In February this year, Microsoft President and Chief Legal Officer Brad Smith took the stage at the RSA security conference in San Francisco to make the case for a “Digital Geneva Convention” that protects civilians from state-sponsored cyber attacks. Given that main intent of the last Geneva Convention (1949) was to protect civilians and non-combatants during warfare, this call to action—a Geneva 5.0—is both timely and welcome.
The nature of conflict has changed throughout history. Today, cyberspace has emerged as the latest front, as both state and non-state actors perpetuate another of history’s certainties, namely the weaponizing of advances in technology. The growing scale and scope of cyber-attacks and their potential to impact the safety and security of civilian populations – witness the recent widespread havoc wreaked on healthcare and other civil infrastructures across the world by the WannaCry attack – highlights the pressing need for international law to reflect this new reality.
Smith’s bold vision gives vital impetus to the effort to create innovative and comprehensive protocols for responsible development and deployment of cyber capacities. it speaks to the importance of establishing norms against targeting critical infrastructure that the wellbeing of societies depends on—much of which is in the hands of the private sector—a commitment to non-proliferation of cyber weapons, and international processes for dealing with cyber-attacks aimed at civilian populations.
As this work gains traction, it will have implications for a wide variety of state, commercial, and international organizations working in diverse contexts. Here, we examine what this means for those involved in humanitarian action, given the particular vulnerabilities of the people they work to help.
Defining new territories, rights, and protections
First, technology companies. Many of them do essential work in supporting humanitarian action, often in very complex circumstances. As such, they are key stakeholders in ensuring that the implications of the work they do and the technologies they deploy for humanitarian purposes are well understood and given proper attention, operating to the baseline of “do no harm.”
Implications of a Digital Geneva Convention would, however, be unprecedented for the private sector in that technology companies would be required to take on a stronger role in the existing international state system and its global institutions, like the United Nations, in helping to define matters of human rights and humanitarian protection in the digital age.
Current international law protecting civilian populations is based on state sovereignty and 20th-Century modalities of warfare. And yet, the world has changed in fundamental ways. The internet doesn’t respect international borders. Nation states are deploying the capabilities of hackers as if they were traditional combatants. Identity theft, cyber-attacks on critical infrastructure, and misinformation campaigns are the weapons of war on today’s digital battlefield. And civilians are often caught, unprotected, in the digital cross-fire.
The technical know-how, resources and reach of the private sector are a requisite for making sense of this new theatre of conflict in terms of where and how it takes place, and for whom this matters and why. Tech companies – alongside states, humanitarian actors and civil society—will need to help define what actions constitute cyber threats or attacks, and therefore who should be afforded rights and protection under international law. Their role is also critical in building the capacity of humanitarian organizations to understand how to navigate this complex threat landscape to ensure that already vulnerable people are not further exposed.
We know that many tech companies are already highly aware of these issues, and taking steps to address them. But the urgency of the situation calls for more concerted international action, given that those same issues are manifesting themselves right now.
Re-tooling humanitarian assistance
Second, the humanitarian system will have to re-think the way it carries out its work with populations already affected by “conventional” war and natural disasters.
Already, aid agencies and NGOs are developing and deploying communication, information and data-related activities and services that, themselves, constitute new forms of humanitarian assistance. Information, once used as a means by which to coordinate the delivery of food, shelter, and health services in the aftermath of an earthquake, for example, is now a life-saving commodity and, some would argue, a human right for populations affected by natural disasters and conflict such as refugees and IDPs.
However, there is no comprehensive and commonly-accepted guidance on the use of information communication technologies and the information they generate in humanitarian contexts to ensure proper safeguards against unintentional harm to affected populations who are, themselves, already vulnerable.
New frameworks are urgently needed to ensure sure risk is mitigated and core humanitarian principles (like neutrality, impartiality, independence, humanity) are not compromised in carrying out humanitarian information activities.
Indeed, there is growing evidence to suggest that humanitarian information and data-related activities and services are unwittingly exposing vulnerable populations to new threats in fragile contexts:
Experimentation using call detail records (CDRs) for contact tracing purposes during the Ebola outbreak in West Africa has raised important ethical questions around human subjects research, responsible data practices, and proportionality. Mobile connectivity initiatives in Syrian-refugee hosting countries established through hastily formed networks, or HFNs, highlights the need for robust network security measures to protect asylum seekers from electronic exploitation by parties to the conflict. Publishing real-time data on the conditions, routes, and profiles of asylum seekers in the Horn of Africa region can inadvertently provide valuable resources from which smugglers and human traffickers can benefit.
The longer these practices continue to be carried out in the absence of regulations and safety and security measures, the more we risk failing to protect vulnerable populations from harm. This, itself, is arguably a whole new dimension of humanitarian cyber threat, which is not adequately accounted for in current policy frameworks, and should be front and center of the Digital Geneva Convention dialogue.
The Digital Geneva Convention initiative is an exciting call to action for defining new rights and responsibilities and re-tooling the existing system to cope with the realities of the 21st Century. It’s a great opportunity that we can’t afford to miss.
* * * * * * * * * * * * * * * * * * * * * * * *
 Research in Nairobi, 2015. On file with author.
About the Authors.
Joseph Guay is an Associate at The Policy Lab. Based in San Francisco, he manages the Lab’s research on humanitarian innovation and technologies. He has supported the development of information management solutions for a number of humanitarian operations in South Sudan, Iraq, the Horn of Africa Region, Nepal, Myanmar, and in the context of the Ebola pandemic. [email protected]
Lisa Rudnick is a Founding Partner at The Policy Lab. Based in Geneva, she is experienced in the peace building and security sector. She has worked with the UN and NGOs on community security and policy and program innovation in humanitarian contexts in Africa, Asia, and the Middle East. [email protected]