LABScon Replay | Are Digital Technologies Eroding the Principle of Distinction in War?
Hi everyone. Thank you for having. Oh. ICRC today, International Red Cross. So just look at who knows, who knows what we do and who we are. Just raise your hand. Okay. So just to refresh the memory. So we are an international organization, a humanitarian organization. We are based in Geneva, Switzerland. So our mandate is to provide
humanitarian help and help victims of armed conflict in relief operations. And when there is a need. So and you start to think about why we are here, right? What is doing humanitarian organization here? So it's because we are seeing with the digitalization of societies there is an increase, a transformation of how the wars are fought. So states are adding more and more digital means and methods to their arsenal. And one of the worst trends we are seeing nowadays is that digital technologies are bringing civilians and private sector technology companies into the battlefield. So when I talk about private companies, I mean cybersecurity companies, technology companies that are bringing into the battlefield. So one of the most important principles in ICRC is international
humanitarian law. This is a body of law. And one of the most important principles in this law is that we define two main groups of individuals and objects. So the first one is the combatants, and the military objectives and the competence are the people that are fighting on behalf of an army. And the second group are the civilians
and then civilians objects. And they should refrain from the resource. They should refrain to a combat to go in the battlefield, and thus they should be protected against the arms and dangers that the war is producing. So this is the principle of distinction. So we have to distinguish between who is
fighting the war and the rest of the population. So and this shift in the digital technologies, so is bringing us to a to a qualitative aspect, 1 to 1 qualitative aspect, one quantitative one. So from the qualitative perspective, so the digitalization of societies is bringing some some effect. One of them is that this lowering the threshold of entering the battlefield. So with some exaggeration, we can say that everyone with a smartphone nowadays can join the battlefield and do something for an army to a conflict. And the
other perspective is that is also modifying completely, modifying the sense of remoteness that we have. So we can sit in our couch and we can participate to to the battlefield on the other side of of the planet. And from a quantitative perspective is that the states can scale up a massive amount of civilians to do what they need to do, like hundreds of thousands of civilians regrouping them in hours, in days to be able to fight for them. And another perspective is the expansion of the attack surface. So the same smartphone
that they can use to attack could be also a victim of of of an attack. So it's not just the smartphone, laptop, computer server, whatever. So the attack surface is way bigger than what we have in the physical world. So this brings us to the civilization. So we call the civilization of the battlefield. So based on that, let's have
a couple of scenarios to better explain the situation and the challenges we are facing here. So the first scenario is about states that may encourage civilians to engage in offensive cyber operations against targets associated with the enemy. So it's the states that is asking its own civilians to participate to a conflict in the digital battlefield. So this has multiple advantages for a state so individual can be easily mobilized and coordinated. So as I said before, you can put together hundreds of thousands of people to fight in your name and you can federate all already existing activists that they can be deployed for, for your purpose and all those characteristics that bring us to this lower cost for entering the battlefield and for the states to fight in the battlefield because they can use the civilians to do this work. So this is the
first scenario we are talking about. The second scenario is that the states may repurpose existing e-government apps or create new ones that will be used for the battlefield. So here we are talking. In about two states that are provide an app that you can use to,
for instance, take a picture of a tank of the enemy and then send them back to a to the to the army, to the Central Command and control and be used for the effort on the on the kinetic side. So this has multiple advantages from the state's perspective because you are tapping into an existing community of digital citizens. So can you imagine if you if you have a new government app that is being used by three or four or 5 million of people that some point, you transform, you enhance this application providing new methods in the application, and then you provide these applications, this new version of applications to already three or four or five million people that are already using these applications. So they are tapping into this kind of situation. So this means that you don't need any training for the people that are using the application because they are already used using these applications. So it's everything. We open download, take a picture, and send the picture. This is a normal gesture we do daily, so no training is required. This also means that there is no latency. You don't
have to train military people on the ground. You just have civilians in the in the digital battlefield that can adapt and use this application in a very quick way. And this means that the civilians are becoming sensor sensors to the army, not just for intelligence purposes, but for any other kind of activity that the state would like to start in in the digital battlefield. This brings us to a third scenario where we have the presence of technology companies, and cybersecurity companies. And so, generally
speaking, private companies are jumping into the digital battlefield. So as you may know, I mean, the majority of the networks are owned or managed by private companies and they are also managing asset that our military asset, not only civilian assets. So when war start those companies, they are inside the battlefield because they are already providing support or they are managing the networks of those governmental bodies. So this may bring us to the characteristic of that. Those companies are defending against deliberate cyber attacks. If you are already providing this kind of situation to a to governmental bodies, you find yourself in in defending against deliberate cyber attacks and you share threat intelligence with government bodies, with states that are at the moment in war. So those are the three scenarios of how civilians and and private companies are involved in the battlefield. And these are,
first a first batch of consideration about the situation that we are expecting we are seeing since the moment. So apt so state sponsored cyber attack is not the only way to assess no more, the only way to assess state capabilities in the digital sphere. So we have a lot of more digital means and method that has to be integrated when we do an analysis of the capacity of a state in these in this sector. The second one is that the private company of civilians are now playing a preponderant role in the conflict.
What I mean with this is that when an army is losing visibility or capability on the on the on the battle ground, they can use civilians to regain this visibility, this capability, and even surpass the capability of a state in the battlefield. So the consideration is that we are assisting a civilization of the battlefield that is is is a trend since the moment now. And this is a worrisome trend because we are bringing civilians into the battlefield. So a second a second package of of considerations that we still lack this cognitive process. So what does it mean? It means that we are far from from the battlefield, but at the same time, we are in the battlefield using digital means. So this is a distance between what we
are leaving and what we are doing. So these kinds of process is something that we are still lacking nowadays, even after 30, 40 years, that we are using it and still lacking of cognitive process. And this brings us to the perception of anonymity where we are running a DDoS attack using a VPN, we think to be anonymous from our couch or we do this and that.
So this is perpetrating the anonymity and with this also the sense of impunity. We think nobody will find me because I'm using all the security measures that I can put in place to not be seen. So another is the performative nudging of the state. What does it mean? Does it mean that the the state, when is there enhancing and modifying application? Is proportionately to be gentle, pushing the civilians to adopt this application that is already on their phone to use this application for for war reason so and these performative because as soon as these new capacity is is put in in a new application and push on the store and then push on the phones is use very quick.
So this is performative so the speed of integration we already said so this very fast how to integrate civilians into the battlefield. And then we have the involvement of private companies that are doing the normal business in peaceful time, that at some point they find themselves into the battlefield. And the third group of consideration is are civilians and private companies directly participating in hostilities? So this is the most important part are people that are doing this kind of business, participating in hostilities. So we see three communities characteristic to be declared as participating in the cities.
So this is just a way to explain you how it is. I am not saying that one scenario or the other is direct participating in stating the three scenarios that were seen before. We can say that depending from case to case could be considered as participating in hostilities.
But normally we should look at these three cumulative aspects. So one is the threshold of harm. So it means that if you run, if you do this act, you provide a you have an impact on the military operation of a party to the conflict. So
there is a real impact of what you are doing. The second one is the belligerent nexus is knowing that if you have designed the act to be to reach the threshold of harm. So if there is a desire of designing this, this act for providing this harm, and the second the third one is that the direct causation I mean, if we can know that from the act that you are doing the the harm is provided by your intervention. So those are the three characteristics. So if you are if you have this three characteristic
in the act that you are performing, you probably participating in in a armed conflict. So there are other characteristics that we have to look at before saying that. One of the other scenario is direct participation in your city. What we are saying is the temporary consideration for such time.
So it does mean that so in our perspective, ICRC perspective, if a civilian is opening an application and taking a picture or doing a DDOS attack and then closing the application, only during that time a civilian could be and say could be considering as participating in hostilities as soon as you closed the application is not is not more considered as participating in stating some critics of our will saying that this is too easy for civilians to go in the battlefield and go out from the battlefield. So a kind of a revolving door, but again, case by case. And then there is the territorial consideration. Are you performing your act from inside the battleground or from outside? So are you doing this stuff from outside the battlefield? So these are all the different perspective that we're going to check. After
all, what are the consequences of everything here? So the first consequence, if you are so directly participating, is that you are not entitled to have the prisoner of war status if you don't have this title because you are a civilian participating in hostilities. You may lose immunity from domestic prosecution. And I explain myself. So let's imagine you are attacking country with your means and at some point the war is over and then some years later you want to travel for for vacation to this country. You could be prosecuted in this country because you participated in hostilities and then you have no immunity for that. So this means also that you lose protection from attacks. And when we talk about attacks, we is not just cyber attack, but also physical attack. So someone that is
participating in society could lose the protection from being attacked, although on a physical on a physical way. So the consequences for the states so states have mandatory it's mandatory for the state to verify if one person that is participating to a soldier is a combatant, is a civilian. So distinguish what we said before, the the principle of distinction for for the for the states. The second one is the obligation of cost and care. So this means that the states have the obligation to help civilians to to provide precaution to the civilians. But this is absolutely in tension with the fact that that states are nudging or pushing civilians into the battlefield, how you can nudge and push civilians on the battlefield. And the same time, be sure to to provide cost and care to the civilian.
The third one is that states have to respect international humanitarian law. And the reason are the law international human rights law. So the right to life and such, such a body of law that is fundamental. Also when we talk about the territoriality of of the
battlefield. And so another consequence is this time for the private companies is that as the civilian is the possible loss of protection from being attacked. So even tech companies that are involved in the battlefield, they could face this situation if they are engaging in DPH for one of the other party to the conflict.
And one very interesting point is that tech and cybersecurity company property may become a military objective. So let's imagine you have a platform for sharing intelligence with the government body that this government is involved in, in a in a in a in a war. And you provide a cyber threat, intelligence to this to this state through a platform. This platform could become NSA could because again, depend from case to case could become a military objective of an army to the conflict. So this platform could be disrupted
by one of the other parties to the conflict. And so this brings us also to the territory consideration that we have seen for civilians. So it depends from my perspective, from international maritime law, there is no difference if you are doing this from inside a battlefield territory or outside. But there are other body of law, like human rights law, that are taking in consideration territorial territorial consideration for for this. And technology and cybersecurity companies could also be considered as an organized armed group. Again here exception and case by case.
But it is possible that the tech companies that is providing a defensive capability or even active defensive capability could be considered as organized armed group by to one of the army, one of the ambit of the conflict. So these you can imagine the consequence of being considered an organized group. These bring us to the conclusion. So the first one about the civilians. So I just put this point
civilian must be aware. So we're not talking anymore here on taking down a server of a ransomware group or snitching to a C2 of a state sponsor of an APT group. So we are talking about participating in a conflict. This is changing completely. The situation where you are involved. You have to be aware of what you're doing when you when you type on your keyboard and be sure what you're doing here, because you can be attacked again with distinction in case by case, but you can have a kinetic and non-kinetic answer to what you're doing.
The second conclusion is for the states. So we stress the fact that the states have to respect the principle of distinction between civilians and combatants is very important and is something that is is very worrisome because we seen a fusion between the two groups. And if you are really bringing civilians into the battlefield, please prioritize harmless form of civilian involvement, like, I don't know, rebuilding, disrupt the connections or setting up servers or whatever, not using civilians for the aim of of of the war. The third one is provide civilians the information. So as soon as the state is
providing all the information to civilians saying, hey, you can do this and that, if you do the other, you take responsibility for your act, At least the state. It could be said that he provided all the information useful for civilians to judge the situation. Logically comply with their duties, so with the natural and human rights law. So we said
before that we see a tension here between the duty and the and what in reality is happening and the obligation, of course, care. We have talked before, so do not involve civilians, had civilians against these civilians of the battlefield and try to reverse the civilian ization of the battlefield. So this trend must be stopped because we are seeing more and more tech companies, more and more civilians into the battlefield and latest for the companies. So
we think that companies need more awareness in training in international humanitarian law. So we had a discussion with several tech companies and cybersecurity companies on this topic and they open their eyes are where we were not aware about this. So this is very important that they start to have an awareness in training and then prevent target mistakes. So when you do offensive offensive security or something like that, just be sure
if you shut down a command and control that this command and control is a military dedicated command and control is not a dual use command and control that is used also for civilian purposes and proactively inform as a company what you are doing to avoid being attacked. So if you are doing protection or whatever, just let the world know what you're doing during the conflict. And you should also develop compliance in your companies and say, Hey, how are we doing the right? How are we now shifting to be a participant in the right to a conflict or not? So you have to be aware what you are doing during this period and then try to lobby to assure that civilian data should be protected as civilian asset. So till now, the civilian
data do not have the same level of protection as a civilian asset. So we advocate of considering civilian data protected as civilian asset, because when you disrupt civilian, you can cause a very harmful situation for civilians. And most important stuff, we discuss all this the other day with an attack against a satellite infrastructure, try to do segmentation of of the asset that you are providing to a government. So if a government wants to have an asset from your company, try to split between civilian body of the government and military body of the government so that when there is a war exploding and someone is trying to attack those assets, is going to focus on the military. One Thank you. One take question. Tomorrow. We have time for questions. Quickly, quickly. Just get your hands. Hi there. Thanks. Really enjoyed the talk. Just one kind of question. It seemed like an
overarching theme in this is that there's sort of a dual use nature to all of this stuff that the you know, like you said, like a cloud provider could be supporting a military, could also be supporting civilian businesses. And from a defenders perspective, you know, threats, although they can be nation state, they can be non nation state, whatever. You might just not care as a defender and you just want to protect your own system. So I guess because that distinction is hard on both sides, I think.
Do you see any room or what specifically would you see like on a maybe on a policy side or regulatory framework side that could help clarify that and help like deal with these dual use technologies in a way that helps distinguish civilian and military objectives? I'm thinking about if you. Thank you for the question and thinking about if you have a contract with the government as from the starting point, you have to define if there is a military asset, is this a civilian asset? So you have to be to be open with the government and saying what the purpose of of of our help here, what kind of infrastructure are we securing? And then it's up to you as a company saying, I don't want to protect a military entity because in case of war, I'm protecting something that can bring me to the battlefield. So this is up to the company having these these capability of distinguish already from the beginning of of the contract and being clear with the government what they're doing. One of the. One of the issues that you kind of have to deal with in both hot and cyber conflicts might be mercenaries. So what are your thoughts on kind of identifying private companies who might be affiliated with governments? That's a good question. I mean, I chair international maritime law does not prohibit
the participation in war. So this is up to an up to everybody to know if they want to participate to a war. I mean, but that you have behaving in a in a manner that you are not entitled to war crimes.
But from this point of view, you have to be aware of the fact that if you are a mercenary participating to a conflict, you can be attacked afterward from one of the parties of the conflict, even in kinetic ways. So we're talking about a kinetic reaction to a cyber operation. So this is up to everyone to do this. We we try to get in touch with those mercenaries, with the groups of people that are cooperating with the one of the other party. Try to explain them. What are the dangers bind into this, to this situation?
Just that they know what they what they are facing. Thank you. Yeah. We take one last. Not more. One more last one, quickly. Get. We have this man from Geneva all the way here. We have to make all the use of its time as we can get.
Go ahead with digital warfare, everyone. Or more and more people have equal access to be a part of war. They don't have to be in a military base. They don't have to grow up and go to boot camp. And I think as a people in general, we have a desire to fight for something.
So you talk about trying to stop this, the civilian ization of warfare, but I think it's the civilians that are that are wanting to be a part of something. Could there be a benefit to having the states provide a way for the civilians to actively defend their country, which might, you know, shoo them away from trying to be offensive and potentially more damaging? And if so, is that even something that's realistic or possible for states to give their citizens a way to defend without also creating a vulnerability for other countries to come in and know what's not defended or what needs to be fixed? Yeah, I mean, I think it's a it's a human being reaction if you want to take part of not from one of the parts of the conflict. I mean you feel engaged in something. But then the other side, what we what I'm showing here is with the digitalization way easier to get into so and this is the lack of cognitive process. So when you think I'm going to participate, just open the laptop and doing something right will be different. If you
have to go physically in the battlefield and taking a gun and participating. So this is the the war that is reframing you for doing this. That's why this is the problem of civilization. So we're bringing more and more civilians into the company because the easy with digital means and we have to think about is, okay, it's easy, but the consequences are exactly the same as participating physically into conflict. That's the main message of of
the talk today is that. Thank you very much, guys. Thank you. Mario, thank you.
2022-11-11 21:22