Published by The Lawfare Institute
This article proposes the creation of an international organization modeled after the International Committee of the Red Cross (ICRC) to provide assistance and relief to vulnerable citizens and enterprises affected by serious cyberattacks. Companies that have signed onto the Tech Accord principles would form the core of the organization, thereby filling an important gap in an increasingly volatile geopolitical environment. In this article, the term “cyber-ICRC” is intended to be suggestive of the role that such an organization might play but not to imply any kind of formal connection to the ICRC. Moreover, we emphasize that the proposal outlined in this article has not been vetted by anyone at the ICRC and is not endorsed by the ICRC in any way.
In the spring of 2018, Microsoft initiated the Cybersecurity Tech Accord, a public commitment for its member technology companies “to protect and empower civilians online and to improve the security, stability and resilience of cyberspace.” More specifically, member companies commit to following a set of principles. By late September 2018, over sixty other companies had joined the accord and signed on to its principles.
The Tech Accord is apparently one result of a speech at the United Nations given in November 2017 by Brad Smith, Microsoft's President and Chief Legal Officer, in which he called on companies to effectively act as a “neutral digital Switzerland, to protect people around the world.” (Time mark 22:00.) In the vision that Smith laid out, companies would emulate the neutral role of medical personnel during wartime, which was the foundational principle underlying the development of the ICRC. Just like medics treated vulnerable civilians regardless of allegiance, the technology industry should “assist anyone who is injured anywhere [in cyberspace].” (Time mark 21:15.)
The idea of an ICRC for cyberspace has been floated before. In 2015, Duncan Hollis and Tim Maurer called for the establishment of a “global cyber federation”—a network of non-governmental assistance organizations. By making use of existing Computer Emergency Response Teams (CERTs), Hollis and Maurer argued, a cyber federation could provide “neutral, impartial and independent assistance to the Internet and its users” in the service of improving safety and security in cyberspace.
The Tech Accord and its rationale offer an important opportunity to reexamine and renew calls for the creation of a mechanism for assistance in cyberspace modeled after the International Committee of the Red Cross. Tech Accord companies would form the core of such an organization, which would advance the realization of the accord's principles.
The History of the ICRC As Precedent
The development and status of the ICRC is remarkable in many ways, and carries important lessons for cross-border assistance efforts in cybersecurity. The origins of the ICRC go back to the Battle of Solferino in 1859. Henri Dunant, a Swiss businessman, witnessed the carnage of French and Austrian soldiers, many of whom died on the battlefield without medical assistance. Dunant’s activism brought together five Swiss citizens in a private organization that was to become the nucleus of the ICRC. Together, they called for better care of wounded soldiers during battle and protected status for medical personnel in order to do so. The group subsequently convened a conference, invited representatives from several national governments and successfully persuaded them to sign the first Geneva Convention of 1864, putting the group’s principles into a legal framework.
These were the beginnings of a small, private organization that would transform into the world's largest humanitarian network, providing assistance and relief to victims of all sorts of tragedies, from earthquakes to armed conflicts. Over time the ICRC expanded its role and established trusted relationships with governments while, under its umbrella, national relief societies were formed. Dunant's vision eventually evolved into the highly effective and credible Red Cross system—a network of national and international relief and assistance organizations. The Committee and the national societies of the Red Cross and the Red Crescent are formally independent of government control, although societies have to be recognized by the state in which they are operating. While formal independence may not guarantee actual independence on the ground, formal independence provisions help to ensure that societies are seen as trustees rather than as agents of any government.
Today, the ICRC provides independent, neutral humanitarian assistance and protection to victims of armed conflict and other violence. It also has a critical role in the promotion of respect for international humanitarian law. Over the course of its relatively brief history, the ICRC has established itself as one of the most trusted international actors, gaining access to places no one else can go to promote humanitarian behavior. It has been able to do so because it acts in a neutral, impartial and independent manner, and is willing to carry out its mission in confidence if that is a necessary condition of gaining access. Regardless of the causes of an attack, the ICRC focuses exclusively on its humanitarian relief mission and the needs of victims.
An ICRC for Cyberspace
The mission and evolution of the ICRC provide a historical precedent for the creation of a similar organization for cyberspace. Signatory companies of the Tech Accord are in a unique position to form and advance an ICRC-type organization for cyberspace.
Reflecting the mission of the ICRC in cyberspace, a cyber-ICRC would focus on providing assistance to victims of major cyberattacks or incidents wherever needed around the world as well as helping affected citizens and enterprises recover from cyberattacks and their impacts. The ICRC accepts natural and man-made disasters as facts of life, and seeks to mitigate subsequent harm rather than prevent such events. Similarly, a cyber-ICRC would seek to mitigate the effects of cyberattacks rather than prevent them. Recovery and assistance in response to harm caused by cyberattacks or experienced during cyber incidents would form its core mission, and, in particular, cyber-ICRC personnel would not focus on politically sensitive matters such as attribution of the incident or collection of intelligence information on behalf of governments.
In this regard, a cyber-ICRC would have a different role than the ICRC in its humanitarian efforts: The ICRC does talk to national governments privately when it uncovers evidence of unlawful conduct of representatives or agents of those governments. But a cyber-ICRC investigating a cyber incident in Nation A would not be authorized to conduct an investigation in Nation B, even if it was believed that Nation B was responsible for the incident. Because the focus of the cyber-ICRC’s efforts would be recovery rather than attribution, information relevant to the latter would be collected only incidentally to the primary mission of facilitating recovery.
A cyber-ICRC could also fill an assistance gap that is particularly felt by victims who lack the capacity or resources to respond to or recover from cyberattacks. As the number of Internet users grows substantially in the next few years (a total of 5 billion by 2020 by some estimates), there is a special need to expand assistance networks in the developing world.
A cyber-ICRC would focus its work on cyber incidents of significant consequence. Accordingly, if a civilian entity were to suffer serious cyber harm, it would be eligible to request assistance from a cyber-ICRC. Because assistance would be reserved for significant events, a threshold would need to be effectively established. What qualifies as a significant event can, of course, differ across countries, sectors and organizations and will need to be discussed further.
Assistance would be provided only if the victim(s) of cyberattacks agreed to allow personnel from the cyber-ICRC to provide such assistance, and if the host government (i.e., the government that exercises jurisdiction over the harmed civilian entity) consents as well. Beyond the immediate focus of relief and recovery in response to serious cyberattacks, the scope of the organization's mission would have to be carefully calibrated so as not to jeopardize its neutrality, access and effectiveness. Over time, the organization could also take on activities such as education and outreach—a role that emerged as the ICRC itself evolved.
Tech Accord companies would form the core of the organization, providing resources and personnel as necessary. Based on the Tech Accord commitments, Microsoft and other companies are in a good position to work towards establishing such an organization in collaboration with other like-minded entities. One significant aspect of the Tech Accord is that it involves some companies that are not based in the United States. Because cyberspace is relatively insensitive to national borders, the international purview of Tech Accord companies can only be a plus in the face of increasing tendencies towards U.S. isolationism globally and in non-cyber realms. A cyber-ICRC based on the participation of the Tech Accord companies could also sustain itself financially without significant government support.
Designing an organization focused on relief and recovery from cyberattacks leaves open a number of questions, including the following:
What criteria should be established as a threshold for responding to a call for assistance from the cyber-ICRC? Who gets to formally determine the criteria?
Given how often successful cyberattacks occur around the world, the demands for assistance from affected entities are likely to far outstrip the supply of expertise. A set of formal criteria establishing a sufficiently high threshold for assistance is therefore necessary to align demand and supply more closely. As an example, one such criterion might be the extent to which a cyberattack has broad and dangerous effects on the civilian population of a targeted nation.
Who decides if the criteria established above are met in any given instance?
Should it be the cyber-ICRC itself that decides that the criteria have been met in any given request for assistance? Or should individual Tech Accord companies have the right to decide for themselves before they will agree to support or participate in a humanitarian mission? (Duncan Hollis, in “An E-SOS for Cyberspace,” suggests that factors such as severity, nature of the affected entity and scope of impact could play into such criteria. He also suggests that incidents without a malevolent actor behind them should also be within scope.)
What should the relationship be between the assistance organization and the host government of affected civilian entities?
In particular, how and to what extent, if any, should operational activities of cyber-ICRC personnel be subject to observation by host governments? Given possible demands of host governments for observation as a condition for access, what principles should govern such observation?
What are appropriate data protection standards?
What kind of information is likely to be handled by a cyber-ICRC? How should this data be protected? How can protection standards be guaranteed? To whom should information gathered in the course of providing assistance be provided? What kind of information would make a cyber-ICRC a target for attack itself? How could such a risk be mitigated?
To what extent and under what circumstances should the activities of a cyber-ICRC remain non-public?
Is the effectiveness of the organization best advanced by publicizing its activities and the entities to which it has extended assistance? Or is effectiveness best advanced by keeping assistance requests and activities confidential? Could the cyber-ICRC disclose some cases publicly and keep others confidential (according to requests)? Should the organization issue a yearly report about its activities? What circumstances and principles should determine the scope and nature of information disclosed to the public?
How should the neutrality of a cyber-ICRC and its activities be safeguarded?
What should be the organization's guiding principles for its day-to-day activities? What kind of relationships with governments would best ensure the organization's neutrality and global access? This question is closely related to the institutional make-up of the organization, which is discussed next.
What should be the structure and status of the organization?
A number of options in this regard bear further investigation. Perhaps the most likely in the short term is a stand-alone private organization. Because of the primacy of private sector technology companies in the proposed cyber-ICRC, it is advisable that the cyber-ICRC not be established under United Nations leadership given the government-centric approach and politicized nature of governance discussions in UN forums.
What should the organization's membership look like?
Should the organization’s membership be exclusively private-sector companies? Should other non-government entities play a role (e.g., the Internet Engineering Task Force, national Computer Emergency Response Teams, Computer Security Incident Response Teams, Information Sharing Organizations)? What would be the relationship with other industry initiatives such as the Charter of Trust (initiated by Siemens and other companies)?
How and to what extent can Tech Accord companies (and their personnel) be insulated from possible retaliation for their participation in or support of cyber-humanitarian efforts?
If the cyber incident in question is an attack against an entity in Nation A by Nation B, cyber-relief efforts aimed at helping Nation A would have the effect of mitigating the attack by Nation B. That fact may lead Nation B to take retaliatory action against the relief-providing entity, which could be either the cyber-ICRC itself or the Tech Accord companies providing the response. In physical humanitarian relief operations, for example, ICRC personnel are often threatened by belligerents on the ground, so in that sense, the situation is comparable. Measures aimed at limiting possible retaliation against cyber-relief workers (and their companies) would help provide reassurance about their participation.
Who would be responsible for providing on-the-ground assistance?
One option is that personnel from one or more Tech Accord companies could do the actual work on the ground. Alternatively, the cyber-ICRC could have a permanent cadre of cyber-relief workers that deploys when necessary, the personnel costs of which would be covered by Tech Accord companies. A third option is a reserves model in which the bulk of relief-providing personnel are primarily employed by Tech Accord companies in other capacities (i.e., in regular jobs), but, when a cyber relief mission is engaged, are seconded to cyber-ICRC efforts and act on behalf of the cyber-ICRC—Médecins Sans Frontières (Doctors Without Borders) operates on a roughly similar model.
How, if at all, can Tech Accord companies reassure the entities being assisted that they will not take advantage of the vulnerable position of those entities to sell products or services?
The involvement of Tech Accord Company X in assisting an affected Entity A provides opportunities to influence Entity A’s judgments regarding the purchase of future products or services. Tech Accord companies would have to pledge not to take advantage of such opportunities, but it is unlikely that such a pledge would entirely reassure recipients of assistance in this regard.
What criteria determine the appropriate end of the cyber-humanitarian mission? And who decides if those criteria are met in any given instance?
It is unrealistic to expect that a cyber-ICRC presence could continue indefinitely, and yet an assisted entity would have substantial incentive to want that presence to continue as long as possible. Thus, some criteria must be established to define the end of a mission. And, as with the decision whether to deploy relief personnel, some party must decide when those criteria are met in any given instance.
In his speech to the United Nations, Brad Smith addressed the question of industry responsibility to protect the world from cybersecurity threats saying, “As someone who comes from a company like Microsoft, who spent almost a quarter of a century working in the tech sector, I would absolutely be the first to say that in fact we have the first responsibility. After all, we build this stuff.” (Time mark 15:50.) We concur with this sentiment, and believe that a logical next step forward is to consider the establishment of a cyber-ICRC along the lines described above.
The open questions we discussed are hard to answer, and are merely illustrative of myriad other questions that must be addressed satisfactorily before a cyber-ICRC can be realized. And, of course, the Tech Accord was not set up with the intent of obligating participating companies to engage in the roles described in this article—in fact, this article proposes a substantial expansion of mission for those companies. Assuming that the questions above can be answered adequately, a willingness to support a cyber-ICRC with funding and, more importantly, with expertise would go a long way in generating tangible and visible results in the quest for a safer and more secure cyberspace.