Cyber attacks are a known threat: Now is the time for preventive action

Statement to Arria Formula Meeting on Cyber Attacks Against Critical Infrastructure

26 August 2020

Thanks to the Government of Indonesia – and especially to Ambassador Djani – for the invitation to address you today.

When the ICRC is invited to speak with the Security Council, I normally report on the plight of civilians in the most acute humanitarian crises. Today is different. I am addressing the real and growing threat posed by cyber attacks against critical civilian infrastructure, and I call on you to prevent what some experts consider a 'humanitarian crisis in the making'.

Over the past years, cyber operations against critical infrastructure have caused significant economic harm, disruption in societies, and tension among States.

While the ICRC cannot confirm any cyber operations with human casualties, we are increasingly concerned about the destructive effects of cyber operations, such as:

  • Electricity supplies and water systems cut off in war-affected countries;
  • Hospitals services halted in the middle of a global pandemic;
  • An attempted attack against a petrochemical plant; and
  • Especially alarmingly, cyber attacks against nuclear facilities.

Among the countless malicious cyber operations that are reported daily, cyber attacks against critical civilian infrastructure stand out due to the significant risk they pose to human life.

If hospitals cannot provide life-saving treatment in the middle of a health crisis or an armed conflict, whole communities will suffer. If electricity supply is interrupted, there is a real risk that water, health care, and other essential services will be disrupted. And if even nuclear facilities are not considered off limits, we risk seeing severe and widespread humanitarian consequences.

Excellencies,

The frequency of sophisticated cyber attacks against critical civilian infrastructure is increasing and evolving faster than anticipated only a few years ago. While most operations have been conducted without an apparent link to conflict, we are concerned that cyber capabilities used in future conflicts will cause graver consequences, in particular for civilians.

The use of cyber operations during conflict is no longer a hypothetical scenario.

Over the past years, several States have stated publicly that they used cyber operations in military operations. As an increasing number of States are developing military cyber capabilities, the ICRC expects that their use is likely to also increase in future conflicts.

The ICRC welcomes the Security Council's increasing engagement on the topic of harmful cyber operations – alongside the important discussions in the two General Assembly-mandated processes. Ensuring the maintenance of international peace and security in a digitalizing world – and protecting civilians from harm during conflict – is a pressing task that States must address now. It is not too late to take effective preventive measures.

Preventive measures are needed on several levels.

To start, averting human harm caused by cyber operations needs a strong legal framework. The ICRC has called on States to reaffirm and clarify the legal framework that protects critical civilian infrastructure against cyber operations, in particular during conflict.

In May this year, I joined a group of global leaders to call on all governments to work together and assert in unequivocal terms: cyber operations against health-care facilities are unlawful and unacceptable – in times of crisis, in times of conflict, at all times. This public call responded to an increase in cyber operations against medical facilities during the COVID-19 pandemic.

Beyond health systems, there is a need for greater clarity on the legal framework governing cyber operations against critical civilian infrastructure – water and sanitation systems, electricity supply, installations containing dangerous forces.

This concern is especially acute in times of conflict:

International humanitarian law restricts all means and methods of warfare, be they new or old, cyber or traditional. Its core rules are concrete, practical, and well-established. There should not be any doubt on the prohibition to attack civilian infrastructure, to attack medical facilities, during conflict, whether through bombs or cyber means.

The ICRC calls on all States to protect civilians and civilian infrastructure against the effects of cyber operations during conflict, in accordance with international humanitarian law.

The ICRC also emphasizes that the rules of the UN Charter on the prohibition of the use of force, and on the maintenance of peace and security are of utmost importance in cyberspace. However, in the event of war IHL is effectively the last layer of legal protection for victims of conflicts. Its applicability is also without prejudice to the question of whether additional rules or legal instruments are required to govern cyberspace.

Excellencies,

Even a strong legal framework is not by itself sufficient to effectively shield civilians and civilian infrastructure from hostile cyber operations. Confidence-building measures, capacity building efforts, and a broad range of technical and operational measures are needed. No State can succeed in this alone. Instead, broad collaboration among States, as well as between States, the private sector, and academia is essential. Private companies and academia drive innovation in cyberspace – they have valuable perspectives to contribute.

As the President of a humanitarian organization whose work is critical to millions of victims of conflict around the world, I am acutely aware of the challenges in managing a safe digital transformation. At the ICRC, we strive to use new technologies to work more effectively and to deliver improved services for affected community members. However, we are aware that even humanitarian organizations are not spared from malicious cyber operations. In addition, we are acutely aware of the critical need to protect data in order to maintain the trust of affected communities in neutral, impartial and independent humanitarian action.

Our teams work tirelessly to ensure the safety of our digital infrastructure, to protect us and communities affected by conflict that benefit from the ICRC's work. We train our staff on cyber security. We also aim to build partnerships across sectors to develop innovative solutions to strengthen our data and operational security. To respond to humanitarian needs in 2020, the ICRC needs a safe and trusted 'digital humanitarian space' in which our operational information, and most importantly the data collected from individuals, is secure.

In response to the rapid pace of technological change, the opportunities this brings for humanitarian organisations and the acute data protection challenges facing the sector, the ICRC with the Brussels Privacy Hub, has just released the second edition of its Data Protection Handbook. Developed together with humanitarian organisations, data protection authorities, academia, civil society and the tech sector, the Handbook provides key guidance on the interpretation of core data protection principles in humanitarian action. The Handbook is already widely used in the humanitarian sector and we trust States will find its guidance equally valuable.

To conclude, the ICRC congratulates Indonesia and its co-sponsors for continuing the important discussion on harmful cyber operations with the Security Council. The ICRC encourages all member States to act on the legal, policy, and operational level to prevent cyber operations from causing harm to critical civilian infrastructure. Cyber attacks are a known threat: now is the time for preventive action.