A Digital Red Cross: Keeping Humanitarian Aid Safe from Cyberattack
Keeping medical and relief workers safe in a war zone is a profoundly difficult task. In 1864, encouraged by the founder of the organization that would become the International Committee for the Red Cross (ICRC), the Geneva Conventions created a visual standard that attempts to protect aid workers by clearly marking them with a red cross. The red cross emblem has since been joined by the red crescent and red crystal – all emblems marking noncombatants doing humanitarian work in a war zone under the protections of international humanitarian law.
But in the 21st century, digital systems have become targets in conflicts across the globe. From DDOS attacks to data theft and website/social media takeovers, combatants have gone after online systems to hobble an opponent’s military and its supply lines, undermine support for a government or simply embarrass the other side in front of its citizens and allies. Targeted intentionally or not, relief organizations, healthcare systems and medical workers may get caught in the digital crossfire, disrupting their life-saving services and potentially hurting the wounded and the vulnerable whom they help.
The ICRC, as well as the Red Cross and Red Crescent societies from countries around the world and the states that are signatories to the Geneva Conventions, have begun work to develop the virtual equivalent of a red cross or crescent—a digital emblem—that can be used to signal protections during cyber operations. CDT is working to help convene multistakeholder processes to develop the standards and systems necessary to define and deploy digital emblems that can serve protective purposes in digital conflicts. This is both technical and diplomatic work, and requires coordination among different actors with different forms of expertise who share a common humanitarian project.
This past May, CDT helped to organize a hybrid technical workshop, bringing together ICRC legal experts with experts in the technical sector and civil society to explore the need for a digital emblem and the potential for standardization. Technical discussions included the challenges of deploying unambiguous authenticated emblem signals, and communicating emblems in such a way that cyberattackers can receive them without revealing themselves: If potential attackers can’t find out if an online target is actually a hospital without revealing themselves, they won’t bother to look. Participants also recognized the need for accountability mechanisms in the law.
This past October, at the quadrennial International Conference of the Red Cross and Red Crescent, the 196 nation states party to the Geneva Conventions (as well as the 191 Red Cross societies from those nations) resolved by consensus to encourage further research, design and development of a digital emblem.
Technical standardization is a key next step. The Internet Engineering Task Force (IETF) now has an opportunity to move the process along by forming a working group to address humanitarian digital emblems. The group would incorporate voices from the aid community, from the technology world, from governments, and from civil society organizations like CDT.
The requirements for this digital emblem and digital forms of other distinctive emblems and signs are in the process of being specified to guide the standards work. Consensus work can be slow, but important, and there have been two productive “birds of a feather” sessions that have demonstrated broad interest in the work and strong opinions on scope. Requirements may include:
- Authentication by a wide variety of sources—for example, the ICRC doesn’t determine who can apply the existing emblems such as the Red Cross or Red Crescent; instead, that determination is made by individual states worldwide;
- Covert inspection—in order for attackers to recognize and respect this mechanism, checking for a digital emblem shouldn’t be an activity that reveals their identity;
- The need to be both resilient and usable by humanitarian organizations (and their digital services vendors) in zones of conflict around the world—a digital emblem needs to be easy to deploy, much like the red cross is easy to paint. The symbol should also be easy to remove from a digital property when needed.
- The need for the symbol to be voluntarily adopted.
Interoperable standards make it possible to cover a cluster of use cases with a single technical design. International humanitarian law provides an array of protections to a wide range of different activities, from protecting historic artifacts to ensuring civil defense organizations are able to undertake their life-saving activities. This kind of effort may also be applicable in those cases as well.
Of course, no digital emblem will protect an organization from truly malicious actors, including hackers seeking data to ransom or a state-based group that sees collateral damage as a bonus, not a cost. In the physical world, hospitals and healthcare workers have been ambushed or bombed far too often. But a digital system that echoes the protections accorded to physical aid workers would at least give organizations a chance to shield themselves and their work from digital disruption. And, it should provide for potential accountability through international governance mechanisms when medical services are disrupted by cyberattack
This important endeavor could not succeed without the deep interest, engagement and support from the technical community, nation states, the tech industry, academic researchers and the Red Cross movement generally. CDT is proud to work with the ICRC and other stakeholders to help shepherd the digital emblem through the technical standardization process.