Statement by Helen Durham on Cyber Operations at the UN Security Council

Excellencies, distinguished members of the Security Council,

The International Committee of the Red Cross would like to thank the Governments of Estonia and the United Kingdom for the invitation to brief members of the Security Council about the ICRC's views on the risks that cyber operations pose to critical infrastructure and civilian populations, and – importantly – on measure to protect civilians against such threats.

At the ICRC, we are monitoring the rapid evolution of information and communication technologies with great interest, but also with concern. Advances in ICTs are essential for economic development, communication, and also to respond to human needs in times of crisis. The ICRC is exploring the use of new technologies:

- To identify missing persons by analysing large amounts of data;
- To provide guidance to medical personnel in remote heath facilities;
- Or to provide a digital space allowing people in humanitarian crisis to store their most important documents.

As a humanitarian organization, we aim to ensure that we do not expose people to additional harm by using digital tools.

At the same time, the ICRC is deeply concerned that the use of ICT technology as a means or method or warfare poses new threats: to civilian infrastructure, to societies, to humans.

I would like to draw your attention to four points in relation to the use of cyber operations during armed conflict.

First: Cyber technologies risk becoming a catalyser for conflict, humanitarian crises and suffering.

Today, an increasing number of States 'are developing ICT capabilities for military purposes' and 'the use of ICTs in future conflicts between States is becoming more likely'. [1] Over the past years, numerous cyber incidents have occurred and affected civilian infrastructure. Often, these incidents occur in contexts of political tension or armed conflict. Experts and world leaders have warned that cyber operations conducted by States risk escalating political crises into wars – and war means destruction, devastation and suffering of civilians.

The ICRC calls upon you – the world's organ responsible for the maintenance of international peace and security – to work together to ensure international law is respected in cyberspace, that ICT technology does not become a driver of conflict, and that if cyber capabilities are used in situations of armed conflict, civilians are protected.

Second: Cyber operations pose a real threat to civilians – globally.

All States have recognized that ICT activity against critical infrastructure has become 'increasingly serious' and their 'human cost [...] could be substantial'. [2] There is a real risk of 'potentially devastating [...] humanitarian consequences' when cyber operations are conducted against critical infrastructure. The ICRC shares this assessment: cyber operations that disrupt medical facilities, that cut energy, or that interrupt or poison water supplies pose a significant risk to civilian populations. [3]

We would like to further draw the Council's attention to a cyber-specific risk with potentially global consequences, namely the use of indiscriminate cyber capabilities.

Cyberspace is inherently interconnected. As a result, there is a real risk that cyber operations cause widespread – and potentially indiscriminate – harm to infrastructure, to societies, and ultimately humans, either intentionally or unintentionally.

Think, for instance, about the use of self-propagating malware. We have seen malware used in countries affected by crises or armed conflict spreading into ICT systems around the world. They caused damage far beyond their original targets.

Similarly, if so-called 'supply chain attacks' are used to infiltrate ICT systems and distribute destructive malware, we can expect widespread impact on civilian ICT systems.

Malware does not stop at borders – if uncontrolled, it risks spreading and causing harm globally.

This brings me to my third point: International humanitarian law imposes limits on the use of any means and methods of warfare, including ICT capabilities.

Over the past century and a half, States have universally agreed a set of fundamental limits on warfare. This includes, among others, the principles of humanity, necessity, proportionality and distinction. Technologies of warfare are changing constantly – but the basic rules remain the same:

- Direct attacks against civilian objects are prohibited;
- Indiscriminate and disproportionate attacks are prohibited;
- Medical services must be respected and protected.

And there are many more.

In situations of armed conflict, these rules apply to the use of any weapon, means and methods of warfare, whether new or old, cyber or kinetic. For instance, they prohibit the use of destructive self-replicating malware or supply chain attacks when amounting to indiscriminate attacks. Recommitting to respect these fundamental limits 'by no means legitimizes or encourages conflict'. [4]

In light of the rapid development of new technologies of warfare, we support States in their endeavour to further study – nationally and internationally – how and when international humanitarian law applies to, and therefore restricts, cyber operations. The ICRC calls on States to interpret – and apply – existing rules in a manner that ensures adequate and sufficient protection for civilians and civilian infrastructure, ICT systems and data in our ever-increasingly digitalized societies.

My fourth and final point: We need concrete steps to protect civilians in times of armed conflict – by building on existing processes and developing new measures where needed.

Militaries often describe cyber capabilities as an additional 'tool' at their disposal. They rarely, if ever, question that ICT capabilities are subject to the same rules as any other means or method of warfare. Military and civilian leaders are responsible for ensuring respect for international humanitarian law, which applies only in situations of armed conflict.

Our research and experience show that implementing IHL, and protecting civilians, requires clear processes. For example,

- Armed forces need instructions on the legal limits of cyber operations in their manuals or regulations;
- Armed forces need cyber-specific targeting processes, which should build on the experience of States gained in kinetic operations;
- States need to review the legality of cyber capabilities they develop or acquire to ensure that they can be used in compliance with existing rules of international law.

Moreover, the particular risks posed by cyber operations also require cyber-specific measures to avoid or minimize civilian harm. This can include careful reconnaissance to avoid harming civilian networks or infrastructure, command and control over cyber capabilities, and technical measures to avoid malware spreading out of control. [5]

Excellencies,

The inter-connected nature of cyberspace poses global threats that may affect us all. It is the responsibility of States – including in the Security Council – to ensure that information and communication technology does not become a driver of conflict. If cyber capabilities are used in situations of armed conflict, civilians must remain protected by the battle-proven rules and principles of international humanitarian law.

Thank you.