Recently, debate ramped up around the idea of a digital emblem to signal the legal protection of medical facilities in the cyber domain. The International Committee of the Red Cross (ICRC) published an extensive study in which it proposes different solutions to highlight – by digital means – the protection of medical infrastructure during armed conflict and to signal which operations belong to the Red Cross and Red Crescent Movement.
In his recent post, Christian Ohanian fostered debate around the issue. While he recognized that the ICRC’s proposal of a Digital Red Cross “is ambitious and could help support greater security for the digital infrastructure of medical personnel providing critical life-saving care during armed conflict,” he also raised doubts about the effectiveness of such an emblem because of the long-standing lack of clarity of the notion of “attacks” in cyber operations. In his analysis, Ohanian bases his arguments on the lack of clarity regarding which cyber operations could constitute the war crime of “intentionally directing attacks against buildings, material, medical units and transport, and personnel using the distinctive emblems of the Geneva Conventions in conformity with international law.”
As I will show first, Ohanian’s argument here is entirely sound. However, for a complete analysis of the need for and functioning of a digital emblem, we must also consider the more specific protection that medical facilities are granted under international humanitarian law (IHL).
Which Cyber Operations Amount to an “Attack”
To constitute a war crime under the Rome Statute of the International Criminal Court, a cyber operation against a hospital must amount to an “attack.” Legal discussions about cyber operations and the definition of “attack” began shortly after the year 2000, with two opposing viewpoints emerging. Under the first approach, argued by Michael N. Schmitt in 2002, a cyber operation was considered an attack only if it resulted in harm to people or physical damage to objects. For example, cyber operations aimed at civilian cyber infrastructure that did not cause damage were not considered unlawful under IHL because they did not meet the definition of an attack. A second approach, offered in 2004 by Knut Dörmann, supported a wider view of which operations fall under the notion of attack and are therefore restricted by the IHL rules on the conduct of hostilities. Under that approach, the notion of attack applies to a wider range of operations, including those that disrupt the functionality of infrastructure without necessarily causing death, injury or physical damage.
Twenty years later, and as Ohanian rightly points out, there are still different interpretations of what constitutes “damage” in determining if a cyber operation constitutes an “attack” under IHL. Some countries, such as Denmark, Israel, and Peru, only consider physical damage relevant in this assessment. In contrast, other countries, including Bolivia, Ecuador, France, Germany, Guatemala, Japan, Italy, and New Zealand, take the view that cyber operations can be considered attacks even without causing physical damage if they disable the target’s functionality. The ICRC also takes this broader view, interpreting the notion of “attack” to include a loss of functionality of the targeted system. The ICRC argues that an operation aimed at disabling a computer or network is an attack under IHL, whether it is achieved through kinetic or cyber means.
In light of this continued lack of clarity, it is true that it would be difficult to prosecute a person for a war crime of intentionally directing a cyber “attack” against a hospital.
Attack is not Essential to the Protection of Medical Facilities
While these differences in definition are relevant, I do not think that they necessarily affect the importance of having a digital emblem and its effectiveness. They only look at one part of the legal protection that medical facilities enjoy. In 2018, I tried to address this debate. Inspired by the article “The Geneva Conventions and Cyber-Warfare” written by Iain Sutherland, Konstantinos Xynos, Andrew Jones & Andrew Blyth, I offered my view on a digital emblem. My main argument was, and still is, that because objects that enjoy specific protection under IHL are present on the Internet, connected through a network, and can be affected by cyber operations during armed conflicts, their protection should be highlighted by a digital emblem. Any entity operating in cyberspace – humans, malware, or artificial intelligence systems – should have a clear understanding of what may be lawfully targeted and what may not. As with any other military operation, any cyber operation during armed conflict should respect the IHL principle of distinction and the protection, in particular, of medical facilities.
Is it relevant that States do not agree on a definition of “attack” in the cyber domain when it comes to protecting health-care facilities? In my opinion, no. Article 19 of the First Geneva Convention (GC I) of 1949 establishes that “fixed establishments and mobile medical units of the Medical Service may in no circumstances be attacked, but shall at all times be respected and protected by the Parties to the conflict.” This second part of the sentence is of utmost relevance under the laws of armed conflict. It goes back all the way to the very first article of the first Geneva Convention of 1864.
Although the 1949 Geneva Conventions do not define an “attack” under IHL (and a definition of attack was given “only” in 1977 with Article 49 of Additional Protocol I to the Geneva Conventions), medical units and their personnel have enjoyed legal protection against a wider range of operations since 1864. The establishment of the red cross emblem is an expression of these fundamental protections.
Reducing this protection only to operations that legally qualify as attacks, and flagging that the lack of common ground in defining a cyber attack might undermine a digital emblem, is risky. Under IHL, health-care facilities shall be respected and protected because they are not military objectives and they are mandated to provide medical care for all wounded and sick, irrespective of which party they belong to. Legal experts, including those involved in the Tallinn Manual 2.0 (rule 131), agree that
“the duty to respect is breached by actions that impede or prevent medical or religious personnel, medical units, or medical transports from performing their medical or religious functions, or that otherwise adversely affect the humanitarian functions of medical or religious personnel, units, or transports. It includes, but is not limited to, the prohibition on attacks.”
Likewise, the ICRC Commentaries (para. 1799 on art. 19 GC I) explain that “to respect medical units also means not interfering with their work in order to allow them to continue to treat the wounded and sick in their care.” Thus, while medical facilities are certainly protected against “attacks,” they are also protected against other operations that adversely affect or interfere with their operations.
This means that the lack of a common definition of the notion of cyber attack under IHL does not affect the protection of medical facilities during cyber operations. A digital emblem would not add special protection to certain objects nor extend protection to objects that are not yet covered. It would only highlight the protection of certain objects already protected by IHL. If we consider this approach, a digital emblem would simplify the work of cyber operators and legal advisers, as well as the command and control activities in cyber operations, by providing a clear sign to distinguish military objectives from civilian objects.
Awareness and Understanding of a Digital Emblem
I thoroughly agree with Ohanian that a digital emblem can only be successful if cyber operators — members of the armed forces, intelligence agencies, and various non-state organizations — are aware of what it represents and what they are forbidden from doing when they see such an emblem. This must be covered in military training for (cyber) armed forces, and States are obligated to ensure that all their agents and the populations under their control uphold IHL.
In this sense, disseminating IHL to State armed forces, often with the support of Red Cross and Red Crescent National Societies, can play a crucial role in familiarizing armed forces with the international legal provisions that require belligerents to respect and protect healthcare structures during armed conflict, especially when they show the red cross, red crescent and red crystal emblems, whether physically or digitally. Moreover, for a digital emblem to be effective, abuse must be prevented. This, undoubtedly, will be a significant challenge for States as well as Red Cross and Red Crescent National Societies.
The principle of distinction is a key factor in understanding the rationale behind a digital emblem. It plays a crucial role in ensuring that military operations are directed only against military objectives, and not against civilians and civilian objects, in particular not against medical facilities. By signaling the specific and broad protection that medical facilities enjoy under IHL, a digital emblem would help to ensure that the principles of IHL are upheld in cyber operations during armed conflicts.
Protecting and respecting healthcare facilities in any domain remains imperative for all actors involved in armed conflicts. The cyber domain cannot be an exception. The proposal of a digital emblem would be a concrete step to operationalize in cyberspace one of the oldest rules of the laws of armed conflict, namely that all actors involved in cyber operations have a legal duty not to interfere with medical, and also humanitarian, operations that work to alleviate human suffering.
Adriano Iaria is a Humanitarian Advocacy Officer for the Italian Red Cross.