Hacking Humanitarians? IHL and the protection of humanitarian organizations against cyber operations

For some years, experts have cautioned that the more humanitarian organizations collect data, the more they ‘are exposed to a growing wave of digital attacks and cyber espionage, and have become highly prized targets’. In late January 2020, the issue made headlines: The New Humanitarian reported a ‘sophisticated’ cyber operation against the UN, including the Office of the High Commissioner for Human Rights. While it remains unclear what type of data was affected, the incident underlines that in today’s world, no organization – national, intergovernmental or humanitarian – can consider itself safe from hostile cyber operations. For humanitarian organizations, like the International Committee of the Red Cross (ICRC), digitalization, strengthening cyber security systems and capabilities, and data protection are priorities (see here, orientation 5). And for a lawyer like myself, it raises the question of what international humanitarian law (IHL) has to say about ‘hacking humanitarians’?

Of course, international humanitarian law (IHL) is only one piece of the puzzle. This post is part of a series of reflections on ‘hacking humanitarians’, which started with a first post on the need for humanitarian cybersecurity strategies. Moreover, relevant legal rules against cyber operations may also derive, for example, from other branches of public international law, including from the UN Charter and the privileges and immunities granted to international organizations (see Scenario 04 of the Cyber Law Toolkit). In this post, however, I will only look at how the IHL framework for the protection of humanitarian operations during armed conflict applies in cyberspace. While there have been calls to update IHL ‘in light of new realities spurred by the digital revolution, such as cyber attacks affecting and targeting INGOs’, little thought has been given to what protection existing rules of IHL provide.

I analyze the issue considering two scenarios, both of which – for the sake of our analysis – occur in the context of an armed conflict and the hackers can be attributed to one of the parties. In scenario 1, the relief operations (meaning, for instance, the provision of humanitarian assistance) of an impartial humanitarian organization are disrupted by a cyber operation, for instance by destroying or disrupting the computer systems used in the organization’s logistics or by disabling an organization’s cash assistance operations program. In scenario 2, attackers attempt to obtain confidential data collected by a humanitarian organization, such as personal data of beneficiaries (e.g., biometrics) or confidential reports on how a party to conflict complies with IHL.

As civilians, humanitarians are protected against cyber operations that amount to ‘attacks’

The first and over-arching consideration applies to both scenarios: IHL protects humanitarian personnel and objects against any form of attack as defined in IHL. Belligerents must at all times distinguish between civilians and combatants and between civilian objects and military objectives. Humanitarian personnel are civilians, and objects used in their operations in favor of victims of armed conflicts are civilian objects: neither may be attacked (see here and here). Under the Rome Statute of the International Criminal Court (Articles 8(b)(iii) and 8(e)(iii)), ‘intentionally directing attacks against personnel, installations, material, units or vehicles involved in a humanitarian assistance’ constitutes a war crime ‘as long as they are entitled to the protection given to civilians or civilian objects under the international law of armed conflict’.

When interpreting the general prohibition against attacks on civilians – including humanitarians – in the cyber context, the devil is in the detail. The scope of protection that IHL provides depends on how essential terms – such as ‘attack’ and ‘civilian object’ – are interpreted. There is little doubt that cyber operations leading to the death or injury of humanitarian staff, or to physical damage of objects used in their operations, amount to prohibited attacks. Thus, operations that destroy the computers – or machines controlled by computers – used in humanitarian logistic centers (scenario 1) are prohibited.

In contrast, IHL rules on the conduct of hostilities are less clear regarding cyber operations that do not cause material damage. Different views exist on whether cyber operations that only disrupt the functionality of computer or communication systems amount to an ‘attack’. Moreover, it remains unclear whether data enjoys the same protection as ‘civilian objects’ (for a variety of views, see Tallinn Manual 2.0, commentary on Rules 92 and 100; for some States’ views, see here and here (p. 290-292); for the ICRC’s position on the notions of ‘attack’ and ‘data’, see here).

In the humanitarian sphere, narrow interpretations of these notions may lead to concrete harm. If the view is taken that data does not enjoy the same protection as a civilian object, at least the rules on the conduct of hostilities protecting civilian objects would not seem to prohibit cyber operations that delete or otherwise destroy data collected by humanitarians (scenario 2). However, such narrow interpretation of the law would be difficult to reconcile with the object and purpose of IHL. As it is prohibited to enter the compound of a humanitarian organization and destroy relevant archives or paper files (which constitute civilian objects), the same protection should also apply if that information is kept in digital form.

In addition to the protection granted to all civilians during armed conflict, humanitarian organizations are also protected by additional, specific IHL rules. These will be discussed in the following.

Disrupting the provision of humanitarian assistance (scenario 1)

IHL treaty law applicable in international armed conflict (Articles 70(4) and 71(2) of Additional Protocol I) and customary IHL applicable in all armed conflicts (see Rule 31 and Rule 32 of the ICRC’s Customary IHL Study) prescribe that humanitarian personnel and relief consignments must be respected and protected. This obligation certainly prohibits any attacks against humanitarian operations. In analogy to the obligation to respect and protect medical personnel and facilities, relevant rules should also be understood as prohibiting ‘other forms of harmful conduct outside the conduct of hostilities’ against humanitarians or undue interference with their work (see ICRC’s 2016 Commentary, paras 1358 and 1799). Moreover, parties to armed conflicts are required to agree, allow and facilitate humanitarian relief operations (see, for instance, article 59 GC IV and article 69–70 AP I, Rule 55 of the ICRC’s Customary IHL Study).

Accordingly, the group of experts that prepared the Tallinn Manual 2.0 identified an IHL rule requiring: ‘Cyber operations shall not be designed or conducted to interfere unduly with impartial efforts to provide humanitarian assistance’ (Rule 145). Such cyber operations are prohibited ‘even if they do not rise to the level of an “attack”’ (para. 4 of the commentary on Rule 80).

With regard to scenario 1, this means that cyber operations disrupting the provision of humanitarian relief would be prohibited regardless of the view one takes on the notion of ‘attack’ under IHL (see above). Under IHL, it is immaterial at which stage of the relief operations the disruption would occur; the prohibition thus also includes the manipulation of computer systems used in the planning of humanitarian relief. These rules prohibit compromising, for example, digital tools used for cash interventions.

The obligation to respect and to protect relief personnel and consignments should also be understood as protecting relevant data.

Spying on, stealing, or manipulating humanitarian data (scenario 2)

Hacking, stealing, or manipulating data collected by humanitarian organizations can put the beneficiaries of humanitarian work at risk; and leaking confidential data can have severe implications for the perception and acceptance of impartial humanitarian organizations. Imagine, for example, if data collected by a humanitarian organization on their beneficiaries is hacked and enables the hacking party to identify and (unlawfully) attack political opponents. The consequences for these persons will be severe; and the trust in humanitarian organizations will diminish. Moreover, anger about such attacks may turn against humanitarians.

IHL does not contain explicit rules on the protection of humanitarian data. However, as pointed out above, IHL protects data against ‘attack’ if data is considered a civilian object and it prohibits manipulating or otherwise compromising data if such operation would interfere with the provision of humanitarian relief. Moreover, there are strong arguments leading to the conclusion that other humanitarian data, including data related to ‘protection activities’, is also protected from undue interference.

First, under IHL, impartial humanitarian organizations have a right to offer their services to parties to armed conflicts. These services are not restricted to the provision of humanitarian assistance but include ‘protection activities’ (for more detail, see the ICRC’s 2016 Commentary, para. 816). Once a humanitarian organization’s offer of services is accepted, the party accepting these services must honor this agreement in good faith – and not undermine the organization’s operations by spying on or manipulating confidential data.

Second, if cyber operations undermine the trust in humanitarian organizations and thereby put humanitarian staff into danger, such operations would violate the obligation of all parties to respect and protect humanitarian relief personnel (Rule 31 of the ICRC’s Customary IHL Study).

Third, certain protection activities enjoy explicit protection. For instance, States have assigned impartial humanitarian organizations, such as the ICRC, specific responsibilities in IHL treaties. In international armed conflict, these include, for example, the establishment of tracing agencies to collect information on persons reported missing in the context of an armed conflict, or the right of the ICRC to visit and interview detainees without witnesses (Article 126 GC III; Article 143 GC IV). States parties to Additional Protocol I have committed to grant the ICRC ‘all facilities within their power so as to enable it to carry out the humanitarian functions assigned to it by the Conventions and this Protocol in order to ensure protection and assistance to the victims of conflicts’ (Article 81 AP I). Misappropriating or tampering with data collected by humanitarian organizations can make it difficult – if not impossible – for humanitarian organizations to perform these functions and would likely violate the mentioned obligations.

Fourth, spying on confidential humanitarian data may also violate specific IHL provisions. For example, in today’s world the obligations under the third and fourth Geneva Conventions to grant the ICRC permission to interview the prisoners of war and civilian internees without witnesses should be understood as also protecting the confidentiality of data and reports resulting from the interview. Any other conclusion would deprive the obligation to allow interviews without witnesses of any meaning.

Conclusion

The “UN hack” has brought to the headlines digital threats to international and humanitarian organizations. In an age of increasing reliance on digital tools to organize relief and protection activities, and at the same time a multiplication of digital threat actors, the risk of cyber attacks is real.  While humanitarian organizations have always operated in dangerous environments and faced various obstacles in their operations, cyberspace adds new ones, such as the anonymity of possible attackers and related impunity if operations cannot be attributed.

For humanitarian organizations operating in armed conflict, IHL provides certain legal protections, which are strongest with regard to humanitarian relief operations. However, further research and discussion among States and other parties to armed conflicts is needed to ensure comprehensive protection of humanitarian organizations in cyberspace (for a first important step on the protection of humanitarian data, see here, para. 11). As agreement on the interpretation of existing norms – let alone the development of new ones – will take time, humanitarian organizations are well-advised to consider carefully their collection and use of data, and to quickly work on concrete steps to ensure operational, technical, and legal protections against digital threats.