Opening an ICRC Delegation for Cyberspace

With humanitarian organizations becoming more active in and reliant upon new technologies and the digital domain, they have evolved from simple bystanders to full-fledged stakeholders in cyberspace. They also become vulnerable to adverse cyberoperations that could impact their capacity to protect and assist people affected by violence or armed conflict whilst having to grapple with digitally-enabled harm to affected populations, whether induced by others or its own practices.

This post explains why the ICRC is opening a Delegation in Luxembourg dedicated to cyberspace and why it is necessary for the ICRC, and the humanitarian sector more broadly, to explore and engage in policy, legal, and technological efforts to prevent and mitigate digitally-enabled harm and to safeguard humanitarian organizations from digital threats. It also emphasizes how the Delegation will be a concrete tool to identify digital challenges and threats while ensuring that innovation supports instead of undermining operations.

The ICRC, and the entire humanitarian sector, has been undergoing a significant digital transformation in recent years, which has created both opportunities and risks. On the one hand, people affected by humanitarian emergencies are increasingly connected, and humanitarian organizations are developing and offering digital humanitarian services, such as digital-identity-based cash programmes, information and connectivity as aid, or platform-based services for people on the move. On the other hand, unauthorized access to or extraction of humanitarian data by malicious actors, to gain operational advantages or for other non-humanitarian purposes, can create significant risks for the dignity and safety of vulnerable people whilst undermining the work of humanitarian actors, by eroding trust in their work, acceptance of their presence, and in some cases their very security.

In the past months, organizations across the Red Cross and Red Crescent Movement and the broader humanitarian sector have also seen their activities severely disrupted by cyber operations. The hack of the Central Tracing Agency, for example, impacted over half a million people’s personal data, further risking endangering many already vulnerable individuals if misused. These incidents, as well as targeted disinformation campaigns against humanitarian organizations, risk eroding the fundamental and necessary trust in impartial humanitarian organizations, potentially jeopardizing access to people in need as well as the security of humanitarian workers.

These cases inscribe in, and are affected by, larger geopolitical and technological trends, such as greater low intensity competition via cyber means. As such, these call upon humanitarian organizations to consider cyberspace as an operational domain with considerable influence on the populations they assist and their operations, but also to further explore, prepare, and address a range of organizational and technical challenges – some of which already laid down in previous articles – to ensure they are able to safely and responsibly navigate the realm of cyberspace.

The impetus behind the Delegation for Cyberspace is grounded in the conviction that the ICRC and the humanitarian sector need to respond to the opportunities and challenges brought by digitalization, notably in conflict settings, and anticipate those that will continue to emerge with its expansion. The ICRC needs to explore new ways to support, enable, and protect its digital footprint, which is made up primarily of the data that affected populations entrust it with. Understanding what adherence to the fundamental principles of neutrality, impartiality, and independence of exclusively humanitarian action means in a digital world, and adapting its operating modalities and technology choices accordingly, is a key component of this. The Delegation for Cyberspace is also investing in key cooperation initiatives to explore and navigate these questions.

Such reflections include asking if, how, when, and with which cyber actors to engage in bilateral confidential dialogue on the negative impact of cyber operations on civilian populations and on humanitarian action? How to avoid creating (new) digital risks of harms? How to transpose the ICRC’s privilege and immunities in the digital space, in particular its ability to ensure continued exclusive control over the humanitarian data it holds and needs to operate? Or how to ensure that its use and reliance on digital technologies do not jeopardize its reputation or the perception of its neutrality, impartiality, and independence in a context of increasing geopolitical tensions and fragmentation?

This is essential for the ICRC to gain and preserve the trust of affected populations as well as interlocutors, to continue to have access to affected areas, also by digital means, to ensure that affected communities access essential humanitarian services, and to ensure the acceptance and safety of its own staff. It is also crucial in order not to lose the trust the ICRC needs to continue its traditional action in the physical world.

Neutral, Independent, and Impartial Humanitarian Action in Cyberspace

We have been highlighting for some time that choices of technology and technology suppliers is sensitive. The tech sector is known to be a (in most cases unwilling, unaware, or unintentional) vehicle for and enabler of surveillance, whether within or outside of applicable legal frameworks. Using a technology known to be under the control, or within easy reach, of a government or non-state actor that has stakes in a conflict has implications for a humanitarian organization’s capacity to operate, to preserve the confidentiality and humanitarian purpose of the data it is entrusted with, and to protect the trust and acceptance of the people it serves and of parties to the conflict it depends on for access and security.

Tech companies are also increasingly perceived as politicized and non-neutral in both their acts and positioning. For instance, some technology companies have had differential content moderation policies concerning violence provocation against certain parties to conflicts – which have, in return, designated the said company as a “terrorist and extremist organization”, exposing their clients and users to criminal charges and severe consequences. Other tech providers have decided to self-exclude their services from certain territories or countries, sometimes stopping sales or software updates to individuals and companies there.

For a neutral, impartial, and independent organization, relying exclusively on commercial digital technologies and infrastructures that are designed, owned, and controlled by non-neutral actors could undermine the perception of their own neutrality, and ultimately impact their operations. Moreover, if these same technologies and infrastructures are used by governments or government-related entities that are the target of cyber operations, during or outside of conflict, could lead to the ICRC being ‘caught in cross fire’.

In this sense, the Delegation will also explore possible comparisons between the security implications of ‘digital proximity’ with targets with ‘physical proximity’ with targets. Is using the same technology infrastructure of (whether legitimate or not) targets of cyber operations similar to having physical proximity to a military installation for an ICRC office? What alternatives might there be?

The initiative starts from a pragmatic understanding that, in today’s interconnected world, and in the current status quo vis-à-vis supply chains, compromises need to be made. A radical re-think of current set-ups would be costly and unrealistic. The objective, however, is to look at the longer term, take stock of the current direction of technology offering driven by the tech sector, on the one hand, and, on the other hand, the key principles that enable humanitarian organizations to work. On the basis of this understanding, the objective is to then map areas where technology offering is driving in a different direction from where the humanitarian sector will need to be in the longer term to be able to operate, to experiment and test around possible alternatives for the longer term, and to help the humanitarian sector take the informed strategic decisions for the future.

Why a Delegation, and why in Luxembourg?

A delegation is an official representation of the ICRC in a specific country. The choice to align the ICRC entity that interfaces with cyberspace with this organizational structure capitalizes on known concepts with which the institution and external stakeholders can easily connect. It also reflects the ICRC’s approach to cyberspace: Cyberspace, in this sense, is not (just) an area in relation to which the ICRC is an observer analyzing the conduct of others in cyberspace as if the organization had no direct stakes. The ICRC is a stakeholder in cyberspace. As it increases its digital footprint this will increasingly be the case, and the organization will increasingly be affected by power dynamics that are unfolding in that space.

Luxembourg has been exploring the geopolitical dimensions of being a ‘cyber host State’ for some time, with the development of purpose-built infrastructure, that the government made available to host third countries and International Organizations under diplomatic-type arrangements. Without precluding further similar initiatives in other countries in the future, the interest and support for the responsible embracing of technology in the humanitarian sector provide important conditions for an exploratory project of this type.

What will the Delegation Actually Do?

Somewhat unlike a classic delegation, the Delegation for Cyberspace has primarily an exploratory and pilot role: its key objective is to serve as a safe space to test and prepare the ground for the support, protection, and deployment of digital services to affected communities on a global scale.

Considering the complexity and novelty of the above objectives, as well as the potentially wide-ranging implications of ‘getting it wrong’, the objective is to further explore and understand what neutrality, impartiality, and independence mean in a digital context, and if and how this connects with ongoing debates on ‘digital sovereignty’. It involves creating a neutral, impartial, independent and exclusively humanitarian (or ‘sovereign’) and secure testing ground where the ICRC can carry out Research and Development (R&D) – for instance on a ‘digital emblem’ – and in which it can safely engage in necessary operational dialogue and debates without the risks attached to ‘real’ operational contexts.

Technological Priorities for a Humanitarian Prerogative

The Delegation aims to conceptualize, design, and set up the safe, neutral, impartial, and independent infrastructure that we will serve as a testing ground for various R&D initiatives. This will include, for example, integrating an important R&D project developed at the Zurich Polytechnic (ETHZ) aiming at more deliberate, efficient, secure, and traffic routing on the internet through a protocol known as ‘SCION’ with the aim of ensuring that neutrality, impartiality, independence, and exclusively humanitarian use of data are enabled when routing of data. It will also look into “Free and Open Source Software” (FOSS) to enhance its operational autonomy and independence.

The Delegation will also focus on accelerating progress on pressing issues, such as the development and testing of biometric technology that addresses the challenges and risks for affected persons, identified in the ICRC biometric policy and to ensure that they can be used in a responsible manner.

Finally, the Delegation will also seek to create and maintain opportunities for the upskilling of the humanitarian sector, offering relevant trainings to better familiarize with the complexities and realities of this operational space and make sure humanitarians can integrate its specificities in their reflections and operations.

With the setting up of its Delegation for Cyberspace, the ICRC wants to open a space for further dialogue and collaboration with any interested and pertinent digital stakeholders.