PerspectiveCyber Operations against Medical Facilities During Peacetime

In the face of the coronavirus pandemic, governments around the world have tried to compensate for insufficient hospital beds and intensive care units by nationalizing private medical facilities and relying on military ships and improvised evac hospitals. Adina Ponta writes in Lawfare that at a time when overcrowded medical and testing facilities struggle with shortages in supplies and a huge influx of patients, hacker groups have exploited their inattention to cybersecurity.

During the current crisis, cyberattacks are proliferating in the United States and across the globe, the most serious being reported in the Czech Republic, Spain and France. These operations were intended to disable health services—as well as research and testing facilities—by crushing computers and networks of healthcare providers, delaying medical procedures and accessing personal data. These aims were visible during the attacks against the Czech University Hospital Brno, the U.S. Department of Health and Human Services, and the World Health Organization.

At this stage, no formal attribution has been made publicly for any of the attacks. Though some of the recent cyber actions might be governed by domestic laws of the target states, in this post I will examine only cross-border malicious acts on medical facilities and the applicable international law instruments. Rather than examining cyberattacks on medical facilities during wartime and incident international humanitarian law provisions, I will focus on the legal consequences of operations against U.S. and European hospitals during the current pandemic.

The recent cross-border cyber intrusions raise various questions on the international landscape. What international legal provision is triggered if a person loses his or her life as a consequence of a cyber operation that shuts down ventilators? What sanctions regime is applicable? Can such a cyber operation be qualified as an attack under jus ad bellum?