Cyberattacks, healthcare and international law

Raphael
Jul 19, 2017 (10 min read)


On July 5 my colleagues and I visited the Left Bank Pediatric Clinic in Kyiv and spoke to Dr. Lidiia Podkopaieva, the facility’s medical director. Half her computers had been knocked out by Nyetya, one of the names given to the data-scrambling malware that had erupted across Ukraine a week earlier. Four X-ray machines, a mammography machine and a CT scanner were knocked offline, she told me, adding that one patient was in the middle of an exam when their scan was destroyed. While no one was hurt, I wondered at the implications. Does what happened at the clinic amount to an attack? And in any case, doesn’t it violate international law? It wasn’t just Dobrobut that suffered; several clinics and pharmacies across Ukraine were hit, and the disruption even extended to medical facilities in the United States.

Over the next couple of weeks I spoke by phone and email to Scott Shackelford, the chair of the Cybersecurity Program at Indiana University in Bloomington, and Duncan Hollis, a Temple University professor and a former treaty lawyer for the U.S. State Department (who was later interviewed in person by a television colleague). I encourage you to read the Associated Press story, but those interested in a more extended discussion of the intersection of international humanitarian law and cybersecurity may find the following excerpts to be of interest. (Please note that the comments have not been edited for clarity; the hyperlinks have all been added by me.)

The first person I spoke to was Shackelford, who I reached by phone. Here’s an excerpt from our conversation:

Q: Where does this fit in — a cyberattack on a hospital — where does this fit in in terms of international humanitarian law?

A: Where does it fit in international law? So there are a couple of treaties that refer to safety services. So the fact that if any country endangers or disrupts those safety services, then it’s a breach of that treaty. And actually one of those treaties is an International Telecommunication Union convention, or the ITU Convention, that actually refers to the endangerment of safety services, which includes degrading health, and health care facilities. So one area, surprisingly, is the ITU itself, and every country has pretty much ratified that treaty. So you can look to that. You can also look more broadly to international human rights law. Because there are protections there built in for the right of the person, including their health, their securement in their home, etc. So international human rights law itself can be useful. And increasingly we’ve seen the UN Security Council assert these rights through resolutions. There was a resolution just a few months ago now on protecting civilian critical infrastructure. And it’s true, how we define critical infrastructure really varies country-to-country. But if we look for example at the EU and the US and a lot of the similar regions with regard to how we approach this, all of them include health care and hospitals in their lists of critical infrastructure. So you could see that this is, if nothing else, in breach of these emerging international norms, and the Security Council resolutions as well, those kinds of attacks. You can come at it from a few different perspectives. You’re absolutely right that attacks like that breach international law in various ways. The trick is of course enforcing those agreements.

Q: That brings me to the next question, I guess […] It seems like we’re emerging into an area where it’s not unusual, and, in fact, given the indiscriminate nature of the way in which these things spread, it may even be a feature of these kinds of things that hospitals and healthcare agencies and other protected agencies are hit, as a matter of course. I wonder if there’s anything to be said about where norms are going at this point, because — I don’t know if you agree — but they don’t seem to be going in the right direction as far as cyberattacks are concerned.

A: Mm-hmm. The good news is that over the last year-and-a-half, two years now, we’ve had a lot of developments and a lot of positive steps forward on what we think of in terms of international norms for cybersecurity. So that started with the US and China, that spread to the UN group of government experts, which were the more than 15 countries that signed on to international law applying equally online and offline. The G7, even the G20 has had statements in support of certain international norms, including the protection of vulnerable critical infrastructure. As you say, the international community is increasingly regarding this as something that should be safeguarded. The issue, like the same issue with international human rights law generally, is how do we enforce some of those norms when they are breached. This is a complicated issue in cybersecurity because of kind of prevailing problems like attribution, right? I think most of the action right now is how do we operationalize these norms now that we agree on them […]

In a later email exchange, Shackelford and I discussed the issue of what counts as critical infrastructure and how policymakers — particularly American ones — should respond when it is attacked.

Q: We talked about the role of private industry, but I wanted to steer the conversation back toward public policy. Basically I’m relying on you and others to explain why it is that my readers should care about what’s happened in Ukraine.

In particular, I was struck by what Marcy Wheeler wrote recently. I think I alluded to it in our conversation:
https://www.emptywheel.net/2017/06/29/does-maersk-count-as-us-critical-infrastructure/

With this in mind, I think that — even if legally there seems to be a lot of convergence around the idea that attacks on civilian infrastructure are still attacks regardless of whether they’re electronic or physical — in the normative space we don’t seem to be going in the same direction. Norms, typically, are policed. Unless I’m mistaken, there’s no evidence of that happening recently (for example, to my knowledge U.S. officials haven’t even mentioned this attack). Am I right in my thinking here? And if so, what are the potential consequences?

A: […] I see two issues in particular here, one of which is rightly highlighted in the link you sent. First is the issue of confusion over what counts as critical infrastructure. As we discussed, this is really in the eye of the beholder. In the US there are 16 sectors, for example, while in the EU it’s roughly half that. And those sectors that are defined are typically quite broad, causing added confusion — movie theatres, for example, are classified as critical infrastructure in the US.

A more important question is, so what? After an industry is designated as ‘critical,’ what’s the next step, and how are nations and the international community positioning themselves to protect these vital assets? The answer is that, in short, it depends. In the US, for example, we designated elections as critical infrastructure back in January, but so far that hasn’t translated into a meaningful change in US policy on how state and local elections should be conducted (there was a meeting in Indianapolis just this past weekend on the topic that failed to answer these core questions). By and large though, Congress has tried and failed to establish safeguards for critical infrastructure firms (this was part of the Cybersecurity Act of 2012, which was filibustered). In the EU, regulators have more teeth to hold lax firms accountable.

Internationally, there has been progress to leverage international norms to protect critical infrastructure, but this was dependent on leadership from the Obama Administration. Now with the change in administration, progress has stalled, and in fact we seem to be moving backwards in some ways (such as with the laughable idea of a US-Russian cybersecurity unit). The consequence of not having this worked out, though, is that the progress we’ve been making on international cybersecurity norms, especially since 2014, is in danger of eroding, and once this happens it’ll be that much harder to reinstate them in the future. What’s needed is leadership, and right now that’s in dangerously short supply, especially coming from Washington.

Q: What do you think it would take for the Trump administration to regain the initiative here? Rex Tillerson was in Ukraine and he made some oblique reference to the cyberattacks, but as far as I am aware there was no condemnation of the attack on civilian infrastructure, much less the hospitals or pharmacies. Should he/could he have taken advantage of his visit to say, for example, “hospitals are off limits” or something to that effect? How do you take these kinds of normative stands?

A: The first step would certainly be statements by leading policymakers, including the President, to help crystallize state practice. This could be followed by other leaders. Unfortunately, this is now more difficult given how isolated the US has become diplomatically. Still, if there were more normative statements from the top, followed up by action (such as law enforcement investigations, etc.), I think we’d see a change in tone and the possibility of a public-private cybersecurity code of conduct being negotiated.

When I first spoke to Hollis, it was over the phone. Here’s an excerpt from that conversation:

“I do think it’s very serious,” Hollis said of the attack on the clinic. He said that a “complicating factor” in terms of thinking about the attack was the question of whether this occurred in wartime or peacetime. “One key question for how bad this is” is whether the situation in Ukraine was considered war or peace. “If it’s a peacetime scenario it’s in some ways more egregious,” he said.

In a later follow-up email, he added:

“I said this because when it comes to ‘armed conflicts,’ we don’t yet have a common consensus on how the existing international humanitarian law works in cyberspace (the Tallinn Manual is a start, but it was an effort by private experts, not States themselves).

“In contrast, when it comes to peacetime, we have the 2015 UN Group of Governmental Experts consensus report (which included the US, Russia, and China) agreeing that responsible States should not conduct or knowingly support ICT activity that intentionally damages critical infrastructure.

“I don’t think there’s any debate that a hospital is part of a State’s critical infrastructure. Thus, if this is a peacetime scenario and Russia was involved, it seems to be a blatant violation of a norm it explicitly accepted (in contrast to the IHL context in which there’s all sorts of interpretative questions about attacks etc […]).”

Back over the phone, he agreed that the Trump administration’s response to this and other breaches had been restrained:

“Compared to the prior administration, this administration has not been as vocal in response to various cybersecurity incidents.

“Do I regard this seriously? I can’t speak as to why we aren’t seeing that articulated [as strongly as with previous administrations].”

“We’re in this era right now that’s almost a constitutional moment for cybersecurity and cyberspace […] I do think it’s important that when we see this behavior that’s unwanted or wrong, that you should speak up. That’s how norms get made. When you’re silent in the face of bad behavior, that does sort of imply that that’s permissible.”

A few days later a television colleague had a follow-up interview with Hollis at his office in Philadelphia. Here’s an excerpt from the conversation:

Q: How strict are the international rules around protecting hospitals and medical personnel? Do they apply to the online world as well? Are there any exceptions?

A: “It’s pretty clear now that international law applies in cyberspace. There was a time when that was debated, but a number of countries including Russia, China, the United States agreed in 2013 that […] international law applies in cyberspace. The tricky thing is there are different rules […] whether we’re in peacetime or wartime. If we’re in peacetime, states have agreed that they should not target critical infrastructure through cyber operations or cyber means, and so that would seem to be clearly violated with what happened, particularly to the Ukrainian hospitals, as a result of these most recent attacks. If we’re in a wartime situation [and] there’s a whole set of rules, whether it is an international armed conflict or [non-international armed] conflict, there is also a prohibition on targeting hospitals or what they call medical units with an attack. But ‘attack’ is a term of art. So when we use the term cyberattack in the technical community, that can mean anything from someone trying to steal your email password to someone trying to get into a medical device or getting into the Internet of things, through using them for distributed denial of service attacks. When we’re in the international law space, attack is a very precise term that involves violent effects. Think death and destruction. And so the big question here is what happened two weeks or several weeks ago in Ukraine, was that something that would qualify as an attack. ’Cause if it was an attack it would clearly violate international law because there’s no question: medical units and medical personnel are supposed to be immune from that sort of behavior.”

Q: This happened mainly in Ukraine. Is this really relevant to people in the United States? Why or why not? Should our government be talking about this?

A: “I think it’s tremendously important. For starters, most of the dramatic effects occurred in Ukraine, but it did affect the shipping in the United States, where ports were destabilized until they could get control of it, and the reality is the technique used here, which was a mix of both fairly sophisticated malware which allegedly the National Security Agency had originally used in some ways, plus some other pieces of malware, that’s something that can be repurposed, right, so just because it’s being used in Ukraine now doesn’t mean it couldn’t be used against the United States in the future.”

Q: How can medical facilities or hospitals better prepare if an incident like this were to happen again?

[…]

“I think what we’re seeing here is an incremental, gradual escalation of what’s possible when it comes to cybersecurity. I think it’s important to not over-claim or overdramatize. There is sometimes a tendency for hysteria to say that cyber can do all these magic things, it’s not that [if] you think it, [it] can happen in cyberspace, and the reality is up until now most of the harm from cyber operations, whether they’re state-sponsored or by criminals or others, is economic. You’re not able to run your business, you’re not able to get access to your bank accounts for some time period and that has economic effects. What you see when you target something like a medical unit, like a hospital is the effects go beyond the mere economic and they start to affect people’s health and that is a serious matter.

“One of the things we’re still wrestling with is the rules do not fit perfectly to the new technology, and that’s the next stage: do we need new rules as we go forward in this space? Because we’re seeing every month, every year the threat landscape keeps getting more complicated and the threats keep getting bigger, and is the existing set of rules we have enough? That said, there is clearly a set of rules that say you cannot hack hospitals.”

Also worth a read: this post by Michael Schmitt and Lt. Col. Jeffrey Biller on the Blog of the European Journal of International Law.
