A Digital Red Cross: What Would It Defend Against?
On November 18, 1991, after enduring a three-month artillery assault, the city of Vukovar in Croatia fell to what was then known as the federal Yugoslav People’s Army (JNA) and Serb paramilitary forces. After JNA units took control of a hospital where hundreds of sick and wounded were located, they removed approximately 300 men of whom at least 200 were later murdered at the nearby town of Ovcara. Years later, the Prosecutor at the International Criminal Tribunal for the former Yugoslavia charged those responsible for this atrocity with war crimes.
For over 150 years, the Red Cross, Red Crescent, and later the Red Crystal symbol have endured as indelible images of protection during warfare. We reserve these emblems for people and places that are entitled to a rare privilege of safety and security while providing medical and humanitarian assistance during armed conflicts. The urge to expand their protection to other realms is understandable but requires caution and attention to technical, political, and operational challenges.
A Digital Protected Emblem
Recently, the International Committee of the Red Cross (ICRC) announced an innovative proposal to identify the digital presence of certain humanitarian and healthcare organizations during armed conflict. The hope is that identifying protected digital infrastructure “would make it easier for those conducting cyber operations during armed conflict to identify and spare protected facilities – just as a red cross or crescent on a hospital roof does in the real world.”
The proposal is a creative attempt to protect the digital presence of those humanitarian organizations entitled to the protections afforded by the Red Cross. The digital health of those organizations is essential to their ability to provide services, such as life-saving medical care. Malicious cyberattacks could, among other things, potentially deprive a facility of critical medical information that is necessary to treat patients. The Digital Red Cross proposal represents an attempt to bridge the gap between how International Humanitarian Law (IHL) applies in the physical world with the unique dimensions of the cyber domain. But if a Digital Red Cross system is going to be effective and resilient, threshold legal challenges must be resolved concerning how IHL applies in the cyber domain.
Technical Implementation and Political Considerations
With respect to technical implementation, the international community must agree on how to deploy the symbol. The ICRC, who partnered with research organizations such as the Johns Hopkins Applied Physics Laboratory (APL), has proposed three options: (1) a Domain Name System (DNS)-based emblem – which would be represented as information appended to a domain name (e.g., www.hospital.emblem) for each protected system; (2) an Internet Protocol (IP)-based emblem which could include a particular sequence of numbers in an IP address to signal a protected asset or message; and (3) a potential Authenticated Digital Emblem which would use certificate chains to signal the existence of protected digital infrastructure. Whether one or more of these proposals is viable would require international engagement and consensus.
There are political challenges as well. As the ICRC indicates, any implementation of a Digital Red Cross system to protect humanitarian digital infrastructure during an armed conflict would require a new protocol to the Geneva Conventions that specifically addresses the idea of the new digital emblem. Achieving international agreement on legal frameworks involving anything cyber-related is a fraught task as illustrated by the ongoing negotiations at the United Nations concerning a new cybercrime treaty.
Operational Purpose and Functioning
Yet, even if the technical and political challenges can be overcome, uncertainty concerning a foundational question remains: what conduct is this system designed to defend Red Cross-protected organizations against?
Under IHL, intentionally directing attacks against Red Cross personnel or other physical assets – such as buildings or vehicles – is a war crime. However imperfect, this legal framework provides a fundamental pillar of deterrence upon which the broader, protective humanitarian assistance framework rests. Whether through the intentional targeting of digital infrastructure protected by a Digital Red Cross or through the unlawful misappropriation of the Digital Red Cross to cloak a non-protected digital asset with the protection of the Digital Red Cross, a violation of this new protective framework would need to be supported by the same type of enforcement structure.
As part of its proposal for the Digital Red Cross, the ICRC acknowledges the important role that a regulatory framework will play in the success of the system, stating, “[i]t may be expected that without a regulatory and enforcement system, a ‘digital emblem’ will be less widely known and rules on its use less likely to be respected.”
A consensus has developed that the rules of IHL apply to cyber operations during an armed conflict. How those laws apply is more complicated. Notably, what constitutes an “attack” under IHL in the context of a cyber operation is the subject of significant debate. There is broad agreement that cyber operations that cause physical damage, injury, or death constitute an “attack.” Beyond those scenarios, however, the consensus begins to fracture. Some, such as the ICRC, argue that cyberattacks that disable computers or computer networks should also constitute an “attack” under IHL. But that interpretation is not universally accepted and there is disagreement regarding, among other things, what effects below physical damage to a computer system would qualify as an attack. Some commentators have emphasized that there “is a fundamental problem in trying to view cyber operations” with the same viewpoint as a kinetic attack because it fails to acknowledge the unique “power and value of data and information as both a target and a weapon.”
If the goal of the Digital Red Cross is to build a system that will clearly signal to cyber operators what digital infrastructure is to be spared a cyberattack, inability to clearly define an “attack” significantly undermines that effort. Even if a cyber operator knew which facilities were digitally protected, not knowing what conduct is prohibited limits the deterrent force of the framework. If disabling – but not physically destroying a computer network – does not qualify as an attack under IHL, then a cyber operator during an armed conflict could, in theory, disable the computer network of a Red Cross-protected facility with impunity, compromising the lifesaving care it might provide. Indeed, if a cyber attack must cause a physical effect to implicate IHL, then the scenarios in which the Digital Red Cross would be relevant are unlikely to occur.
The ICRC itself seems to acknowledge the lack of clarity concerning the application of IHL to cyber operations, noting in its proposal that the Digital Red Cross “could also play a role in adapting the existing rules of IHL to the challenges posed by cyber operations during armed conflict.” The ICRC may hope that the advent of the digital symbol will push the collective viewpoint closer to its perspective that a cyber attack which disables a computer or computer network is an “attack” under IHL. But there is also a risk that, without a consensus concerning what qualifies as an attack, any deterrent effect of this system will not carry significant force. And yet, the risks of implementing the Digital Red Cross, including what the ICRC describes as the potential of making it easier for malicious cyber operators to accurately identify and attack Red Cross-protected organizations, will remain.
The Digital Red Cross proposal is ambitious and could help support greater security for the digital infrastructure of medical personnel providing critical life-saving care during armed conflict. It is an important effort that acknowledges and attempts to reconcile the challenges of applying IHL in the cyber domain. But the lack of clarity concerning what qualifies as an “attack” in the context of cyber operations during an armed conflict casts a cloud of uncertainty over whether this system can realistically and effectively help defend Red Cross-protected organizations from malicious cyberattacks.
This lack of clarity could have real world consequences. The murder of hundreds of wounded and sick men after being removed from the Vukovar hospital in 1991 was a horrific but straightforward example of a violation of international law and a war crime. That this conduct was clearly violative of IHL further cemented, even if in a small way, the legal status of protections of the wounded and sick during armed conflict. Where prohibited conduct is far less clear, as in the cyber domain, building a resilient framework of deterrence will be difficult. If anything, one of the most important issues raised by the Digital Red Cross proposal is its stark reminder that the application of a critical aspect of IHL to cyber operations is unsettled. And, as long as it remains that way, important protective frameworks such as the Digital Red Cross system will lack a foundational building block.
Christian Ohanian is a Senior Fellow with the Tech, Law, and Security program at American University.
Photo credit: Pexels