Note to Nations: Stop Hacking Hospitals
Why now is the time for global cyber-norms to protect health infrastructure.
In the early morning of March 14, the public announcement system of the Brno University Hospital in the Czech Republic broadcast an urgent message to all staff: Shut down your computers. As physicians and other health care workers responded to the coronavirus pandemic, the hospital was hit by a cyberattack. Brno, which houses one of the country’s biggest COVID-19 testing labs, had to take its entire IT system offline, cancel surgeries, and move patients to other hospitals.
The cyberattack threatened not only the lives of patients but also the broader fight against the coronavirus. Though the attack was thwarted quickly, it was a canary in a digital coal mine. Just one day later, on March 15, a cyberattack hit the U.S. Department of Health and Human Services—aiming to overload its servers. Hackers linked to Iran have reportedly been targeting World Health Organization staff since March 2 with phishing attacks as the organization has been in the midst of its response to the crisis. Russia, China, and North Korea are each taking advantage of the pandemic in their cyber-espionage operations—sending coronavirus-related phishing attempts to spread disinformation and gain access to servers—and U.S. officials have warned about foreign information campaigns stoking the flames of the crisis by sowing fears about a nationwide quarantine and spreading conspiracies that the virus originated with the U.S. military.
At a moment when medical systems are straining to respond to the coronavirus, the world must finally take steps to protect health infrastructure from cyberattacks. To do so, leaders can leverage the burgeoning movement to create so-called cyber-norms—shared international rules to build trust and stability online. Like those who decades ago created restrictions on attacks against those caring for the ill and wounded in war, we must today institute shared rules against attacks on critical infrastructure to protect our health care systems before it’s too late.
Cyberattacks on hospitals are not new. In 2017, an attack widely attributed to Russia debilitated much of Ukraine’s systems, including health care providers. The NotPetya malware used for the attack, ransomware that demands bitcoin payments to regain access to affected systems, also struck health care systems in Europe and the United States. In 2017, the Erie County Medical Center, a major hospital in Buffalo, New York, suffered a cyberattack that cost nearly $10 million as a ransom message demanding bitcoin popped up on over 6,000 of its computers.
Yet the rules regulating behavior in cyberspace are still underdeveloped. Powerful states have found cyber-operations useful tools and are reluctant to add too many restrictions on them. The Stuxnet worm, for instance, is widely believed to have helped the United States severely damage the Iranian nuclear program. But there hasn’t been what people call a cyber-Hiroshima—an event so horrifying that it creates widespread international revulsion against cyber-operations. The coronavirus may change that.
Because there are so few restrictions on state behavior in cyberspace, many international organizations are looking at ways to provide some necessary stability. At the United Nations, for example, two groups now work on developing rules for cyberspace. The Paris Call for Trust and Security in Cyberspace also seeks to build common principles for cyberspace and counts 78 states, around 350 civil society groups, and nearly 650 private sector actors among its signatories. Meanwhile, the Cybersecurity Tech Accord, the Siemens Charter of Trust, and the Global Commission on the Stability of Cyberspace have all sought to produce and promulgate cyber-norms to protect electoral infrastructure, emergency response teams, and, crucially, critical infrastructure. Until now, however, geopolitical divides and a lack of U.S. leadership have led to a fragmented norms ecosystem and prevented any one process from being widely adopted by all the key actors.
What these cyber-norms all have in common is an emphasis on critical infrastructure, including health systems. These efforts can serve as a foundation to protect hospitals and health systems during the coronavirus pandemic.
In armed conflict, a simple symbol—the red cross, red crescent, or red crystal—is supposed to protect those who wear it while caring for the wounded and the sick. The Geneva Conventions, which are legally binding and grew out of a norm-based movement, forbid targeting anything marked with these emblems.
Yet in cyberspace, there is no comparable symbol: Ones and zeroes in code cannot wear a red cross. Although the International Committee of the Red Cross has argued that humanitarian law applies in cyberspace, it is clear that this argument has not gained much traction, especially in peacetime. Cyber-norms may help. If some states make or reaffirm clear commitments to protect health infrastructure from cyberattacks, that could offer some protection for these systems while building momentum for others to do the same.
To be sure, such norms would not be a cure-all. They are not backed by the force of international treaty. There is the ever-difficult challenge of enforcement. Norms are also mostly focused on behaviors of states—nonstate actors such as criminal groups that are callous enough to endanger sick people will hardly care about international law, much less international norms.
But, as this pandemic has reminded us too many times in the last few weeks, the world cannot risk making the perfect the enemy of the good. Even U.S. President Donald Trump, who is not known as a champion of multilateral alliances, is likely to see that a limit against attacks on hospitals and health systems would give states one less thing to worry about. It would also allow hospital administrators, doctors, and nurses to focus a little more on the crises at hand. Facing a shared global threat, states may be able to overcome disagreements that have prevented consensus in recent years. To do this, leaders could focus narrowly on the norm to protect critical infrastructure to garner pragmatic international agreement on an issue that would protect everyone’s strained health care systems.
The time has come to strongly promote global rules against cyberattacks on critical infrastructure such as health care systems. In addition to protecting the well-being of health care workers and patients, such an agreement would have one more benefit. Norms have historically served as foundations for greater cooperation, such as the norm to protect those caring for the wounded and the sick in war. At a moment when the international order is shaking and nationalist cries are gaining strength, an example of global agreement may beget more such cooperation. A cyber-norm may not prevent the worst of this global pandemic, but it could be a pragmatic step toward both protecting our health care systems and fostering necessary cooperation in a time of crisis.