be governed under a Jus in Bella (Owens et al.). Attacks within cyberspace would be judged by their actions, their audience, and not their methods (Owens et al.). Evolving the legal framework would then recognize that deliberate attacks against civilian digital systems are a war crime. States and non-state actors could be then prosecuted by international and domestic courts if they target civilian institutions like healthcare. Currently, cyber attacks on civilian apparatuses have not been judged within the same framework. In 2020, hospitals or healthcare apparatuses are a target of 1/3 of all malware attacks (Pifer). If the Digital Geneva Convention would be in effect, attacks on hospitals would be considered a war crime. There would also be a recognition that states and non-state actors have already committed war crimes using cyber tools.
What Defines a War Crime
A war crime can be committed by a state or non-state actor. A war crime does not inherently constitute a physical act (War Crimes). A violation can occur based on the proportionality or intended target of an act (War Crimes). A war crime can be prosecuted by domestic courts. However, war crimes are also prosecuted by international, mixed and hybrid tribunals, and the International Criminal Court (War Crimes). Accusations of war crimes have already been established for physical attacks on healthcare apparatuses. “Let us be clear: Intentional and direct attacks on hospitals are war crimes. Denying people access to essential health care is a serious violation of international humanitarian law,” UN Secretary-General Ban Ki-Moon.
Violations of Geneva
There have been no charges of war crimes for actions taken in cyberspace. Cyberattacks do not directly involve traditional violence and can be perceived as measures short of war. However, in the Tallinn Manual on the International Law Applicable to Cyber Warfare, both Jus ad Bellum and Jus in Bello apply to cyber operations (Finlay). Cyberattacks that deliberately target healthcare’s digital infrastructure if prosecuted by their actions and not their methods, would violate the current Geneva Convention in multiple ways. The first is that healthcare industries are a civilian apparatus that has no military value (Article 51(2) of the 1977 Additional Protocol I). Second, is that if an attack on healthcare industries may serve wounded soldiers (Article 41(1) of the 1977 Additional Protocol I) and third, when the human layer of digital infrastructure is targeted, the result is forced servitude of an adversaries war effort (Article 51, first paragraph, of the 1949 Geneva Convention IV). There has yet to be a precedent established for digital violations of the Geneva Convention.
Forced Servitude
Cyberattacks often use an individual’s human layer as the target of exploitation (The Cost of Cybercrime). States have compelled an individual’s digital identity and authentication to be used to serve a hostile force. States have leveraged that identity, to hold an entire organization’s data hostage for ransom. In 2020, the University of Vermont (UVM) Medical Center reported that for nearly one month, healthcare employees couldn’t use electronic health records (EHRs), payroll programs, and other vital digital tools. Many surgeries had to be rescheduled, and cancer patients had to go elsewhere for radiation treatment. An enterprise in Vermont had been the victim of a covert cyberattack. The perpetrator sent a UVM employee a malware attachment, and when the UVM staffer returned to their workstation, the assailant triggered the attack. Law enforcement was not able to prosecute the attack, because the attack originated outside of national jurisdiction (Rathke). The attack cost an estimated $50 million, and three weeks of work from IT staff to scrub the servers (Weiner). Cybercrimes can force conscription in an evolved way. There is no precedent for the forced servitude of a digital authenticator, but there is for forced enemy conscription (Article 51, first paragraph, of the 1949 Geneva Convention IV). While the methods of forced servitude may be different, the result is not and their actions do not meet Jus in Bello.
Just Short of Prosecution
In 2017, North Korea is alleged to have used a ransomware “Wannacry” on the U.K’s national healthcare system(NHS). The attack exposed a specific exploit within unpatched Microsoft Windows. The attack spread through the NHS’s intranet and affected multiple hospitals operations (The NHS Cyber Attack). The malware denied NHS servers’ the ability to pull up patient information. Resulting in an inability to make appointments, cancelled scheduled surgeries, and caused millions of dollars from the taxpayer to be repaired. An EU investigation revealed the names and addresses of the hackers responsible. They were charged with “affecting systems relating to services necessary for the maintenance of essential services” (Amending Decision (CFSP) 2019/797 concerning restrictive measures against cyber-attacks threatening the Union or its Member States). The Russian malware “NotPetya” unleashed in rural Virginia and Pennsylvania resulted in multiple hospitals turning away patients (Eddy and Perlroth). In 2015, the U.S charged six Russians for using cyberattacks against American hospitals with a “conspiracy to commit an offence against the United States” (Six Russian GRU officers charged in connection … — justice). Because cyberattacks are not currently considered war crimes, this charge does not constitute the same grievous indictment that would have occurred with a physical attack. The GRU officers are not being summoned to international tribunals for their attack, but are at risk of extradition if they visit a country that supports American prosecutors. When perpetrators are caught for a cybercrime, they are not charged with the same degree of seriousness as actions within the physical realm. The Russians and North Koreans were involved with directly attacking civilian apparatuses with no military value.
Digital and Physical Overlap
In 2020, hackers attacked Düsseldorf University Hospital. The attack compromised the digital infrastructure of the hospital, limiting its capacity to take patients and stopped new admissions. Because of the attack, patients were rerouted to other hospitals resulting in the first cyber death. The attackers originally wanted to extort the University for bribery, when they found out that their attack resulted in the death of a patient, they withdrew their extortion and provided the hospital access back to their servers (Hacker-angriff auf uniklinik düsseldorf: Starb Eine patientin Wegen einer Erpressung). Attacks on civilian institutions do not always involve direct death with their methods, but through their actions, the same effect can occur.
Conclusion
Cyber attacks should follow “just war” principles. They should be evaluated by their effect, and not their methods. In the Laws of Armed conflict, a principle distinction is a requirement to not purposely attack civilians and to focus on sparing them from any form of attack (War & Law). There are rules of proportionality (War & Law). Hospital infrastructure keeps patient information, surgical procedures, and medical supplies safe and active. By attacking hospital infrastructure systems, states are disproportionately affecting the civilian population. There needs to be a reconsideration for taking an evolved revision of the Geneva Convention and applying governance to the cyber realm.
Work Cited
1. “Amending Decision (CFSP) 2019/797 Concerning Restrictive Measures against Cyber-Attacks Threatening the Union or Its Member States.” Official Journal of the European Union, vol. 246, no. 12, 30 July 2020.
2. “The Cost of Cybercrime.” Accenturesecurity.
3. Eddy, Melissa, and Nicole Perlroth. “Cyber Attack Suspected in German Woman’s Death.” The New York Times, The New York Times, 18 Sept. 2020, www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html.
4. Finlay, Christopher J. “Just War, Cyber War, and the Concept of Violence.” Philosophy & Technology, Springer Netherlands, 26 Jan. 2018, link.springer.com/article/10.1007/s13347–017–0299–6.
5. Oona Hathaway et al, “The Law of Cyberattack,” California Law Review, 2012 https://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?referer=https://www.google.com/&httpsredir=1&article=4844&context=fss_papers
6. “Hospitals and War Crimes: A Patchy Record.” Refworld, United Nations High Commissioner for Refugees, 7 Oct. 2015, www.refworld.org/docid/561cdafb4.html.
7. “The NHS Cyber Attack.” Acronis, © 2003–2021 Acronis International GmbH, www.acronis.com/en-us/articles/nhs-cyber-attack/.
8. Owens, William A., et al. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. National Academies Press, 2009.
9. Rathke, Lisa. “University of Vermont Hospital Network Reveals Cause of 2020 Cyberattack.” The Burlington Free Press, Associated Press, 27 July 2021, www.burlingtonfreepress.com/story/news/local/vermont/2021/07/27/uvmmc-vermont-health-network-hospital-2020-cyberattack-cause-malware-phishing-vermont-hospital/5388399001/.
10. RTL Online. “Hacker-Angriff Auf Uniklinik Düsseldorf: Starb Eine Patientin Wegen Einer Erpressung.” Rtl.de, RTL Online, 17 Sept. 2020, www.rtl.de/cms/hacker-angriff-auf-uniklinik-duesseldorf-starb-eine-patientin-wegen-einer-erpressung-4615184.html.
11. “Six Russian GRU Officers Charged in Connection … — Justice.” Justice.gov, 15 Oct. 2020, www.justice.gov/opa/press-release/file/1328521/download.
12. “War & Law.” International Committee of the Red Cross, 23 Sept. 2021, www.icrc.org/en/war-and-law.
13. “War Crimes.” TRIAL International, 19 Mar. 2021, trialinternational.org/topics-post/war-crimes/.
14. Weiner, Stacy. “The Growing Threat of Ransomware Attacks on Hospitals.” AAMC, AAMC, 20 July 2021, www.aamc.org/news-insights/growing-threat-ransomware-attacks-hospitals.
15. “What Everyone Should Know about Corporations.” Investopedia, Investopedia, 11 Sept. 2021, www.investopedia.com/terms/c/corporation.asp#:~:text=A%20corporation%20is%20a%20legal,own%20assets%2C%20and%20pay%20taxes.
16. Written by Patrick Lin, Director. “Why Cyberattacks Could Be War Crimes.” World Economic Forum, 17 July 2017, www.weforum.org/agenda/2017/07/why-cyberattacks-could-be-war-crimes/.
