The recent wave of cyberattacks against healthcare institutions has led many to ask whether and how such malicious behaviour is regulated internationally. While cyber norms may offer best practices and guidance, it is international law that provides binding obligations which can be invoked against states that support or tolerate such attacks. Recently, the European Union invoked one such obligation – the duty of due diligence. Now, governments must have the will to operationalise it.
Hospitals and other healthcare institutions facing a surge in patients due to the worldwide COVID-19 pandemic are also struggling with another threat: cyberattacks. Hackers have used ransomware and other malicious tools to attack hospitals and other healthcare facilities in numerous countries, including the Czech Republic, France and Spain. Universities, science labs and other facilities conducting research on a coronavirus vaccine are increasingly targets of cyber espionage operations. It is also becoming clear that these attacks are being conducted not only by criminals, but also by states, as suggested in a high-level warning by the Czech National Cyber and Information Security Agency (NÚKIB) and the U.S. Secretary of State’s subsequent press statement.
Many states and international organisations have condemned cyberattacks against hospitals and healthcare institutions. The U.S. Secretary of State noted with concern the Czech warning and called upon the actor in question to refrain from disruptive malicious cyber activities. The European Union High Representative for Foreign Affairs and Security Policy called “any attempt to hamper the ability of critical infrastructures” unacceptable, and stated that “[a]ll perpetrators must immediately refrain from conducting such irresponsible and destabilising actions, which can put people’s lives at risk”. Interestingly, however, even among allies, there seems to be no consensus on the applicable framework against which to measure the cyberattacks against hospitals: the United States invokes the “framework of responsible state behaviour in cyberspace, including nonbinding norms regarding states refraining from cyber activities that intentionally damage critical infrastructure”; the Netherlands and United Kingdom point to international law; and the EU stresses specifically the rule of due diligence. So what does the COVID-19 crisis tell us about how states really view the role of international law as part of the cyber stability framework?
Cyber Norms vs. Cyber Law
The current framework for responsible state behaviour in cyberspace – rooted in the reports of the UN Group of Governmental Experts (GGE) and the 2015 Report in particular – covers international law applicable to cyber operations, adherence to voluntary norms of responsible behaviour and the development and implementation of practical confidence building measures. Cyber norms reflect the international community’s expectations regarding state behaviour, but are voluntary and non-binding. Therefore, norms do not seek to limit or prohibit action that is otherwise consistent with international law, but rather to promote good practices and standards of responsible behaviour. Binding obligations are created by international law, which, as the 2015 GGE Report confirms, applies to the use of information and communications technologies (ICT) by states. This includes international norms and principles that flow from sovereignty and states’ jurisdiction over ICT infrastructure located on their territory. In addition to observing these obligations, states must not use proxies to commit internationally wrongful acts using ICTs and should seek to ensure that their territory is not used by non-state actors to commit such acts.
This distinction between norms and law is important, especially in the context of cyberattacks against hospitals. Because these mechanisms serve different functions, only one of them – international law – can regulate and prohibit malicious behaviour in cyberspace in a binding and enforceable way. Norms, on the other hand, aim to incentivise certain behaviour by promoting standards based on political agreement and voluntary adherence. In theory, states should voluntarily adhere to norms based on a cost-benefit analysis and, once enough states are on board, voluntary adherence may at some point harden into a legal obligation. Thus, we look to norms for best practices and as a tool for building consensus around particular solutions, but we look to law for guidance on which conduct is allowed and which is forbidden. Norms cannot replace law in this regard.
Cyberattacks on Healthcare Institutions in International Law
So, what does international law have to say about cyberattacks against hospitals? Are norms really the only framework that regulates such behaviour? The answer is clearly no. Three distinct international legal obligations may come into play when a state conducts cyberattacks against healthcare institutions in another state or allows its territory to be used for such a purpose.
First, cyberattacks attributable to states may violate the target state’s sovereignty. For instance, an attack against hospitals in Czechia, Poland, Spain or any other European country that can be attributed to Russia, North Korea or China may be seen as violating the sovereignty of the target country. While the status of sovereignty as an independent rule is sometimes disputed (particularly by the United Kingdom and the U.S. Department of Defense), several, mostly European, governments – including Austria, Czechia, France, Germany and the Netherlands – have come out in favour of the sovereignty-as-a-rule position. Under this view, cyberattacks against healthcare institutions in another state violate that state’s sovereignty because they breach its exclusive right to exercise state authority within its territory.
Second, the 2015 GGE Report confirmed that in their use of ICTs, states must “comply with their obligations under international law to respect and protect human rights and fundamental freedoms”. These obligations include the inherent right to life (Article 6 of the International Covenant on Civil and Political Rights) and the “right of everyone to the enjoyment of the highest attainable standard of physical and mental health” (Article 12 of the International Covenant on Economic, Social and Cultural Rights). It could therefore be argued that cyberattacks against hospitals which lead to medical equipment malfunctions resulting in patient deaths may violate Article 6 of the ICCPR. At the same time, cyberattacks which affect the availability and accessibility of hospital facilities for patients could potentially violate Article 12 of the ICESCR.
Lastly, it is worth noting that the European Union and its officials have consistently pointed out states’ due diligence obligations. In his recent declaration on behalf of the EU regarding malicious cyber activities exploiting the coronavirus pandemic, Josep Borrell stressed that “the European Union and its Member States call upon every country to exercise due diligence and take appropriate actions against actors conducting such activities from its territory”.
The Promise of Cyber Due Diligence
The rule of “cyber due diligence” stems from the obligation of states “not to allow knowingly [their] territory to be used for acts contrary to the rights of other States”, as identified by the International Court of Justice in the Corfu Channel case. It requires states to take concrete steps to stop cyberattacks emanating from their territory as soon as they become aware of them. The extent of the due diligence obligation is currently under debate (for an overview, see, for instance, the study by Joanna Kulesza), in particular with respect to the types of actions required and the need to actively monitor ICT systems for malicious activities. However, it is safe to say that there is an emerging trend towards requiring states to “make reasonable efforts” or apply “reasonable measures” to stop malicious activity and cooperate with the victim state (for further detail, see the author’s comparative study). With respect to cyberattacks against healthcare facilities, it could therefore be argued that a state alerted that these attacks are being conducted from its territory must take reasonable steps, for instance through its law enforcement agencies, to find and arrest the perpetrators of these attacks. And under no circumstances is a state permitted to use individuals or other non-state actors as proxies to conduct such cyberattacks on its behalf.
Can the EU Lead the Way?
In addition to being a potentially useful tool for counteracting cyberattacks against hospitals, the obligation of cyber due diligence has a broad application, covering any type of cyberattack that is launched from the territory of a state and infringes upon the rights of other states. Its biggest advantage is that it does not depend on the attack being attributed to a particular state, which is often technically difficult and sometimes also politically undesirable, since states often want to avoid revealing the extent of their technical abilities or their intelligence sources. Rather, due diligence is an independent obligation which arises from control over territory and the ICT systems located therein. The obligation arises once a state is notified that a planned or ongoing attack has its source in the territory of that state. The target state can then request the cooperation of the state of origin in thwarting the attack. Returning to the earlier example, should the attacks against the Czech hospitals originate from the territory of Russia, China or North Korea, those states, once notified, would be under a due diligence obligation to stop these attacks from being carried out from their territory.
At the same time, the “reasonableness” criterion protects states from duties or expectations which they cannot bear due to a lack of capacity. In other words, states are expected to undertake only those actions which lie within the scope of their technological and organisational capacities. This link between due diligence and capacity building has been correctly identified, for instance, by the Czech Republic, which stated that a “State’s capacity to adequately exercise its due diligence obligation is intrinsically linked to that State’s cyber resilience capacities. Such factors should be taken into consideration when evaluating the particular measures taken by the acting State”.
By focusing on state and societal resilience, the EU could become a champion of cyber due diligence. It has already taken an early leading role in cyber capacity building – both internally and externally. For instance, through the Network and Information Systems (NIS) Directive, the EU has obliged member states to establish Cyber Security Incident Response Teams and required operators of essential services, including healthcare institutions, to implement cybersecurity and reporting standards. In addition, the EU Cybersecurity Act lays the foundations for an EU-wide cybersecurity certification framework for digital products, services and processes and gives new competences to ENISA, the EU’s cybersecurity agency. Taking a legislative approach rather than simply relying on political dialogue also helps build uniform and interoperable cybersecurity capacities throughout the whole bloc.
Operationalising International Law
This discussion shows that states do not have to be defenceless in the face of cyberattacks against healthcare institutions. First, there is a framework of cyber norms and best practices (including the above-mentioned EU examples) which states may implement to better protect the cybersecurity of their critical infrastructure. Second, international law offers a clear framework for regulating malicious behaviour, in particular the obligation to respect the sovereignty of states in cyberspace and not to allow a state’s territory to be used for cyberattacks. It is now up to governments to operationalise this framework. They can do so by, for instance:
- clearly relying on international law (and not only cyber norms or the “framework on responsible behaviour in cyberspace”) when condemning cyberattacks against hospitals or other critical societal functions in the future;
- invoking the international responsibility of states from whose territory such cyberattacks originate; and
- imposing costs on states which fail to cooperate or actively support malicious actors. These costs can take the form of, for example, cyber restrictive measures, for which the EU has adopted a clear framework.
In conclusion: international law does not leave states defenceless. States have the tools to both increase their resilience to and counter cyberattacks against hospitals. Now, they only need the resolve to use them.