Jun 20 2019

The Human Cost of Illicit Cyber Operations

Hostile cyber operations continue to cost governments and private organizations billions in lost, recovery efforts, and require additional investments in cyber security. All too often, this financial impact is the sole concern and primary headline in the news. However, the aftermath of these illicit operations frequently goes beyond monetary loss, disrupting the delivery of essential services to the population and causing physical effects.

To date, there have been no reports of a cyber attack having caused death. An age where that is no longer a fact is likely right around the corner. Frankly, it seems only by sheer luck that we’ve avoided this reality to this point. Take for example, the prolific WannaCry ransomware attack in May 2017. The malware affected more than 200,000 computers across 150 countries. Of the affected organizations, the National Health Service (NHS) in England and Scotland was one of the hardest hit. The delivery of essential medical services was directly affected.

In November 2018, the International Committee of the Red Cross (ICRC) convened a panel of scientific and cyber security experts in order to develop a realistic assessment of cyber capabilities and their potential human cost. The overall goal was “the analysis of the technical possibility of…cyber operations” causing “death, injury, physical damage”, or affecting “the delivery of essential services to the population or the core internet services.”

Now, six months later, the 80-page report on the humanitarian consequences of cyber operations, addressing technical, policy, and international implications, is available to the public. You can read it here: The potential human cost of cyber operations

The experts focused four areas of concern: infrastructure vulnerabilities, the potential for overreaction post- hostile cyber operations, cyber tool proliferation, and attack attribution for the purpose of applying international law. The result is an “evidence-based understanding of the risks of cyber attacks for the civilian population”.

The panel concluded that cyber operations against critical infrastructure are increasing, with healthcare, nuclear plants, electrical grids, biomedical devices, and core Internet services at risk. They also concluded that the “increased ‘attack surface’” of these essential delivery mechanisms “has not been matched by a corresponding improvement in cybersecurity” – a sobering thought. Moreover, the proliferation of tools used to carry out such attacks is difficult to control and, despite improvements in digital and network forensics, attribution remains difficult and unreliable.

That said, the report should not be seen as all doom and gloom. It reaffirms the application of International Humanitarian Law to cyber operations. Simply, “any State that chooses to develop or use cyber military capabilities for either defensive or offensive purposes must ensure that these capabilities do not violate IHL”. Furthermore, actionable, realistic recommendations pervade.

So, what do the ICRC and expert panel see as the way forward?

First, rules and norms that apply specifically in cyber space must be adopted through a new international treaty or become customary international law so that all entities have a standard to adhere to. An international agreement would include prohibitions against attacking civilian infrastructure, Internet core and other systems, electoral processes, and other services whose disruption could have global effects. The militarization of cyber space must be prevented. Self-spreading malware is made expressly illegal. Finally, technical developments, such as digital watermarks that identify protected systems and the segregation of military and civilian networks, are essential to ensuring adherence to the aforementioned.

The fact is that cyber warfare, unlike its kinetic cousin, is a still a very grey area. States exhibit difficulty in developing an agreeable definition of an ‘attack’. Few, if any, States review the legality of their cyber capabilities, and confusion exists as to which objects, forming part of the cyberspace infrastructure, constitute military objectives and would not be protected against attack – like certain power grids.

I applaud the ICRC’s commitment to exploring this difficult issue and inviting great scientific and cybersecurity minds to the table. It is difficult to think of a more important conversation to have concerning our cyber future as we, at break neck speed, continue to connect everything but the kitchen sink…
Image courtesy of Delta Faucet Company