The Oxford Statement on the International Law Protections Against Cyber Operations Targeting the Health Care Sector

We, the undersigned public international lawyers, have watched with growing concern reports of cyber incidents targeting medical facilities around the world, many of which are directly involved in responding to the ongoing COVID-19 pandemic.

We are concerned that the impact of such incidents is exacerbated by the existing vulnerability of the health-care sector to cyber harm. Even in ordinary times, this sector is particularly vulnerable to cyber threats due to its growing digital dependency and attack surface.

We consider it essential that medical facilities around the world function without disruption as they struggle to respond to the COVID-19 pandemic. Any interference with the provision of health-care, including by cyber means, risks further loss of life as thousands continue to die every day.

We support the International Committee of the Red Cross’ call on States to protect medical services and medical facilities from harmful cyber operations of any kind.

We emphasize that cyber operations do not occur in a normative void or a law-free zone. As recognized by the United Nations General Assembly, international law, and in particular the Charter of the United Nations, is applicable and essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful information and communications technology environment.

Guided by these considerations, we agree that the following rules and principles of international law protect medical facilities against harmful cyber operations. We encourage all States to consider these rules and principles when developing national positions as well as in the relevant multilateral processes and deliberations:

1. International law applies to cyber operations by States, including those that target the health-care sector.

2. International law prohibits cyber operations by States that have serious adverse consequences for essential medical services in other States.

3. International human rights law requires States to respect and to ensure the right to life and the right to health of all persons within their jurisdiction, including through taking measures to prevent third parties from interfering with these rights by cyber means.

4. When a State is or should be aware of a cyber operation that emanates from its territory or infrastructure under its jurisdiction or control, and which will produce adverse consequences for health-care facilities abroad, the State must take all feasible measures to prevent or stop the operation, and to mitigate any harms threatened or generated by the operation.

5. During armed conflict, international humanitarian law requires that medical units, transport and personnel must be respected and protected at all times. Accordingly, parties to armed conflicts: must not disrupt the functioning of health-care facilities through cyber operations; must take all feasible precautions to avoid incidental harm caused by cyber operations, and; must take all feasible measures to facilitate the functioning of health-care facilities and to prevent their being harmed, including by cyber operations.

6. Cyber operations against medical facilities will amount to international crimes, if they fulfil the specific elements of these crimes, including war crimes and crimes against humanity.

7. The application of the aforementioned rules of international law is without prejudice to any and all other applicable rules of international law that provide protections against harmful cyber operations.

The current list of signatories and their affiliations (for identification purposes only) is below. International lawyers who wish to append their name to the statement should send an email to oxfordcyberstatement@gmail.com: