How Can a ‘Digital Emblem’ Help Protect Medical Facilities Against Cyber Operations?
On the battlefield, every soldier knows what a red cross or red crescent stands for. As warfare is increasingly digitized, is it possible to digitize this universal symbol of protection as well?
Published by The Lawfare Institute
Cyber operations have become a reality of armed conflict. For instance, during the conflict between Ukraine and Russia, there has been widespread use of wipers—malicious code used to destroy digital assets such as computers, servers, or routers by encrypting or rewriting hard drives or memory—that impacted critical civil infrastructure. More and more states are developing military cyber capabilities, and thus the number and severity of these cyber operations will almost certainly grow. In this digitized environment, medical facilities enjoy specific protections under the law of armed conflict: Medical facilities and their staff must be respected and protected. Belligerents must not conduct cyber operations that harm medical infrastructure, and they must take great caution to avoid incidental harm caused by such operations. In armed conflict, these facilities use physical emblems and distinctive signals—such as the red cross, red crescent, and red crystal—to clearly mark that they are a medical facility and thus must not be targeted or harmed. If using physical emblems and distinctive signals has proved beneficial for the protection of medical and humanitarian operations, is it possible to create a “digital emblem” for use in cyberspace?
The idea of a “distinctive emblem” is not new. In 1864, states agreed in the First Geneva Convention that “ambulances and military hospitals shall be recognized as neutral, and as such, protected and respected by the belligerents as long as they accommodate wounded and sick.” And to ensure that every combatant is able to identify medical facilities, transport, and personnel, “hospitals, ambulances and evacuation parties … shall bear a red cross on a white ground.”
In November 2022, the International Committee of the Red Cross (ICRC) issued a report entitled “Digitalizing the Red Cross, Red Crescent, and Red Crystal Emblems: Benefits, Risks, and Possible Solutions.” The report presents the idea of a “digital emblem,” or a digital sign to identify—and therefore signal protection of—the computer systems of medical facilities. In the past two years, the ICRC has worked to develop this idea with research partners and global tech, legal, and military experts.
Beyond purely technical issues, the idea of marking the digital assets of hospitals or humanitarian organizations by means of a digital emblem raises important questions: Would putting a digital emblem on an information technology (IT) system expose it to additional risks? If a digital emblem signals legal protection, who would be bound by such law, and who would respect it? Would the emblem be misused, incorrectly marking all kinds of digital assets as protected? And how naive are we to think this could work?
A digital emblem, regardless of its technical specificities, would be used to identify assets of a digital structure exposed to the outside, including computers/laptops, servers, routers, and firewalls that are connected to the internet. This marking is intended to give those who are carrying out a cyber operation—or those who are trying to identify a possible target—the opportunity to detect the presence of a protected entity. But the digital emblem would also identify assets inside a network, such as servers used to store sensitive information, or operational technology hardware components that are not necessarily connected to the internet and therefore exposed to the outside. Digital-emblem-marked hardware would alert those carrying out a potential cyber operation—even if they have already infiltrated a digital structure connected to the internet—that they are targeting protected assets. Additionally, the digital emblem on hardware could also help operators distinguish between protected medical facilities and other military or civilian assets that operate on the same network.
A Sign of Legal Protection—Not a Cybersecurity Measure
A digital emblem is not a cybersecurity measure. It is not intended to technically prevent an attack, similarly to how a red cross or red crescent painted on the roof of a hospital is not intended to physically block a missile or shell. Its only purpose is to signal the presence of an entity that enjoys specific protection under international humanitarian law. It cannot replace traditional cybersecurity measures that every medical or humanitarian organization should employ, such as antivirus and intrusion detection systems. It is only a symbolic protection measure.
A digital emblem relies on the idea that those who see the emblem will respect it and abstain from targeting the marked entity. Thus, in order to effectively signal protection, a digital emblem would have to be visible to, and easily identifiable and understood by, those conducting cyber operations. In fact, when we spoke to cyber operators (both state and non-state), they emphasized that for a digital emblem to achieve its objectives, the operator should be able to probe for a digital emblem without being identifiable as a potential threat actor and thus putting themselves at risk of discovery.
If Aimed at Professional Cyber Operators, Is an Emblem Needed?
Why is there a need for a digital emblem to mark entities that are already protected under international humanitarian law? Is it necessary to have this emblem, if it is already widely known that attacking medical facilities is unlawful? Several reasons speak in favor of a digital emblem. Its objective is to help an operator clearly recognize an entity that is specifically protected during armed conflict under several rules of international humanitarian law. The increasing diffusion of digital assets on different platforms (for example, in the cloud), the development of shadow IT (assets unknown to those working on the security of a particular infrastructure), and even the geographic segregation of networks create potential difficulties in attributing the ownership of a specific, potentially targeted asset. Even if an operator employs a structured and disciplined target selection process, selectors (staff dedicated to the identification of suitable targets) may not have all the necessary information. In the fog of digital war, a digital emblem could enhance the ability to recognize—and spare—assets specifically protected under international humanitarian law.
Some observers may also express concern that digitally marking and identifying medical and humanitarian entities risks increasing their exposure to harmful operations. In the view of many of the experts we consulted in writing the ICRC report, however, the severity of this risk may vary. For many operators, it is already easy to identify medical or humanitarian organizations in cyberspace if they were to deliberately target them, for instance, through network scanning or using dedicated platforms such as Shodan. Therefore, the additional risk of facilitating their identification may be relatively small. The use of a digital emblem might, however, run the risk of greater exposure to operations by less sophisticated actors. But, notably, these less advanced actors have fewer capabilities to cause harm.
In any case, the use of a digital emblem would be voluntary and should be assessed in light of each operational context. As in the physical world, if a protected entity realizes that the use of an emblem increases risks rather than mitigating them, the digital emblem, like its physical counterpart, should be easily removable.
A digital emblem could also prevent larger-scale attacks from affecting protected entities. Think, for instance, of attacks that, through generalized scanning, exploit the presence of a vulnerability to gain access to any computer network in order to either attack such networks or sell access information. Our analysis of recent cyber operations in armed conflicts also shows that while they have become increasingly geographically and sectorally “fenced,” many still suffer from operational immaturity. Spillover from military targets to critical civil infrastructure has occurred repeatedly in recent years. One example is the cyberattack against Viasat’s SurfBeam2 modems used for connections to the KA-SAT satellite. Civil entities, such as the German wind turbine company Enercon, were also affected, losing connection to their assets. In such situations, a digital emblem could have significant value to avoid collateral damage to medical facilities or operations of the Red Cross and Red Crescent Movement. Indeed, developers of malicious code, exploits, or other offensive capabilities would be expected to implement the capabilities to identify the presence of the emblem in their code and thus spare the marked entity from harm. Only time and experience will tell whether this will be the case solely on the part of compliant government entities or whether cyber criminals will also respect the emblem.
A System Prone to Misuse, or an Avenue for Stronger Accountability?
Some observers fear that a digital emblem could facilitate the targeting of protected entities and that the emblem would be prone to misuse. It is true that the use of a digital emblem could allow a malicious actor to program malware that could target marked entities at scale and with great speed. However, for such an operation to cause harm, the operator would also need to exploit a vulnerability present in all targeted systems, a capability that probably only the most sophisticated operators have. These would likely be state operators, who are bound by, and trained on, international humanitarian law and legally accountable for their conduct.
In fact, if an entity is able to unequivocally show the presence of a digital emblem on its network, it will be more difficult for an attacker to argue that they were unaware that it was a target enjoying specific legal protection. In this respect, an emblem removes a degree of plausible deniability—or, at least, reduces it to a minimum level—which could facilitate holding attackers to account. In fact, if a digital emblem were to become part of international humanitarian law, it would be a war crime to “intentionally direc[t] attacks against buildings, material, medical units and transport, and personnel using the distinctive emblems of the Geneva Conventions [of 1949] in conformity with international law,” according to Articles 8(2)(b)(xxiv) and 8(2)(e)(ii) of the Rome Statute of the International Criminal Court.
There are numerous other factors that could lead to cyberattacks against infrastructure protected by international humanitarian law, such as errors on the part of operators, carelessness on the part of selectors who do not perform a proper fingerprint (the operational phase during which the assets of a target are identified) before a cyberattack is launched, or simply opportunistic behavior by operators. Obviously, the emblem will not be the solution to all problems and scenarios. If attackers are not willing to look for the emblem, the emblem cannot signal protection. If fingerprinting is not done correctly, the emblem cannot be effective. If malicious code, especially code with self-spreading modules, does not contain mechanisms to avoid infecting entities displaying the emblem, the emblem cannot provide any protection. However, if a digital emblem were able to prevent some damage to the information and communication technology infrastructure of medical and humanitarian facilities and thereby mitigate adverse consequences for people affected by armed conflict, this digitization project would certainly be worth the effort.
The Diplomatic Road of Transposing an Analog Solution to the Digital Space
In light of the digitization of literally all parts of society and armed conflicts, it is now up to states to decide whether the idea of a digital emblem is worth exploring further, and whether it should be integrated into the international legal framework. This could take the form of an additional protocol to the Geneva Conventions, as was done for the adoption of the “red crystal” emblem, or a revision of Annex I of Additional Protocol I, which regulates the use of “distinctive signals” (light and radio signals, electronic identification) or communications (radio communication, codes). Over the past century, new distinctive emblems and signals were developed to ensure that medical facilities could be identified and protected in times of armed conflict—it might now be time to add a digital emblem.