Protecting Civilians against Digital Threats ICRC’s Humanitarian Cyber Diplomacy in the “EU Bubble”
The surge of cyber and information operations in armed conflicts is not new. Yet, the use of digital tools in warfare poses increasing challenges, including the risk of disrupting essential services such as medical, electrical, water and sanitation facilities. As the guardian of IHL, the ICRC uses its expertise to promote the protection of civilians against digital threats.
On 17 January, Belgium, as President of the Council of the European Union (EU) and the European External Action Service (EEAS) hosted a meeting bringing together EU Cyber Ambassadors and Commanders.
Bringing together States, humanitarian organizations and experts is one of the key recommendations of the ICRC Global Advisory Board on Protecting Civilians against Digital Threats in Armed Conflict. We welcome the interest of Belgium and the EEAS, and we encourage them to continue developing this IHL reflex when it comes to discussions on cyber
Increased civilian participation in digital operations
During the discussion, Tilman Rodenhäuser, the ICRC's legal expert on cyber, addressed concerns and recommendations related to the growing civilian involvement in the digital battlefield. This dangerous trend poses multiple risks as it blurs the principle of distinction, a core tenet of IHL requiring a clear line between civilians and combatants, with only the latter being lawful targets.
Hacktivists, cyber security professionals and hackers conducting cyber operations in ongoing armed conflicts must comply with international legal limits, including the limits imposed by IHL.
Suppose you are a civilian conducting a cyber operation. In that case, it is likely you never heard of IHL before and have no idea about your obligations and the dangers you face.
Civilians actively participating in hostilities, even via digital operations in armed conflicts, are required to apply IHL and are prohibited from targeting civilian objects or disrupting essential services like hospitals and banks.
They also risk losing their protection from attacks when they "take a direct part in hostilities" and become temporarily lawful targets. This also increases the risks of being incidentally harmed for civilians and civilian objects located near those participating in the hostilities.
Avenues to mitigate harm
Eight golden rules for hackers
In response to the rise of civilian hackers' activities in armed conflict, the ICRC published "Eight rules for civilian hackers during war, and four obligations for States to restrain them" in October 2023. This initiative lists existing IHL rules and reflects concisely the principles of distinction and precaution. It also stresses the specific protection IHL provides for medical personnel and facilities and humanitarian personnel and objects, objects indispensable to the survival of the civilian population, release of dangerous forces, and the prohibitions to spread terror among the civilian population or to incite violations of IHL. Finally, it recalls the important rule of non-reciprocity in IHL.
The reactions of civilian hackers to this work varied, with recently some positive signs coming from a group announcing that they abided by the rules in a recent operation.
In parallel, the ICRC's Global Advisory Board (GAB) on Digital Threats during Armed Conflict issued 25 recommendations to Belligerents, States, Humanitarian Organizations and Tech companies to protect civilians against digital threats.
When it comes to the participation of civilians in digital operations, the ICRC – in consensus with high-level leaders and legal, technical, policy and security experts – argues that civilians should not be encouraged to take a direct part in hostilities through digital means. Clear warnings should be provided to civilians about the risk of losing protection against attack and advice on practical measures civilians may take to protect themselves.
Drawing on the common obligation for all States to respect and ensure respect for IHL, the GAB recommends raising awareness of legal rules not only towards civilian individuals but also concretely towards tech companies. In addition, it is recommended to regulate the market of tech companies developing tools – such as digital apps – with potentially harmful objectives.
What can the EU and its Member States do?
The EU has developed a Cyber Diplomacy Toolbox and recently revised its Implementing Guidelines. This makes the EU – and its 27 Member States - relevant actors in global discussions on Cyber Diplomacy and a key target of the ICRC humanitarian diplomacy. The Toolbox ensures a joint EU diplomatic response to malicious cyber activities within the EU's Common Foreign and Security Policy (CFSP) aimed at preventing conflict, mitigating cybersecurity threats, and ensuring greater stability in international relations.
Among various commitments, it underlined the EU's dedication to supporting measures that advocate for responsible State behavior in cyberspace and regional confidence-building measures to reduce the risk of conflicts stemming from the use of ICT technologies. Ongoing workstreams on cyber issues span EU policy, legal and defence domains, as outlined in the recent EU cyber defence policy. In further developing and implementing the different initiatives, the EU's strength in unifying 27 Member States is important as it can provide the capacity and tools necessary to respect and ensure respect with IHL and to protect civilians against digital threats.
The EU has been consistent in a number of its communications and conclusions, for instance, in the EU cyber posture and the earlier mentioned EU cyber defence policy , in "reaffirming the application of international law, including International Human Rights Law and International Humanitarian Law, to States' actions in cyberspace".
In this sense, Member States are encouraged to keep developing an IHLreflex when it comes to cyber defence discussions and specifically are recommended to build resilience against digital disruption by strengthening cyber security. As different EU initiatives, such as the EU Cyber Solidarity Act and the Cyber Resilience Act, are underway, the ICRC urges states to interpret and apply existing rules of IHL to ensure adequate and sufficient protection for civilians, civilian infrastructure, and civilian data. To further this work, we published four short papers to guide the ongoing debates on "when and how IHL applies to the use of information and communications technologies by States".
Our @TRodenhaeuser is in #Brussels to discuss how States can ensure respect for #IHL in the digital domain and protect civilians from digital threats.— ICRC Brussels (@ICRC_bxl) January 19, 2024
Learn more 🔽 https://t.co/tmIxqaavLr
PS. Did you know we even have 8 golden rules for hackers? 💻 https://t.co/ayoh3uT9Xw pic.twitter.com/LWsYnWJ2zr