20140703

What if a Red Cross was attacked - in cyber?

Lately the word on the street has been: "Any news on the Energetic Bear?" It's all about an entity that likely is state sponsored and from Eastern Europe, according to media.  Both F-Secure and Symantec have published reports on the matter. The Energetic Bear, according to media, systematically targets hundreds of Western oil and gas companies, as well as energy investment firms. This made me think - What if a state or state sponsored entity did the same to a Red Cross (or similar) institution?

Far as I can tell, the Energetic Bear and their SCADA-targeting cyber weapon named HAVEX so far have been mentioned to be targeting the energy sector´s SCADA systems. But when you read  the reports from F-Secure and Symantec the picture is a lot different.

Few seem to be talking about the fact that also hospitals, financial institutions, telcos and other branches depend on both SCADA systems - and power. 
This makes the whole Energetic Bear case more worrying. Have all gone blind on watching "the energy silo"?

But what if...

Then this article did catch my eye: "Big cyber hack of health records is only a matter of time" - sure I agree totally, but again when media writes about cyber attacks they go the easy way and pick the privacy angel. Of course that angle is important, but what if a cyber attack on a hospital was targeted to the hospital´s SCADA systems? This could, as Karl Rauscher writes, "leave doctors scrambling in the dark, machines failing, and patients dying in their beds". It is to me very hard not to agree with Mr. Rauscher, and this is the center of gravity regarding targeted advanced attacks on health institutions; it will be about life and death.  Information theft and privacy violations will likely not be the main intent of an aggressor wanting to disrupt a hospitals capabilities to operate as a hospital. And mind you, such an attack will occur without the health institution even knowing who hit them. 

And then...the questions

Hospitals (and similar) are in times of war protected under the Geneva Convention - would a cyber attack on a hospital (and similar) be a violation of this Convention? Should, for example, hospitals have special labeling on the Internet? A kind of cyber Red Cross on their communication lines and end point infrastructure?
When cyber vectors are used in war, would an attack that affects a hospital be a violation of the Convention and should it then be punished?
The Cyber domain is ​​recognized as fighting domain, similar to the land, sea and air domains. So to me the first thought is to say that we must think as we are used to in our analog world.
Actually the "Markers in Cyberspace virtual group" have been discussing Internet marking for years and College of Europe has the issue mentioned in "Technological Challenges for the Humanitarian Legal Framework".


Discussions are fine, but this has, in my opinion, to be addressed by a global entity - and there is not many to choose from.

Just to make it worse

Very recently NATO updates cyber defense policy as digital attacks become a standard part of conflict and Article 5 will also apply in cyberspace. This is good news, but if an asynchronous actor makes the cyber attack against a hospital - or other societal entity, then what? By whom and how should the attacker be taken out and punished? Can states "hack back" towards an unknown entity? Should the attacker, if caught, later be tried by The International Court of Justice? 
And even more; is it an act of crime or an act of war? For how long can governmental bodies and NATO discuss "who owns the mayday" before countermeasures are implemented?
I can say only one thing for sure; when this happens -  the fog of war will be thick.

A very experienced police officer with international operations on his CV said this when I raised the cyber attack and hospital issue; "The Geneva Convention was made to fit an industrial war between nations. That does not occur any longer, in short; the Convention is outdated and should be refreshed."

[As always, the posts here are the author's alone. Nothing on this blog is reflective of any of the author´s employers, past or present.]