Authors: Dr. Tilman Rodenhauser, Thematic Legal Advisor, ICRC HQ
Raji Gezahegn, Legal Advisor, ICRC Delegation in Ethiopia
Around the world, societies are digitizing. The African continent is no exception. In fact, it is a front runner in certain areas, such as mobile-money services. There are great opportunities in the digital transformation of societies, including for the delivery of health services, mobile banking, communication, educational resources, e-government services and new infrastructure projects. However, there are also risks that these services be disrupted through the malicious use of information and communication technology (ICT) by States and non-State actors. This risk is particularly acute for States with rather weak cyber security systems – according to the ITU 2018 Global Cyber security Index many African states are among them.
‘Cyber Security’ is a flagship project of the African Union’s Agenda 2063. Experts argue that African States should consider a range of measures from coordination and cyber capacity building at national, regional, and global level, to developing a robust international legal framework to protect States and their citizens from digital threats. In this post, we argue that cyber operations are increasingly being used in armed conflicts, African States should embrace the applicability of international humanitarian law in cyberspace as a safeguard against the harmful effects of hostile cyber operations conducted during on-going or future armed conflicts. While African States may not be involved in these conflicts, cyber operations – in particular unlawful indiscriminate attacks – risk spreading beyond the confines of one conflict affect African States incidentally.
The risk of human harm through cyber operations
Cyber operations pose a real risk of human harm. Cyber security experts warn against a ‘humanitarian crisis in the making’. This risk is particularly important when critical infrastructure is targeted through cyber operations. Attacks against medical infrastructure (seen around the globe during the COVID-19 pandemic, including in South Africa) or water and sanitation systems can affect the health and lives of citizens. Attacks against electricity providers (as witnessed in Johannesburg in 2017) or against mobile money systems can cause significant societal and economic disruption.
In a recent statement of the African Group in the United Nations Open-Ended Working Group on ICTs, 54 African States framed the threat as follows:
“A number of States are developing ICT capabilities that could be used for malicious and offensive military purposes. These technologies easily proliferate to non-state actors. All these developments coincide with increasing tensions at the international levels and a new arms-race. The risk of harmful ICTs attacks against critical infrastructure is both real and indeed very serious.”
This assessment corresponds with the International Committee of the Red Cross’ (ICRC) warning that with an increasing number of States developing military cyber capabilities, ‘the use of such capabilities is likely to increase’.
International humanitarian law as a protection framework in cyberspace
International humanitarian law (IHL) is the field of international law that applies during armed conflicts. Most IHL rules aim to protect civilians and civilian infrastructure against the effects of hostilities. Of course, in the Geneva Conventions of 1949 and their Additional Protocols of 1977 States defined these rules having in mind armed conflicts fought with conventional weapons – but the drafters had sufficient foresight to explicitly include rules making clear that IHL also applies to future weapons, means or methods of warfare (see article 36 Additional Protocol I). While some States have raised questions about the applicability of these rules to cyber operations, In 1996, the International Court of justice stated that the established principles and rules of humanitarian law applicable in armed conflict apply ‘to all forms of warfare and to all kinds of weapons’, including ‘those of the future’. Undoubtedly, this includes cyber operations during armed conflicts. Similarly, the ICRC has long held the view that IHL ‘limits cyber operations during armed conflicts just as it limits the use of any other weapon, means and methods of warfare in an armed conflict, whether new or old’.
In the debate around the applicability of international law in cyberspace, legal experts and policy makers – including in Africa – may wonder whether IHL should be their priority. After all, in many States armed conflicts are fought with guns, not with laptops and malware. Are cyber operations not taking place at a ‘safe distance’ from African States?
In cyberspace, this approach would be dangerous. Because of the interconnected nature of cyberspace, attacks carried out against one State affects many others – wherever they are located and irrespective of whether they are involved in the conflict. For example, malware such as WannaCry or NotPetya infected computers in many countries at peace, first in Asia or Europe before spreading around the globe and also affecting African States. Having strong international rules applicable to cyber operations during armed conflict and insisting that IHL is respected should be a cyber security-concern for all States – for their own protection.
IHL prohibits the development and use of malware that targets civilian objects (including what is sometimes called ‘critical civilian infrastructure’) or that spreads automatically and affects military and civilian targets without discrimination. Likewise, parties to conflicts are prohibited from carrying out an attack – including through cyber means – that may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated. These are but two examples of the rules that all States have an interest – and an obligation – to see respected.
The way forward: speaking law to power
In 2018, States established two United Nations processes on ICT security (the Open-Ended Working Group and a Group of Governmental Experts). In both processes, States are mandated to study the legal framework governing cyberspace. While States’ views diverge on questions such as whether a new treaty governing cyberspace is needed, especially those States that risk being intentionally targeted or becoming unintentionally affected by cyber operations should have a strong interest and obligation in stressing that existing rules of IHL apply and restrict cyber operations during armed conflicts. In 1977 already, States agreed that IHL cannot ‘be construed as legitimizing or authorizing any act of aggression or any other use of force inconsistent with the Charter of the United Nations’. Indeed, IHL must not be regarded as undermining United Nations Charter but as an additional layer of protection for civilians and civilian infrastructure.
“Dr. Tilman Rodenhäuser is a legal adviser at the International Committee of the Red Cross (ICRC). The views expressed on this blog are his own and do not necessarily reflect those of the ICRC. Prior to joining the ICRC in 2016, Tilman has worked with the German Red Cross, the think-tank DCAF, the NGO Geneva Call, and the United Nations, with missions in Africa and the Middle East. Tilman holds a PhD from the Graduate Institute of International and Development Studies in Geneva and recently published the monograph Organizing Rebellion: Non-state armed groups under international humanitarian law, human rights law, and international criminal law(OUP, 2018). He has also published various articles in renowned international journals and received different awards for his work. He can be reached at email@example.com”
“Raji Gezahegn a legal adviser at the International Committee of the Red Cross (ICRC). The views expressed on this blog are his own and do not necessarily reflect those of the ICRC. Prior to joining ICRC, Raji worked as Lecture of Law for several years. Raji holds two graduate degrees in Public International Law and International Human Rights Law from Addis Ababa University and University of Essex respectively. He can be reached at firstname.lastname@example.org “