Cyber attacks against medical facilities pose a real risk to humans – in times of pandemics, in times of conflict, at all times

Statement on agenda item "Norms, rules, and principles" within the open-ended working group on developments in the field of information and telecommunications in the context of international security

The International Committee of the Red Cross (ICRC) is grateful for the opportunity to address the "Open-ended working group" during this informal virtual meeting.

At the outset, the ICRC would like to express its appreciation for the Chair's work in revising the initial draft report and in facilitating this important process despite the human and technological challenges that the current pandemic poses to all of us.

The ICRC will briefly respond to two questions that the Chair has put to all delegations, namely how the current global pandemic has affected the cyber threat landscape; and how relevant norm proposals could be reflected in the working group's report.

As many delegations, the ICRC is deeply concerned with the potential human cost of cyber attacks against critical infrastructure that provides essential services to populations, in particular the health-care sector. We have voiced this concern repeatedly in the two formal sessions of this working group – and we note that this concern is shared by many delegations.

Since the second formal meeting in February, the risk of malicious cyber operations against critical infrastructure has become even more apparent. During the current pandemic, cyber attacks, or attempted attacks, have affected the medical sector in several States. These attacks have come at a time when medical facilities and staff are under immense pressure and are needed more than ever. Cyber operations that disrupt hospital computers, medical supply chains, or medical devices pose great risk to those seeking medical care – and this can mean all of us, our families, our societies. If hospitals are no longer functioning, live-saving treatment may not be available.

In the ICRC's view, the real threat of cyber attacks as seen during this pandemic must be a wake-up call. The health-care sector is among the most essential services in every State – not only in times of heath crisis but at all times. Moreover, medical needs are particularly acute during armed conflicts. This Open-Ended Working Group is an important opportunity to address this situation. Together with a group of over 40 global leaders, the ICRC's president has called on you, the States, to work together and assert in unequivocal terms: cyber operations against health care facilities are unlawful and unacceptable.

The protection of medical facilities against cyber attacks is a question of international law and of responsible State behavior. In February, the ICRC proposed a norm emphasizing that 'States should not conduct or knowingly support ICT activity that would harm medical services or medical facilities and [States] should take measures to protect medical services from harm'.

Today, we see an even stronger need to ask you to include in the OEWG report clear statements on the normative framework protecting the health-care sector. In the chapter on norms, rules, and principles, the ICRC believes that this could be achieved in at least two ways. For example, delegations could agree on an additional norm that explicitly focuses on the protection of medical facilities and services. Alternatively, delegations could include an elaboration or specification of existing norms, or guidance on their implementation, that stresses that medical facilities and services qualify as 'critical infrastructure' for the purposes of existing norms.

To conclude, the ICRC would like to reemphasize that cyber attacks against medical facilities pose a real risk to humans – in times of pandemics, in times of conflict, at all times. We call on this Working Group to unambiguously assert that responsible State behavior is incompatible with carrying out or supporting such attacks. Carrying out or supporting cyber attacks against medical facilities would also violate international law. The ICRC urges States to consider this point in the Working Group's report and when discussing the international law chapter in the coming months.