Harmful, malicious and hostile cyber activities against international institutions, entire populations and vulnerable groups are appalling, regardless of whether they are committed by state or non-state actors. It is time to talk restraint when it comes to cyberattacks and information operations targeting international organisations and personal data.
The compromise of personal data and confidential information on the servers of the International Committee of the Red Cross (ICRC) in January 2022 invites international attention to two systemic, yet underattended international cybersecurity issues: personal data breaches and attacks targeting international organisations.
Time to Talk International Personal Data Protection
The cyberattack against ICRC exposed the personal data and confidential information of over half a million highly vulnerable people, including those separated from their families due to conflict, migration and disaster; missing persons and their families; and people in detention.
The topic of international personal data protection is in the long-term programme of work of the International Law Commission. It is a difficult topic to try to negotiate or codify, given the different standards of, and approaches to, personal data protection applied by the major powers, including the United States and the European Union. However, regional instruments and domestic law widely acknowledge the need to provide protections against abuse of personal data, especially sensitive personal data, such as data pertaining to health, biometrics and political or religious views. Ironically, the ICRC data affected by the recent attack is not necessarily considered sensitive under domestic law: the issue of populations vulnerable due to their status as refugees or detainees has a predominantly cross-border character and has thus escaped thorough consideration by domestic privacy advocates.
There are other reasons to address the nexus of personal data and cyber operations at the international level. Many states and corporations have been victims of data breaches conducted by other states or their proxies. Exfiltration of passenger, patient, voter and employee databases has, in several instances, been followed by leaks. The US Office of Personnel Management (OPM) suffered two intrusions in 2014-2015, leading to the exposure of more than 20 million government employee records. In April 2016, the Turkish Citizenship Database was hacked in an apparently politically motivated cyberattack; over 46 million records were lost. Also in 2016, the servers of the Philippine Commission on Elections (COMELEC) were compromised, leaving 55 million voters at risk. A day before Knesset elections in 2020, 6.5 million names and ID numbers of Israeli voters, including where people were set to vote, were published online. Perhaps the largest single compromise of government data was the 2018 Aadhaar incident, which exposed 500 million records from an Indian biometric database.
Whole populations have become pawns in political contests between states amid the absence of political determination to seek (or provide) international remedies against compromises of the personal, if not societal, right of informational self-determination. The right of an individual to control the disclosure and use of their personal data has become intertwined with the freedoms of expression and information as well as reasonable expectations of security. While data breaches are subjected to scrutiny in an increasing number of jurisdictions, exfiltration and publication of personal data by states and their proxies is a separate issue that cannot be effectively resolved by domestic efforts alone.
There is perhaps no need to repeat in any international instrument the principles of personal data protection that assist controllers and processors, as well as national supervisory and enforcement authorities, in determining the measures necessary to adequately secure personally identifiable information. International personal data protection guarantees do not necessarily have to depend on who owns or controls personal information. Instead, discussions could focus on additional measures to prevent exfiltration of personal data, especially sensitive personal data, personal data of certain categories of internationally protected persons, the personal data of highly vulnerable people or personal data exfiltrated in bulk (national population, voter or other databases).
There is an opportunity for advocates of the right to privacy in the digital age (such as Brazil and Germany), states that have strongly condemned data breaches (Finland, for instance) or jurisdictions with advanced personal data protection guarantees (such as the European Union) to invite a discussion of the need for international guarantees against certain data breaches and their implications. There is evident public harm in the compromises of still inadequately secured national databases and public e-services, especially those that are mandatory to use and to which no meaningful offline alternative exists. The issue is not just one of trust: the subsequent use of such information can have adverse effects not just on individuals but on whole groups and classes of people. Also, even when such data is not immediately used by hackers, exfiltration exposes it to the risk of secondary exposure by other threat actors. Furthermore, protection of personal data should not depend on where it has been stolen from, or by whom, as long as the theft involves potential public harm. Politically motivated targeting of corporations, social media platforms and other online services, either directly or as instruments in further operations, should not be tolerated or endorsed.
What steps can be taken to deal with this problem set? There are a multitude of diplomatic fora to which these discussions may be taken. States could flag these issues under relevant General Assembly and Human Rights Council processes. Experts and policymakers could consider drawing the attention of international and regional privacy and data protection authorities to such breaches. Perhaps these developments would constitute a reason to revisit the need to address international personal data protection by the International Law Commission. The nexus of malicious and hostile cyber operations and personal data is also topical for the Open-ended Working Group on security of and in the use of information and communications technologies. Discussions of information influence operations involving personal data or international organisations could also be relevant in the light of the recent Pakistani-initiated resolution on Countering Disinformation for the Promotion and Protection of Human Rights and Fundamental Freedoms. Reminders of international guarantees against discrimination and loss of privacy could be complemented by discussions of restraint against exfiltration of personal data, requirements to surrender such data and requirements to provide assistance in investigation and mitigation of such breaches. Why not make a separate political commitment to condemn theft of personal data, using the blueprints condemning theft of intellectual property?
Additional Commitments to Protecting International Organisations
The ICRC data breach isn’t significant only because it’s a personal data breach. Deriving from the Geneva Conventions and their Additional Protocols, the ICRC’s mandate to protect and help people affected by armed conflict and violence grants the ICRC an international legal status akin to that of international intergovernmental organisations. Albeit an atypical international organisation, the ICRC joins the long list of international organisations that have fallen victim to malicious and hostile cyberattacks or information operations in the past few years. In 2016, a World Anti-Doping Agency (WADA) database containing athletes’ confidential medical data was broken into. In 2018, Le Monde reported that a backdoor had been inserted in the computer network at the African Union Headquarters. The UN and its specialised organisations have also been subject to several intrusions. A 2018 cyber operation against the Organization for the Prohibition of Chemical Weapons was intercepted and reported. In 2020, during the COVID-19 pandemic, WHO staff reported receiving phishing emails mimicking messages from Google web services but containing malicious strings. And a breach of UN IT infrastructure that came to light in 2020 affected dozens of servers in three separate locations holding a range of data, including personal information about staff and lists of user accounts. UN Security Council officials have also been targeted directly by spear-phishing attacks. The list of targeted international institutions is long and includes other UN entities and several institutions of the European Union.
Cyberattacks and information operations targeting or impersonating international organisations are trending. Whether they are committed by states, their proxies or non-state actors, they merit attention and effective restraint. International organisations provide proven and sustainable ways to arrange international cooperation and solve daily, acute and long-standing issues. They constitute the backbone of efforts to reduce international tensions and find peaceful solutions to international disputes. As such, keeping them out of harm’s way can be perceived to be in the interest of all states.
A discussion about how to prevent malicious and hostile cyberattacks and information operations against international and intergovernmental organisations is long overdue. Some scholars have suggested that there is no general rule of international law that specifically prohibits interference with the cyber infrastructure of an international organisation. Others have underscored that the prohibitions on information operations and interference have high thresholds, raising issues similar to the dilemma of effective remedies against cyberattacks below the threshold of use of force. Still others, however, emphasise the potential of the privileges and immunities afforded to international organisations under international law to provide some protections and remedies against certain cyber operations.
Where to Start?
If, after addressing the issue, states indeed find that international law leaves room for committing such acts, restraint – to the effect of guaranteeing the ability of such organisations to perform their tasks – would be a widely welcomed addition to existing voluntary and non-binding commitments. To help states find their bearings under established international law, scholarly discussions focusing on these issues would also be a timely contribution.
The commitments that states have made towards other states in terms of cooperation and assistance should be extended to international organisations. In particular, pledges not to target computer emergency response capabilities could also serve as a blueprint for agreements not to target international and regional organisations. The applicability of international law deserves to be re-emphasised in this context, perhaps with reference to relevant rules and standards. Furthermore, as states condemn cyberattacks against their own, or allied states’, servers or infrastructure, such statements could also be issued on cyber operations that target international organisations or vulnerable groups.
The ICRC has been adamant about ensuring that use of ICTs doesn’t become a driver of conflict and that, if cyber capabilities are used in situations of armed conflict, civilians are protected. Faced with cyberattacks and information operations, international organisations generally focus on their mandates and tasks rather than advocate for their own safety and security. It is up to the international community, and especially governments, to provide guarantees against malicious and hostile use of ICTs to harm intergovernmental organisations and populations.
About the Author
Eneken Tikk is affiliate researcher of the Erik Castrén Institute of the University of Helsinki and the Executive Director of the Cyber Policy Institute. She is co-editor of the Routledge Handbook of International Cybersecurity (2020) and the editor-in-chief of the International Journal of Digital Peace and Security.