ICRC EXPERT MEETING 14–16 NOVEMBER 2018 – GENEVA THE POTENTIAL HUMAN COST OF CYBER OPERATIONS REPORT ICRC EXPERT MEETING 14–16 NOVEMBER 2018 – GENEVA THE POTENTIAL HUMAN COST OF CYBER OPERATIONS Report prepared and edited by Laurent Gisel, senior legal adviser, and Lukasz Olejnik, scientific adviser on cyber, ICRC THE POTENTIAL HUMAN COST OF CYBER OPERATIONS Table of Contents Foreword............................................................................................................................................. 3 Acknowledgements ............................................................................................................................. 4 Executive summary ............................................................................................................................. 5 Introduction....................................................................................................................................... 10 Session 1: Cyber operations in practice .………………………………………………………………………….….11 A. Understanding cyber operations with the cyber kill chain model ...................................................... 11 B. Operational purpose ................................................................................................................. 11 C. Trusted systems and software supply chain attacks ...................................................................... 13 D. Cyber capabilities and exploits ................................................................................................... 13 E. Evolving nature of the threat actors and the growing attack surface ................................................. 14 F. Cyber vs kinetic attacks ............................................................................................................ 15 G. Attack and defence .................................................................................................................. 15 H. Importance and challenges of attribution...................................................................................... 17 Session 2: Cyber attacks that could affect the delivery of health care ................................................... 18 A. Cyber attacks that could affect hospitals (or other medical facilities)................................................. 18 B. Cyber attacks affecting medical devices ...................................................................................... 19 C. Cyber attacks affecting biomedical devices .................................................................................. 20 D. The challenge of fixing vulnerabilities in medical devices ................................................................ 20 E. Resilience of the health-care sector to cyber attacks ..................................................................... 21 Session 3: Cyber attacks that target critical civilian infrastructure or that may otherwise affect the delivery of essential services to the civilian population ........................................................................ 23 A. Specific features of cyber attacks against industrial control systems ................................................ 23 B. Threat actors: number, purposes, resources, capabilities, and evolution ........................................... 24 C. Attack testing .......................................................................................................................... 25 D. Risk and quantification .............................................................................................................. 26 E. Risk reduction and resilience ..................................................................................................... 27 F. Incident notification and response ............................................................................................... 28 Session 4: Cyber attacks on the internet core or that may have other systemic effects .......................... 29 A. Cyber attacks on DNS servers ................................................................................................... 29 B. Distributed Denial of Service (DDoS) attacks ................................................................................ 29 C. Attacks against cloud service providers ....................................................................................... 30 D. Practical results of attacking internet services and their dependencies ............................................. 31 1 THE POTENTIAL HUMAN COST OF CYBER OPERATIONS Session 5: Cyber operations during armed conflict .............................................................................. 32 A. Peace time, armed conflicts and grey zones................................................................................. 32 B. Cyber space as an operational domain of a predominantly civilian nature ......................................... 32 C. Vulnerability disclosure, secrecy and deterrence ........................................................................... 33 D. Cyber operations as means and methods of warfare: circumstances of use, aim and expected effects.. 34 E. Potential military cyber operations that take advantage of the medical condition of an enemy. ............. 35 F. Cyber operations and expected incidental civilian harm ................................................................. 36 Session 6: The protection afforded by existing law, and possible avenues to reduce the human cost of cyber operations................................................................................................................................ 37 A. Conflict classification and questions of attribution .......................................................................... 37 B. The notion of “attack” ................................................................................................................ 38 C. Challenges in anticipating the effects of cyber attacks ................................................................... 38 D. The persistence of malware once released .................................................................................. 39 E. Potential avenues to reduce or avoid human harm ........................................................................ 39 Annex 1: Agenda ............................................................................................................................... 43 Annex 2: List of experts ..................................................................................................................... 49 Annex 3: Background document ......................................................................................................... 51 2 THE POTENTIAL HUMAN COST OF CYBER OPERATIONS Foreword One of the main aims of international humanitarian law (IHL) is to protect the civilian population from the effects of military operations. Cyber warfare is the subject of growing concern, and there is no consensus around the question of how IHL will protect civilians against its effects. But what are the effects of cyber warfare on civilians? Since most known operations have been conducted outside conflict settings, the potential human cost of cyber operations in armed conflict is a matter of risk analysis. To move towards a realistic assessment of the potential human cost of cyber warfare, the International Committee of the Red Cross (ICRC) invited scientific and cyber security experts from all over the world to share their knowledge. In a three-day meeting, experts analysed some of the most sophisticated known cyber operations, regardless of whether they occurred during conflict or in peacetime, focusing on the risk that cyber operations may result in death, injury or physical damage, affect the delivery of essential services to the population, or affect core internet services. The meeting included participants working for global IT companies, cyber threat intelligence companies, computer emergency response teams, a national cyber security agency, participants with expertise in cyber security (including that of hospitals, electricity grids and other services), participants with expertise in the development and use of military cyber operations, lawyers and academics. The rich discussions provided a nuanced picture of the risks that cyber warfare can entail for the civilian population. One of the main fears of those working on cyber warfare and IHL is perhaps the idea that in cyber space, the principle of distinction will be difficult if not impossible to uphold. Yet, the expert meeting showed that the global digital infrastructure that can be targeted through cyber operations is in fact rather resilient to widespread effects. While a number of the cyber attacks analysed were indiscriminate, many others have been precisely targeted from a technical perspective. Nonetheless, while many systems are resilient, others are particularly vulnerable, and health-care systems are among those. Furthermore, the threats are evolving at a faster pace than anticipated, and the most sophisticated cyber capabilities may be largely unknown. Another area of concern highlighted in the meeting is the risk of proliferation of cyber tools, because they may linger in digital systems and can potentially be accessed from anywhere in the world, modified and reused. In the view of the ICRC, many of the operations described in the report would be contrary to IHL if carried out during armed conflict.