with support from
Strategies for Reconciling International Humanitarian Law and Cyber Operations
DR. PETER MAURER is the President of the Basel Institute on Governance and former President of the International Committee of the Red Cross
As the global community adapts to hybrid warfare, reconciling international humanitarian law (IHL)—which seeks to limit the effects of armed conflict—with the growing prevalence of cyber operations is of critical importance. Whether at or below the threshold of war, cyber operations like data breaches can impact the ability of humanitarian organizations to protect civilians, thereby increasing the potential human costs of conflict. Cyberattacks on critical infrastructure such as energy grids, telecommunications networks, or digital hospital systems can also undermine the well-being of civilians in a variety of ways. While some organizations such as the International Committee of the Red Cross (ICRC) have affirmed that existing IHL is applicable to cyber operations in situations of armed conflict, the rules currently in place may be inadequate. Increased digitalization offers many advantages to humanitarian actors, but as the ongoing war in Ukraine demonstrates, there are a range of emerging risks—such as the overlaps between civilian and military infrastructure that put critical civilian networks in danger of attack—that are compounded by the proliferation of cyber operations. Dr. Peter Maurer, President of the Basel Institute on Governance and former President of the ICRC, spoke with FP Analytics about the challenges and opportunities related to upholding IHL in the age of hybrid warfare.
Listen to the full Q+A with Dr. Peter Maurer
FP Analytics (FPA): How is the growing prevalence of cyber operations alongside kinetic warfare affecting humanitarian operations?
Dr. Peter Maurer (PM): The combination of kinetic and cyber operations is heavily affecting humanitarian actors on the ground. Cyber operations can cause collateral damage that affects cyber-based services to people and therefore have heavy impacts on humanitarian operations and civilian populations. Humanitarian operators on the ground have increasingly gone digital over the past 10, 15 years, delivering digital services to people in terms of analytics and advice on where to go, where to find safe places, etc. Humanitarian agencies collect data on beneficiaries that are of interest to belligerents. They also conduct logistical operations that are heavily rooted in cyber support—making both humanitarian operations and civilian populations more vulnerable to cyber operations.
There is also another challenge, particularly in the context of Ukraine. Cyber-based misinformation, disinformation, and hate speech are increasingly affecting civilian populations and humanitarian operations. The trust between beneficiaries of humanitarian aid and humanitarian organizations is shattered by misinformation and disinformation, as is the trust between governments and their populations. And this is highly disruptive.
And I would add: We see cyber operations affecting civilians and services to populations outside of the context of armed conflict. The traditional categories that were so well understood by civilians, by the militaries, and by humanitarian organization—like “What is the battlefield?” “Where is the battlefield?” “Where are military and civilian actors and humanitarian organizations?”—all of these categories that are so crucial to humanitarian operations and the work on the ground become fluid. Battlefields enlarge, and the technician doing the technical work on a cyberattack becomes eventually a direct participant in warfare even if his place of production is far away from the battlefield.
FPA: What are humanitarian organizations doing to improve their civilian protection efforts and safeguarding, and what more can they be doing?
PM: In today’s world, there are minimum precautions: education, training, beefing up your cybersecurity system as a humanitarian organization or as a civilian affected by cyber or hybrid operations in conflict. But there is certainly more to do. You need to discuss the legal frameworks in which you are trying to operate and engage with states and with belligerents, to clarify what, in your view, is the protective element of IHL and what should be respected in cyber operations.
Then there is, of course, a lot of technical know-how on how to operate on the ground. Humanitarian organizations are not traditionally very digitally literate. This needs to be improved, but it can only reasonably be improved through partnerships with digital actors, with digital companies and specialists. You need to rely on partnerships. And this, of course, raises the dilemma of how neutral you can be depending on the partnerships you are engaging with.
I have seen how important it is to have decentralized systems that are less vulnerable to attack than centralized cybersecurity systems. It is important to connect your operation to the people on the ground and to raise awareness of the dangers of cyberattacks on civilians and humanitarian operators. There is a panoply of work that ranges from internal to external policy, diplomacy, system design, and capacity building that needs to be done.
FPA: What can the international community do to better help humanitarian organizations in complex cyber contexts?
PM: The best support that a humanitarian organization can have from the international community is some minimal consensus on not attacking civilian populations and humanitarian organizations. For centuries, that has been the essence of humanitarian work.
Now, I am not naive. We are not living in a world in which consensus is immediate, and today’s great power competition adds to divisiveness. We most likely will not find the necessary consensus—backed by action—that will maintain a neutral and impartial humanitarian space in digital operations any time soon.
What states can do still is develop best practices to instruct their militaries to not attack humanitarian and civilian organizations and populations. In today’s world, there are countries cognizant of the danger of intruding into a neutral humanitarian space via digital operations, countries that are instructing their military operators not to do so and to look for consensual agreements with humanitarian organizations on the ground so that practical arrangements to deliver assistance can be reached. But this is not a norm at present.
FPA: Why is safeguarding critical infrastructure from cyberattacks so important for civilian protection? And how does critical infrastructure fit into existing IHL?
PM: There is almost no aspect of society today that is not affected or supported by digital infrastructure. Attacks on critical infrastructure immediately lead to chain reactions and to enormous vulnerabilities among populations. Attacks on networks, on the cyber-based delivery of services, therefore, affect civilian populations heavily.
At the same time, countries that have great networks and have already digitalized their services to populations become important entry points for humanitarian organizations. Let’s take the example of Ukraine. The country has developed its digital infrastructure over the past 10, 15 years enormously. Because it has this digital infrastructure, humanitarian responders were able to, for instance, deliver services to individuals affected by the conflict. What would have been goods on trucks delivered to people today can be transfers of cash onto cellphones and into the bank accounts of affected populations. This demonstrates how important it is to maintain this infrastructure during an armed conflict.
Of course, regarding IHL, it is critically important that we build infrastructure that respects the principle of distinction—the distinction between military and civilian infrastructure and military and civilian actors. Using military digital infrastructure for services that also serve civilian populations makes that infrastructure attackable under IHL. I think the conflict in Ukraine has sensitized us as to how important it is to have a truly civilian digital infrastructure that is protected by law. You can build these systems preemptively before tensions and wars escalate in a way that makes them better prepared for possible conflict.
FPA: With those challenges in mind, how could IHL be adapted or expanded to encompass the challenges of cyber warfare?
PM: We need multiple strategies to adapt IHL to today’s hybrid kinetic–cyber realities. The first entry point I would suggest is making logical legal interpretations from concepts that we have all agreed upon. The Geneva Conventions are full of these concepts: the conduct of hostilities when we condition it to distinction, proportionality, and precaution. Through interpretation, we can basically make them applicable to cyber operations in today’s conflicts and this would certainly help. We have to recognize, however, that the Geneva Conventions were drafted at a time when we were looking at kinetic warfare first and foremost, and therefore there are unquestionably gaps and lack of clarity in the law. You need to do legal work to fill those gaps in the law and create new norms or at least to deliver manuals that instruct militaries on how to interpret the law regarding cyber operations.
Hopefully, one day these efforts will lead to a further development of IHL in a contractual sense. I fully support the idea of a “digital Geneva Convention,” for example. The question is how fast we will be able to convince 196 state parties to agree. Pending further progress on these issues we must rely on the unilateral, bilateral, or regional development of manuals, tools, and instructions to militaries in order to facilitate the protection of civilians.
FPA: Are there any other issues you feel are crucial to this topic?
PM: First, the concept of collective action should be introduced into the discussion that we are having over the interpretation and expansion of IHL. Collective action is the effort among governments, the private sector, civil society, and the military to reach understandings over civilian protection.
Second, we have to accept that there is no one body of law that will be applicable to hybrid warfare. We have to take into account human rights law, IHL, and eventually broader counter-terrorism and terrorism legislation and consensus to find the best principles for dealing with the dilemmas presented by hybrid operations. Finally, there is an open question of how artificial intelligence will help us deal with complexity, whether artificial intelligence will help us find better processes and actions on the ground during conflicts.
Dr. Peter Maurer is the President of the Basel Institute on Governance, a Senior Fellow of the Graduate Institute of International and Development Studies in Geneva, and the former President of the International Committee of the Red Cross, a position he held from 2012 to 2022. Before his post at the ICRC, he was Secretary of State for Foreign Affairs in Switzerland from 2010 to 2012 and Ambassador/Permanent Representative of Switzerland to the United Nations from 2004 to 2010. He began his career in the Swiss diplomatic service in 1986 with various positions in Switzerland, South Africa, and the United States.
Shelley McKinley
Developers Collaborate to Secure Software Ecosystem Amid Digital Threats
The war in Ukraine has shown that the tech industry has a meaningful role to play in enabling developers to strengthen defenses from cyberattacks.
David Agranovich
Detect, Disrupt, Deter: The Multistakeholder Threat-Disruption Model
The tech industry was first to push back as cyber mercenaries launched influence operations, malware development, and espionage, but governments are catching up.
David van Weel
A Proactive Approach to the Cyber Domain Strengthens NATO’s Deterrence and Defense Posture
Responding to the growing threat of hostile cyber operations requires a mindset shift toward greater civilian–military cooperation as well as more engagement with the private sector.
Stéphane Duguin
Tracing Cyberattacks in Times of Conflict: The Hard Path to Cyber Peace
Transparency and rigorous data collection are essential to credibly tracking cyber operations during the Russia–Ukraine war— as are being neutral and facilitating redress for all victims.