Digital safe havens: sheltering civilians from military cyber operations

7 July 2021

Analysis by Isabelle Peart | Law and the Future of War

An argument for establishing digital safe havens under international humanitarian law to protect civilians from cyberattacks

In September 2020, police in Germany commenced a homicide investigation into the death of a patient who was diverted away from a hospital due to a cyberattack. Although a prosecution was ultimately unsuccessful, this event revealed the grave danger cyberattacks can pose to the public. With more and more States investing in military cyber capabilities, and conducting military operations in cyberspace, this threat to the civilian population is heightened. It is generally accepted that principles of international humanitarian law apply to military cyber operations during armed conflict. However, international humanitarian law as it stands may place civilians at greater risk of harm in the context of military cyber operations. This is due to the doctrine of dual-use objects and its application during cyber conflict.

Military objectives and ‘dual-use’ objects under international humanitarian law

Under article 52(2) of Additional Protocol I, attacks must be strictly limited to military objectives. Further, under article 58(1), parties to a conflict are required to take necessary precautions to ensure that civilians and civilian objects are protected against the dangers posed by military operations. Traditionally, in kinetic warfare, this could be achieved by separating civilians and civilian objects from the targeted military objective as much as possible, to spare them from the effects of attacks.

However, cases will arise in which an objective serves a dual military and civilian purpose. In such cases, State practice indicates that a ‘dual-use’ object may amount to a military objective. For example, the Trial Chamber of the International Tribunal for the Former Yugoslavia found in the Prlić case that the destruction of a bridge, used as a supply route for both civilian and military purposes, could constitute a military objective (at para. 1582).

In the context of cyber operations, the Tallinn Manual 2.0 has characterized cyber infrastructure used for both civilian and military purposes as a potential military objective (at page 554). This characterization creates a real risk to civilians during military cyber operations considering the interconnectedness of civilian and military infrastructure. For example, it has been estimated that 98 per cent of US government communications, including classified military communications, travel over civilian networks. The scale at which military and civilian networks are integrated means that the separation of these networks is considered unfeasible (at page 219).

Although a ‘dual-use’ object is a military objective, a proportionality assessment must be conducted to ensure the attack does not cause disproportionate harm to the civilian population. This offers some protection to civilians. For instance, the Tallinn Manual 2.0 considers it is unlikely that the entire internet would constitute a military objective, even though it is used for military purposes (at page 446). Nonetheless, the risk remains that civilian cyber infrastructure will be incidentally damaged due to its interconnectedness with military cyber infrastructure.

The solution: A digital safe haven agreement

To reduce the risk of civilian harm during military cyber operations, States should adopt a ‘digital safe haven’ agreement to protect certain computer networks from being targeted during cyber operations. As discussed by Robin Geiß and Henning Lahmann (at page 394), a digital safe haven would be the virtual equivalent of a demilitarized zone, as set out in article 60 of Additional Protocol I. Rather than separating networks into civilian or military, States should isolate essential civilian networks and protect them from any military interference through an internationally binding agreement. To be effective, such an agreement would need to impose two key obligations on States: first, that States must not conduct military operations against designated networks and data systems, and secondly, that States must not use designated networks or systems for military purposes.

To gain access to the digital safe haven, States would be required to isolate protected networks and data systems. For example, military data would not be allowed to sit on the same server as protected data. When determining what networks should be protected, at first, a more conservative approach should be adopted to ensure the digital safe haven is successful and efficient. Although areas such as financial systems and power grids can be considered essential for civilian populations, protected systems should initially be limited to medical networks, such as the digital infrastructure of hospitals.

Limiting the areas protected by a safe haven agreement would mean that the haven is less susceptible to abuse by States. Further, given the recent surge in criminal cyberattacks against hospitals, isolating medical networks would additionally provide the hospitals with the opportunity to strengthen their cybersecurity through measures such as improving data encryption.

As demonstrated by the events in Germany in September 2020, disruptions to medical networks can have immediate and deadly consequences for civilians. Although medical infrastructure is already protected under international humanitarian law, the introduction of an international agreement establishing a digital safe haven would bolster this framework and provide additional protection to civilians. By removing military activities from medical networks, a digital safe haven agreement would ensure that these networks can never lawfully be the object of an attack.

This essay was originally published as a post on the ICRC Humanitarian Law & Policy Blog on 1 July 2021 and won an international essay competition run by the International Committee of the Red Cross and the Geneva Academy.