Cyber Operations Against Medical Facilities During Peacetime
Many legal questions arose after the recent cyber operations against the health sector throughout the world, but there is still little legal conversation at the international level on how to approach these malicious acts that often have dire consequences.
Published by The Lawfare Institute
Editor’s Note: This article does not reflect the views of the American Society of International Law or its members.
In the face of the coronavirus pandemic, governments around the world have tried to compensate for insufficient hospital beds and intensive care units by nationalizing private medical facilities and relying on military hospital ships and improvised field hospitals. At a time when overcrowded medical and testing facilities struggle with supply shortages and a huge influx of patients, hacker groups have exploited their inattention to cybersecurity. During the current crisis, cyberattacks are proliferating in the United States and across the globe, the most serious being reported in the Czech Republic, Spain and France. These operations were intended to disable health services—as well as research and testing facilities—by crippling the computers and networks of healthcare providers, delaying medical procedures and accessing personal data. These aims were visible in the attacks against the Czech University Hospital Brno, the U.S. Department of Health and Human Services and the World Health Organization.
At this stage, no formal public attribution has been made for any of these attacks. Though some of the recent cyber actions may be governed by the domestic laws of the target states, in this post I examine only cross-border malicious acts against medical facilities and the applicable international law instruments. Rather than examining cyberattacks on medical facilities during wartime and the attendant international humanitarian law provisions, I focus on the legal consequences of operations against U.S. and European hospitals during the current pandemic.
Applicable International Law
The recent cross-border cyber intrusions raise various questions on the international landscape. What international legal provision is triggered if a person loses his or her life as a consequence of a cyber operation that shuts down ventilators? What sanctions regime is applicable? Can such a cyber operation be qualified as an attack under jus ad bellum?
While international humanitarian law provides comprehensive protections for medical facilities and personnel during armed conflicts, international law safeguards appear more limited during peacetime. Experts have highlighted the importance of general rules and principles in addressing cyber intrusions against foreign states’ health infrastructure, in particular the general prohibition of the use of force, the principle of sovereignty and the principle of nonintervention.
The general prohibition of the use of force in Article 2(4) of the U.N. Charter is widely regarded as including state-sponsored cyber operations that amount to a use of force. Most states, like the International Court of Justice (ICJ), regard the threshold for a use of force as lower than that required for an armed attack. The U.S. takes a different view, namely that the armed attack threshold is the same as that for the use of force (U.S. Department of Defense, Law of War Manual, para. 16.3.3.1). Determining whether a cyber operation reaches the level of an armed attack under jus ad bellum is challenging in practice but essential, as an armed attack is the sine qua non of the right to act in self-defense.
International law is clearer when cyber operations reach the threshold of an armed attack. While I do not intend to cover acts that rise above this level, the core principles of attribution are broadly similar. In general, the cyber acts of private actors are attributable to states only if those actors qualify as state organs or are lawfully empowered to exercise governmental authority. To date, three main types of state-proxy relationship have been identified: delegation, orchestration and sanctioning, that is, approving or permitting (Maurer, p. 152). Article 8 of the International Law Commission’s Draft Articles on Responsibility of States for Internationally Wrongful Acts (Draft Articles) treats the conduct of persons or entities acting on the instructions of, or under the direction or control of, a state as the conduct of that state. The Tallinn Manual 2.0, which also relies on the Draft Articles, takes the same approach. Because direction or control is the determining element in assessing the wrongfulness of state action and state accountability, the ICJ adopted an “effective control” test for a state’s relationship with non-state actors.
Attribution is crucial for establishing state accountability for conduct that affects other sovereign nations. If the attribution test is too narrow, a targeted state has limited or nonexistent remedies even where a state clearly violates international law. Such a test would hamper deterrence, send a message of impunity and encourage targets to use proxies and become attackers themselves. A test so broad that it would hold a state accountable for any attack that used a network within its jurisdiction is equally unreasonable.
Often articulated as a vague principle, the principle of sovereignty is violated when external actors interfere in the domestic structures of another state. To date, no international tribunal has equated a physical violation of a state’s territory with a violation by cyber means. The Tallinn Manual 2.0 affirms the general application of sovereignty to cyberspace, including the exercise of internal and external sovereignty over cyber activity, actors and infrastructure located on a state’s territory. The authors of the Manual unanimously view state-sponsored cyber operations involving a physical intrusion into another state as violations of sovereignty, but they were divided on remote operations, in particular those that cause only a loss of functionality without physical damage.
Due diligence derives from the principle of sovereign equality and translates into the duty of a state “not to allow knowingly its territory to be used for acts contrary to the rights of other States.” In cyberspace, this reflects states’ exclusive legal authority over their cyber infrastructure and the activity associated with it, as well as jurisdiction over the persons engaged in cyber activity. Due diligence may offer cyber victims a route to legal recourse if states fail to ensure that their infrastructure is not used to harm the sovereignty of other states. Although it is an obligation of conduct rather than of result, a failure to exercise preventive cyber diligence could constitute an internationally wrongful act; there is, however, no consensus on the content of the due diligence obligation or on the scope of the preventive measures it requires.
From Westphalian sovereignty, which implies binding rules of conduct between states, derive the principle of nonintervention and respect for territorial integrity. The U.N. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security has confirmed that international law applies to the information and communications technology environment, including the principle of state sovereignty and the principles that derive from it, such as protection against foreign intervention.
Under the Obama administration, the Department of Defense expressed discontent with the concept of nonintervention in the Tallinn Manual 2.0 and with the categorical treatment of violations of sovereignty as internationally wrongful acts, a position it reiterated under the Trump administration in early 2020. In a 2019 report, Chatham House proposed a way to deconflict contradictory state views on the enforceable and binding nature of the principle of sovereignty in international law by identifying the overlap between violations of sovereignty and prohibited intervention. The report argues that the customary international law prohibition on intervention is more crystallized than the vague principle of sovereignty, and that the main difference between a breach of the nonintervention prohibition and other breaches of sovereignty is the element of coercion. Verifying whether conduct is coercive in relation to the sovereign functions of another state may also clarify the scope of nonintervention. There are, however, situations in which low-scale cyber operations involve no coercive behavior (as understood in ICJ case law) but are still unlawful.
Which international principle is therefore applicable to a cyber operation on a medical facility during peacetime?
Many scholars have tried to identify the conditions under which a cyber operation qualifies as an armed attack. The Tallinn Manual includes acts that injure or kill persons or physically damage or destroy objects within the broad concept of use of force. This interpretation would cover cyber operations that result in deaths by deactivating ventilators and other life-support equipment. A contrario, the prohibition of the use of force would not apply to less serious cyber intrusions against medical or testing facilities with less severe consequences, like the March 13 attack against a hospital and an associated testing facility in the Czech Republic. Recent reports and Interpol warnings show a surge in low-level cyber operations during the ongoing pandemic against hospitals, clinics and pharmaceutical companies, which mostly consist of spreading false information about cures, prevention measures and stocks of medical supplies.
In an analysis of the contextual determination of necessity and essentiality under the law of state responsibility, the director of the Tallinn Manual project examined the seriousness of cyber operations against medical infrastructure. In his view, the gravity of these operations depends on whether alternative systems ensure the continuation of medical treatment, and on whether the medical infrastructure is “essential” in the specific context. The U.K. endorses applying the principle of nonintervention to cyber actions against “essential medical services.” In most views, a cyber intrusion against an ordinary hospital, patient database or laboratory would not affect national care in ordinary times. Given the shortages and the repurposing of medical infrastructure during the current crisis, however, the threshold for “essential character” would likely shift. While an infectious disease hospital and a coronavirus testing facility can be expected to count as indispensable medical services during the ongoing pandemic, the legal effects of deaths occurring as indirect consequences of cyber intrusions remain unresolved.
The attempted attack against the Paris Hospital Authority, the largest hospital network in Europe, was aimed at overwhelming hospital computers and disabling health services, research and testing. Delaying treatment for serious conditions or redirecting patients to another hospital can significantly reduce their chances of survival. A similar effect can follow from mismatched or deleted laboratory results or postponed surgeries, as happened after the attack in the Czech Republic. While the link between cyberattacks and human deaths in peacetime is new territory for legal scholars, recent studies show increased mortality for up to three years following cyberattacks against hospitals.
According to the Tallinn Manual 2.0, internal sovereignty—namely the exclusive authority to govern a given territory—is breached if foreign operations compromise “data or services that are necessary for the exercise of inherently governmental functions.” The Manual adds that it is irrelevant whether this function “is performed by the State itself or has been privatized.” Therefore, states should use their prerogatives to respond to cyber intrusions regardless of whether the victims are public hospitals, private hospitals or private hospitals nationalized under a state of emergency.
State Responsibility and State Liability
The law of state responsibility addresses accountability for internationally wrongful acts. In the case of a cyber operation against medical infrastructure, the appropriate assurances and guarantees of non-repetition provided for in the Draft Articles are not very reassuring. If the internationally wrongful act has caused material or moral damage, however, the responsible state must make full reparation for the injury, in the form of restitution, compensation and satisfaction (Draft Articles, arts. 31, 34). Although the majority view is that the Draft Articles apply to the cyber domain, some scholars argue that the law of state responsibility developed for kinetic acts is inadequate to address state responsibility for cyber operations.
A relevant point is that the Draft Articles apply only to unlawful and attributable state actions, while the harmful consequences of lawful activities remain uncovered. To fill this gap, a new category of “cybertorts” has been proposed, highlighting the complementary relationship between the law of state responsibility and a principle of state liability for transnational harms. For example, in the majority view an act of cyber espionage against medical facilities would not per se violate a state’s international obligations, but the harm that results from disclosing medical data, patient data or test results could constitute an internationally wrongful act and trigger the law of state responsibility (Crootof, p. 600).
Possible Consequences and Responses
The U.S. Defense Department, as early as 1999, argued that if an unauthorized computer intrusion can be attributed to agents of another state, the victim nation should “at least have the right to protest, probably with some confidence of obtaining a sympathetic hearing in the world community.”
If a cyber act cannot be attributed to a state and no violation of international law can be demonstrated, the target state can resort to three types of reaction. First, it can use mechanisms for international cooperation (such as constructive dialogue), traditional methods for the peaceful settlement of disputes (such as negotiation, mediation and adjudication) or competent international organizations. Second, it can employ acts of retorsion, ranging from diplomatic measures (protests or démarches, and the practice of “naming and shaming”) to the withdrawal of favorable trade treatment. Third, it can invoke exceptional grounds of self-protection, such as necessity, distress or force majeure, in order to engage in more concrete responses.
Where unlawful cyber operations that violate international law can be attributed to a state, there are two possible reactions.
First, target states can engage in peaceful countermeasures. Whereas acts of retorsion are lawful, if politically unfriendly, countermeasures are acts that would be unlawful in other circumstances and are permitted only to induce the responsible state to return to compliance. Countermeasures need not mirror the nature of the underlying internationally wrongful act that justifies them, so assessing proportionality can be challenging. Restrictions on countermeasures include the obligation to refrain from the use of force, which raises the same threshold dilemma in the cyber context. Moreover, countermeasures may not affect states’ obligations regarding the protection of fundamental human rights. This condition is crucial during the ongoing pandemic, as the effects of countermeasures on the civilian population, whether taken through cyber or noncyber means, might be disproportionate to the goal of persuading governments to comply with their international commitments.
International law permits only states to take countermeasures. Targeted medical facilities therefore have no legal basis for mounting operations in response to cross-border cyberattacks, so long as they act in their own capacity. If governmental authorities authorize or direct them to respond to a cyberattack, the rules of attribution discussed above apply. The future will reveal whether these deterrence mechanisms, developed for the physical world, are as credible in the cyber domain. In the absence of clear rules distinguishing lawful from unlawful state behavior in cyberspace, target states are reluctant to respond firmly to harmful cyber operations and usually resort to minimal public action.
Second, the “hack-back”—retaliation by the victim of a cyberattack against the attacker—is of questionable legality under existing international law. Only cyber operations attributable to states can violate another state’s sovereignty. These “private self-defense” practices pose serious risks to a state’s foreign policy, as they may cause additional collateral damage and trigger an escalating cycle of private attacks.
Other International Law Considerations
Cyber espionage and data theft are old foes. Some argue that international law does not per se prohibit espionage, and it is true that international law provides no clear answers on the legitimacy of extraterritorial espionage during peacetime or its relationship to the principle of sovereignty. The Tallinn Manual does not offer a uniform conclusion either, but the dominant view is that information gathering by unlawful means is comparable to a physical intrusion that violates sovereignty. Therefore, although espionage as such is not prohibited under international law, the acts that constitute it—such as illegal interference with hospital and health institute databases—may be treated like physical intrusions and qualify as violations of sovereignty.
Few scholars have covered cyber deterrence under international economic law or under the dispute settlement mechanism of the World Trade Organization (WTO) framework. The WTO’s trade rules do not specifically accommodate cyber activity, and it remains to be seen whether an economic espionage claim under the WTO agreements could succeed. In the absence of comprehensive international regulation of state-sponsored economic espionage, some states resort to unilateral measures. First, unilateral trade sanctions on states performing economic cyber espionage can theoretically be justified under the national security exceptions in WTO agreements. Second, states could also use their regional and bilateral economic agreements to address and sanction state-attributed cyber intrusions.
In a recent cyber operation against a U.K. vaccine research firm, hackers encrypted files and copied sensitive data—including research on a vaccine for the 2019 novel coronavirus. The aim of cyber operations against healthcare sites is often to access sensitive personal medical data and either extract a payment for not disclosing it—as in 2019 and 2020, when some healthcare providers paid ransoms for fear of losing their data—or sell the information to third parties.
During the unfolding crisis, scenarios of human rights violations through cyber means are not hard to imagine, the most obvious being the triggering of a “kill switch.” The cybersecurity of hospitals, testing facilities and medical devices is now not only a privacy issue but also part of the right to life, guaranteed under the International Covenant on Civil and Political Rights (ICCPR), and the right to health, safeguarded by the International Covenant on Economic, Social and Cultural Rights (ICESCR). While the U.S. has signed and ratified the ICCPR, it has not ratified the ICESCR to date. States, having the obligation to ensure safeguards and security for their citizens, may be liable to them for their cyber vulnerabilities. The challenge, therefore, is to establish whether states are accountable to hospitalized individuals who were injured or lost their lives as a consequence of a cyber act that could have been prevented. The next challenge is to bring the state obligation to provide cybersecurity in this context within the scope of the right to life, the right to health or the right to liberty and security, so as to trigger the reparation mechanisms provided by regional and international human rights instruments. If the due diligence obligation discussed above is interpreted as including a governmental duty to ensure backup power generators, analog testing databases and similar measures, the scope of human rights obligations in the artificial intelligence era will expand considerably. Regarding the right to health, the U.N. Committee on Economic, Social and Cultural Rights notes that the precise nature of medical services “will vary depending on numerous factors, including the State party’s developmental level,” which may well excuse the lack of backup plans.
The Committee not only addresses due diligence of the host state but also mentions that foreign malicious intruders are subject to international human rights law, as “States parties have to respect the enjoyment of the right to health in other countries.”
Regional Approaches and Sanctions Regimes
The strongest existing framework on transnational cybercrime is the 2001 Council of Europe Convention on Cybercrime. Although it creates international law obligations for states to enact domestic law and render mutual assistance, it is of limited value against state-sponsored cyber operations. As regards mutual assistance in judicial matters, the main challenge for effective investigation, prosecution and, eventually, extradition of proxies is gathering sufficient evidence and meeting the dual criminality requirement. The 2013 Guidance Notes to the Convention describe “critical infrastructures” as including “systems and assets, whether physical or virtual, so vital to a country that their improper functioning, incapacity or destruction would have a debilitating impact on … public health or safety.”
The Council of the EU adopted the EU Law Enforcement Emergency Response Protocol in 2019, aiming to coordinate the governments, agencies and companies that respond to cross-border cyberattacks. Council Decision (CFSP) 2019/797 and Council Regulation (EU) 2019/796 established a sanctions regime against cyberattacks in the broad sense. To be subject to sanctions, an operation must have a significant effect and constitute an external threat to the EU or its Member States. Natural and legal persons operating in the EU remain subject to national jurisdiction. The language of CFSP 2019/797 covers cyberattacks against “services necessary for the maintenance of essential social activities,” including the sector of “health (healthcare providers, hospitals and private clinics).” Therefore, if the latest cyber acts against public health facilities can be attributed to foreign persons or entities, those persons or entities will be subject to the following sanctions regime.
Sanctions can be imposed against persons and entities who are directly responsible for the harmful cyberattack, who provided some form of support or who are otherwise involved in the operation. These measures include entry and transit bans for persons traveling to the EU as well as freezes on the funds and economic resources of persons and entities. Moreover, persons and entities within the EU are prohibited from making funds available to those listed.
The U.S. sanctions regime is not too different from that of the EU, but it is easier to apply, as reaching political consensus across the individual EU Member States is not a simple process. The U.S. regime was initially established by Executive Order 13694 in 2015 and was expanded by Executive Order 13757 in December 2016, which detailed the scope of cyber actions subject to sanctions. The U.S. has already imposed sanctions under it against entities and individuals, including Russia’s military intelligence service (GRU) and some Iran-based companies. Similar to the EU framework, the broad designation criteria include persons or entities originating or located outside U.S. territory that engaged directly or indirectly in a harmful cyber operation. The later order lists examples of harmful purposes, such as harming or compromising “the provision of services … that support entities in a critical infrastructure sector,” as well as the misappropriation of trade secrets through cyber-enabled means for commercial advantage.
Both the EU and the U.S. sanctions regimes are likely to cover foreign cyber operations against medical facilities during peacetime, whether aimed at compromising public health efforts or at misappropriating the latest vaccine research. Moreover, both regimes specifically target individuals and entities rather than states, which can be a more useful deterrence and sanctioning mechanism than publicly “naming and shaming” an entire country and its population. The success of the new EU sanctions regime and its deterrent power remain to be tested.
Host states of targeted medical facilities, whether in the U.S. or Europe, should firmly condemn malicious actors engaged in unlawful cyber conduct. Such declarations could act as strong deterrents against foreign intrusions likely to amount to internationally wrongful acts, such as prohibited intervention. Moreover, repeated and concerted messages of disapproval would help clarify state practice on the application of the principles of sovereignty and nonintervention to cyber operations directed against public health efforts during peacetime.
What Does the Future Hold for Cyberlaw in the Health Sector?
Extreme examples of flawed cybersecurity in the healthcare sector predate the current pandemic. Increased collaboration within the EU, at the transatlantic level or among U.S. authorities could significantly mitigate emerging cybersecurity risks and critical vulnerabilities. Medical devices rely on international supply chains for their consumables and on manufacturers for software maintenance and testing. The more interconnected these devices become in the artificial intelligence era, the more risks will emerge.
While most states seem to agree on the application of general international law to international cyber operations, the precise translation of the rules developed in the physical world to cyberspace is widely debated. Some governments are reluctant to embrace the principle of due diligence and its corresponding obligations, while others hesitate to firmly respond to cyber operations conducted by state proxies for fear of escalation. In the absence of a strong body of international cyberlaw or political consensus on future cooperation frameworks, private actors like medical facilities are often left to create their own defenses.
As European experts recently observed, coercion clearly remains a core objective of sanctions. While the exact consequences of a cyber operation are relevant for determining whether the armed attack threshold is met or a lawful state response is triggered, the purpose of the operation seems to matter less for international law. Absent a clear legal provision, the gravity of a cyber operation against a medical facility and the applicable legal responses are assessed contextually, in relation to the consequences and the uncertain “essential character” of the facility. After the Netherlands’ statement on the abuse of the current crisis by malicious cyber intruders, the U.S. Department of State issued a warning about attacks against the healthcare system. These public warnings are valuable in showing that the issue is being considered at the international level, but to date these cyber operations seem to evaporate with impunity, adding to the burden on already overwhelmed medical facilities in a time of crisis.