Cyber attacks on COVID-19 vaccine production are not quite a war crime

Hacking virus research labs to steal their secret recipes is just industrial espionage. But cyber attacks against vaccine production and distribution would be a war crime -- if we were at war.
Written by Stilgherrian, Contributor

As the fight against the coronavirus pandemic has progressed through the research phases to the production of working vaccines against COVID-19, the cyber attacks have followed.

These attacks are nothing new, but they've changed focus.

In March and April there were attacks on the US Department of Health and Human Services, attacks on one of Czechia's biggest COVID-19 testing laboratories, and attacks on the World Health Organization and, it seems, Chinese government agencies too.

The Vietnamese government-linked hacking group Ocean Lotus targeted officials in Wuhan, where the virus was first recorded, and the Chinese Ministry of Emergency Management.

Australia and the US, as well as other nations, spoke out against such attacks.

"As Australians and the international community band together to respond to COVID-19, we are concerned that malicious cyber actors are seeking to exploit the pandemic for their own gain," Australia's Ambassador for Cyber Affairs, Dr Tobias Feakin told ZDNet in April.

"History will judge harshly those exploiting this crisis for their own objectives."

But more recently we've seen phishing attacks on the vaccine cold chain, the temperature-controlled environment needed to transport and store the vaccine, as well as tax and customs officials, and the manufacturers of cold chain equipment.

All in all, companies in Germany, Italy, South Korea, Czechia, greater Europe, and Taiwan were targeted in that one campaign.

Three state-sponsored hacker groups from Russia and North Korea have targeted seven COVID-19 vaccine makers. China and Iran have also been accused of attacks.

Johnson & Johnson's CISO said healthcare organisations are seeing cyber attacks from nation-state threat actors "every single minute of every single day".

Shouldn't all this be illegal? Well yes, of course the hacking is illegal. But shouldn't this disruption of medical supplies during a pandemic be a more serious crime? Yes, and in some circumstances, it would be. But not all.

'It's against the Geneva Convention!'

The Fourth Geneva Convention, or in full the "Convention (IV) relative to the Protection of Civilian Persons in Time of War, Geneva, 12 August 1949", is very clear on this sort of thing.

"Civilian hospitals organized to give care to the wounded and sick, the infirm and maternity cases, may in no circumstances be the object of attack, but shall at all times be respected and protected by the Parties to the conflict," it says in Article 18.

"States which are Parties to a conflict shall provide all civilian hospitals with certificates showing that they are civilian hospitals and that the buildings which they occupy are not used for any purpose which would deprive these hospitals of protection."

Article 20 goes on to say that "personnel engaged in the search for, removal and transporting of and caring for wounded and sick civilians, the infirm and maternity cases, shall be respected and protected".

Skipping ahead to Article 23 -- the ones in between are about transporting the wounded and sick by land, sea, and air -- we get to the protection of medical supply lines.

"Each High Contracting Party [state which is a party to the convention] shall allow the free passage of all consignments of medical and hospital stores and objects necessary for religious worship intended only for civilians of another High Contracting Party, even if the latter is its adversary," it says.

"It shall likewise permit the free passage of all consignments of essential foodstuffs, clothing and tonics intended for children under fifteen, expectant mothers and maternity cases."

There are some limits to all of these rules, of course.

One example is that a nation at war can't just import medical supplies via its enemy to avoid producing them itself, thereby releasing some of its own production capacity for the war effort.

Another is that things like hospitals have to be used solely as hospitals, not "to commit, outside their humanitarian duties, acts harmful to the enemy". That's in Article 19.

Minor additions have also been made since 1949, to extend and clarify the protections.

The overall message is therefore clear: Civilian hospitals and medical facilities, their staff, and their medical supply lines, are all off-limits.

The first and second Geneva Conventions relate to the treatment of wounded and sick combatants on land and sea, respectively. The third relates to the treatment of prisoners of war. Again the message is clear: Once combatants are injured or sick or captured, and out of the game, their medical care is not fair game.

For fans of Hogan's Heroes, "the Geneva Convention" they refer to in that WW2 sitcom is the predecessor of the 1949 convention, the much less-comprehensive "Convention relative to the Treatment of Prisoners of War" of 1929.

Need more convincing? Check out the Customary International Humanitarian Law Database. It lists not just the international treaties but also the relevant national laws and military operations manuals.

'But we're not at war!'

The thing is, though, the Geneva Conventions and all these other rules only apply during armed conflict. No war? No Geneva Conventions.

So what about in peacetime?

In a 2015 report [PDF], the snappily-named United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) agreed to 11 norms of responsible state behaviour in cyberspace.

One norm requires states to "guarantee full respect for human rights", but with a tag that says this includes "the right to freedom of expression", it's clear that this is about interfering with the use of the internet itself.

Another norm bans states from conducting or supporting any act which "intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public".

But do medical research facilities count as critical infrastructure? Australia certainly thinks so.

In an official commentary [PDF] on current UN negotiations dated April 16, 2020, Australia noted "with concern" the reports of cyber attacks on critical infrastructure "including healthcare/medical services, facilities and systems, and crisis response organisations".

"During a pandemic, it is hard to think of an infrastructure more critical than hospitals and health services," Australia's cyber negotiator at the UN Johanna Weaver told ZDNet.

Australia's Critical Infrastructure Centre, part of the Department of Home Affairs, also classifies the health system as critical infrastructure.

Indeed, in March this year a parallel organisation to the GGE, the equally snappily-named UN Open Ended Working Group in the field of information and telecommunications in the context of international security (OEWG), indicated that this belief would be made more formal.

The initial "pre-draft" of its report [PDF] says that "states should not conduct ICT operations intended to disrupt the infrastructure essential to political processes or harm medical facilities".

A joint proposal [.docx] from Australia, Czechia, Estonia, Japan, Kazakhstan, and the US aims to sharpen that, adding the words: "the OEWG underscored that all states considered medical services and medical facilities to be critical infrastructure for the purposes of [the] norms".

More broadly, an analysis in March this year by legal advisers from the International Committee of the Red Cross noted that "international law prohibits all states from intervening in the internal affairs of other states".

"The UK, for example, has expressly stated that this prohibition may also cover acts such as the 'targeting of essential medical services'," they wrote.

They also noted that attacks on computer systems essential for the maintenance of public health and safety are banned by the 2001 Budapest Cybercrime Convention, to which 65 nations are signatories.

In the view of most nations, therefore, this latest round of cyber attacks is, or at the very least should be, against international law.

But so what?

If we were at war, charges of committing war crimes could eventually end up being prosecuted in The Hague. But we're not at war. And in peacetime, the 11 norms are constantly being breached.

Some states don't just permit the misuse of networks in their territories, they actively encourage it. Some states suppress free speech online. Some states actively disrupt the critical infrastructure of others.

And of course, these cyber attacks on vaccine logistics are happening right now.

So far all we've seen happen with such illegal conduct is coordinated diplomatic action. Perhaps during a pandemic, it's time to put a bit of stick about.
