Defending the Health Sector: How Cyber Operations Transgress International Laws and Norms


As cyber operations against healthcare providers and emergency responders increase during the COVID-19 pandemic, it is critical to consider all possible avenues for stemming these attacks and their effects.  The first two CyberPeace Labs examined the nexus between the COVID-19 Infodemic and cyberattacks, including the technical elements of the attacks and effective responses, the third lab considered at the legal and normative side of these attacks. Moderator: Duncan Hollis, Professor of Law at Temple Law School. Experts: Jan Neutze, Senior Director of Digital Diplomacy, Head of the Cybersecurity and Democracy Team, Microsoft; Marietje Schaake, President of the CyberPeace Institute; Michael Schmitt, Professor of International Law at University of Reading; and Tilman Rodenhäuser, Legal Advisor at the International Committee of the Red Cross.

CyberPeace Lab Highlights

1)    COVID-19 is creating new opportunities for people who want to do harm through cyber operations, including by attacking healthcare providers and facilities. Participants identified five key types of attacks against the healthcare sector in the current context: attacks on hospitals, attacks on research and development facilities, attacks on the WHO itself, attacks targeting government agencies, and attacks where cybercriminals posed as the WHO in phishing campaigns.

2)    These attacks affect real people across the globe: patients, doctors, and medical staff on the front lines of the pandemic. Jan Neutze, Senior Director, Digital Diplomacy, Microsoft, stated that Microsoft has identified COVID-19-related cyberattacks in every country in the world, highlighting the truly global scope of the issue. While the impact is widespread, the panel also highlighted that this is not the first time cyber operations have targeted or significantly impacted medical facilities, citing the WannaCry attacks as one key example.

3)    Accountability, including consequences, for the perpetrators of these attacks is critical. Marietje Schaake, President, CyberPeace Institute, noted the importance of creating more understanding and clarity about how these attacks are carried out in order to support a more informed political debate about accountability and consequences, as well as to better empower people to protect themselves.

4)    Existing laws include a range of protections for the healthcare sector, but there are outstanding questions about the scope and applicability of these protections. Some of the most robust, well-established protections for hospitals and medical personnel are grounded in international humanitarian law (IHL). But these protections are only relevant in areas experiencing armed conflict, noted Tilman Rodenhäuser, representing the International Committee of the Red Cross (ICRC). Outside of conflict zones, domestic or general international law may also apply. But in each case, explained Michael Schmitt, Professor of International Law at the University of Reading, important factual and interpretive questions also arise.

5)    The role of non-binding norms in this context presents several important considerations. Rodenhäuser raised the point that non-binding norms – such as the one proposed by ICRC to protect medical facilities – may be less politically contentious and, therefore, can be adopted more quickly than law. This rapid adoption may be valuable in light of the speed of change in cyberspace. In addition, norms can serve as a key step towards creating international accountability, noted Schaake, particularly in the absence of more solidified political will. Moreover, the inclusion of non-state actors such as civil society organizations and the private sector in norms discussions will help to address the current misalignment between distribution of power and accountability measures.

“Digitization has seen a huge redistribution of power that has not been met with a similarly redistributed oversight and accountability mechanism.” – Marietje Schaake

While norms may serve as an important complement to legal obligations, there is also a risk that restating established law as voluntary norms may undermine existing protections, warned Schmitt. In addition, the fact that norms may be adopted faster is counterbalanced by the fact that they don’t have specific remedies and trigger no consequences beyond simple acts of retorsion (e.g., expulsion of diplomats). What’s more, the ability to opt for norms may allow states to avoid the more difficult work of coming together to discuss serious issues related to the interpretation (and consequences for violation) of international law. 

6)    To improve the current situation, the international community should focus on galvanizing the political will to operationalize and enforce existing international law. Schaake stated that it’s most important to focus on existing international law, where there is room for better application and opportunities to build coalitions. She warned to be cautious when pushing for new rules; because the global balance of power is not in favor of democracy, a new structure may be shaped in the image of authoritarian regimes. 

7)    Whether new legal instruments are needed to improve the current situation depends on the interpretation and application of existing law. In considering whether new legal instruments are required to improve the current situation, panelists noted that states need to articulate their views regarding existing law in order to move forward. One view is that existing law is sufficient to address current challenges but that a restatement or further codification of these rules may be a useful exercise and increase accountability. 

In order to provide such a codification of existing law, states must clearly articulate their interpretations of the law. Similarly, this clear articulation of state views would also be needed in order to determine the gaps that a new legal instrument may address.

8)    Aligning standards and operational norms with legal protections is also critical. Schaake urged that it is not enough to look at legal protections; we also need to consider and align technical standards and norms. For example, if operational and technical standards for medical equipment are not up to date, then hospitals will import weaknesses through their procurement. 

9)    In order to operationalize international law and norms, the community must embrace multi-stakeholderism, deepen existing capacity building efforts and ground discussions in evidence, specificity and the human impact. In considering how best to operationalize laws and norms, panelists called for more effective multi-stakeholderism and support for capacity building. Neutze urged the international community to be more effective in bringing together both states and private sector in order to leverage the true power of multi-stakeholderism. Schmitt also echoed support for a multistakeholder approach, stating that participation from the private sector, including Microsoft’s call for a Digital Geneva Convention, has served to accelerate important conversations in a positive way. 

Both Schmitt and Rodenhäuser also emphasized that capacity building regarding knowledge of laws and norms is key to their operationalization and enforcement. Increasing knowledge about laws and norms can support better alignment with culture and values which further strengthens their observance and can help to set up a constructive dialogue when norms are violated. In addition, Neutze called for support of existing capacity building efforts like the Global Forum for Cyber Expertise (GFCE) and the need to focus on increasing impact rather than creating new initiatives.

“On the capacity building side, I think it’s really important to make sure that we really start to double-down on some of the things that have already been developed rather than consistently and constantly inventing new things…Figuring out how we bring more impact to those initiatives – be it through private sector commitments, governments or civil society expertise – I think is what we need to pursue.” – Jan Neutze   

Greater specificity in discussions about cyber law and norms is also needed. In particular, Schmitt stated that discussions among states and non-state actors need to be more granular in order to lead to meaningful action, identifying specific rules of international law when calling out violations.

“The discussions among states and non-state actors need to become more granular.” – Mike Schmitt

Schaake emphasized that cyber space is a human space, and requires a refocus towards the victims in order to take the debate out of the exclusive realm of policymakers and tech experts. A robust accountability framework will ground discussions in evidence and can support greater pressure for compliance and consequences for violations.

Next Story CyberPeace Lab: Protecting the Health Sector against Cyberattacks