Acting Assistant Secretary-General for Humanitarian Affairs, Ramesh Rajasingham Opening remarks on contemporary challenges on the protection of civilians and humanitarian aspects related to cyber-attacks at Arria-Formula meeting on Cyber-Attacks

Acting Assistant Secretary-General for Humanitarian Affairs, Ramesh Rajasingham Opening remarks on contemporary challenges on the protection of civilians and humanitarian aspects related to cyber-attacks at Arria-Formula meeting on Cyber-Attacks Against Critical Infrastructure

26 August 2020, 15:00-17:00, New York via VTC

Thank you for inviting OCHA to deliver opening remarks on the protection of civilians as it relates to cyber-attacks against critical infrastructure.

As Secretary-General Guterres has noted in his most recent report on the protection of civilians, many armed conflicts continue to be characterized by civilian death, injury and trauma, forced displacement, as well as damaged and destroyed homes, schools, markets, places of worship, hospitals and other essential civilian infrastructure such as electrical and water systems.

Today, the COVID-19 pandemic, which the Secretary-General has called the greatest test that the world has faced since the establishment of the United Nations, compounds this human suffering substantially.

The pandemic has the potential to devastate conflict-affected countries and overwhelm health-care systems, many of which are already weak. In places like Yemen, Afghanistan and Libya, we have seen the extent to which the ability to prevent the spread of the virus, care for infected people and sustain essential health services for the general population has been severely constrained.

Moreover, as the toll of armed conflict and the pandemic compound each other to overwhelm health-care systems in armed conflicts across many parts of the world, attacks on healthcare continue. Since the beginning of the year, the World Health Organization has recorded more than 135 attacks against health care in 13 countries, many of which are facing armed conflict.

Last week, the ICRC reported more than 600 incidents of violence, harassment or stigmatization against healthcare workers, patients and medical infrastructure in relation to COVID-19 cases during the first six months of the pandemic. This took place across 40 countries, of which a number are also facing armed conflict.

In addition, since the start of the COVID-19 pandemic, we have seen a troubling rise in cyber-attacks against hospitals and other healthcare facilities, delaying and disrupting a range of health services when they are needed most.

When armed conflict and the COVID-19 pandemic overlap, protecting medical care, other essential services, and the infrastructure they rely on is more critical than ever. This makes the important theme of today’s Arria-Formula Meeting on “Cyber-Attacks Against Critical Infrastructure” incredibly timely.

As the Secretary-General noted in his 2020 report on the protection of civilians, the digitization and interconnectivity of the healthcare and energy sectors mean that the frequency and impact of cyber-attacks on healthcare, electrical and water infrastructure could become increasingly widespread.

Cyber-attacks against industrial control systems that operate critical civilian infrastructure such as electrical, water, and sanitation facilities can cause significant harm to populations. The energy sector is known to regularly come under cyber-attack. The disruption of electricity grids can deprive large numbers of people of electrical power, as we have seen in Ukraine, for instance. Water treatment facilities are also vulnerable to cyber-attack, with the risk of disrupting the provision of drinking water and leading to shortages in supply.

The increased digitization and interconnectivity we see in the healthcare sector has made it more vulnerable to attack as well. Cyber-attacks have jeopardized healthcare services in places like the UK, the Czech Republic, France, Spain, Thailand and the United States, at times forcing the postponement of surgeries, compromising patient data, and disrupting health services, including the processing of COVID-19 tests. Research in the U.S. has revealed that hospitals facing cyber-attacks and data breaches have seen a rise in the mortality rate of certain patients because of delays in administering tests.

Since the start of the COVID-19 pandemic, INTERPOL has reported a rise in ransomware attacks against hospitals and other healthcare facilities. Research into COVID-19 testing, treatment and vaccines has also proven vulnerable to cyber-attack, with worrisome implications for all of us.

While it may not always be clear whether cyber-attacks are connected to situations of armed conflict, we know that some have taken place in situations of ongoing armed conflict or have affected countries taking part in armed conflict. We also know that, particularly in situations of armed conflict, the disruption of critical civilian infrastructure can have devastating effects for civilians in the immediate and longer term and can also hamper humanitarian activities.

International law sets some important limits on cyber-attacks. The General Assembly has confirmed that “international law, and in particular the Charter of the United Nations, is applicable and essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful information and communications technology environment.” In addition, an increasing number of States recognize that international humanitarian law (IHL) applies to cyber operations during armed conflicts, without legitimizing or encouraging the resort to force in the first place.

IHL aims to limit the humanitarian consequences of armed conflict. In the conduct of hostilities, it limits the tactics and weapons that parties to armed conflict may resort to, with a view to minimizing human suffering. The fundamental rules of distinction, proportionality and precautions in and against the effects of attack all serve this aim.

IHL also sets out rules that specifically address the protection of medical facilities and other infrastructure vital to civilians. Medical units and transports, such as hospitals, clinics and ambulances, must be respected and protected in all circumstances. In addition, IHL prohibits attacking, destroying, removing or rendering useless objects that are indispensable to the survival of the civilian population, such as drinking water installations.

As the Secretary-General has noted, further reflection is needed to identify ways of reducing the potential human cost of cyber-operations during armed conflict and to work towards consensus on the interpretation of IHL as it applies to them.

The UN Open-Ended Working Group (on developments in the field of information and telecommunications in the context of international security) and the Group of Governmental Experts (on advancing responsible State behaviour in cyberspace in the context of international security) are doing important work to address how international law applies to the use of information and communications technologies (ICTs).

In the context of the UN Open-Ended Working Group, the ICRC recently proposed a new norm of responsible State behavior in cyberspace that would require that States not conduct or knowingly support ICT activity that would harm medical services or medical facilities and take measures to protect medical services from harm.

In May this year, more than 40 international leaders called on governments to take immediate and decisive action to stop cyber-attacks on healthcare in the midst of the COVID-19 pandemic, including by reaffirming and recommitting to the international rules that prohibit such attacks.

In March, and again this month, a large number of international law scholars signed two “Oxford Statements” regarding relevant international law rules and principles relating to malicious cyber operations targeting healthcare facilities and vital vaccines. Both Oxford Statements encourage all States to consider these rules and principles when developing national positions and in relevant multilateral processes and deliberations.

In combination with addressing the application of international law and formulating new norms of responsible State behaviour, governments, the private sector, civil society, academic institutions and other stakeholders have proposed a range of practical measures and options for international cooperation to avoid the human cost of cyber-attacks.

I look forward to hearing today’s distinguished briefers and to the ensuing discussion on ways to protect critical infrastructure against cyber-attacks and how international law and norms of responsible State behaviour in cyberspace serve to protect it.