Table of Contents
Abstract#
ICRC analysis establishing that International Humanitarian Law protections extend to cyberspace—digital attacks on humanitarian organisations violate international law and may constitute war crimes.
Summary#
Written in response to the 2022 ICRC data breach affecting 515,000 people, three senior officials document how cyber operations, data breaches, and disinformation cause real-world harm. The report proposes protective measures including a digital Red Cross emblem and sovereign humanitarian cloud infrastructure separate from commercial providers.
Key Findings#
On the 2022 ICRC Data Breach#
The authors write from direct experience:
“In 2022 alone, the Red Cross and Red Crescent Movement members have been targeted in different ways, from a sophisticated data breach affecting personal data of over half a million people, to information operations that put their staff at risk, or ‘Distributed Denial of Service (DDoS)’ operations making websites or servers unavailable.”
The consequences were operational:
“One of the consequences of the 2022 breach of data hosted by the ICRC was that servers had to be taken down, systems rebuilt, and for several weeks services to locate missing family members could only continue at minimal levels, at times going back to using pens and paper.”
On Real-World Harm from Digital Attacks#
The authors document how digital operations cause physical harm:
“If computer systems or databases used by impartial humanitarian organisations are disrupted by cyber operations, their relief work necessarily slows down, becomes dysfunctional, and cannot reach people at scale – or at all.”
And on disinformation:
“Even if disinformation and threats of violence against humanitarian personnel are spread online on social media and other digital platforms, their negative impact is felt offline. In places affected by armed conflict, tensions are high, rumors spread easily, and false information falls on fertile ground.”
On IHL’s Three-Layer Protection#
The analysis documents three layers of legal protection under International Humanitarian Law:
| Layer | Protection |
|---|---|
| Civilian protection | Humanitarian premises, materials, and personnel must not be attacked (Additional Protocol I, Arts. 51-52) |
| Facilitation obligation | Agreed humanitarian operations must be allowed and facilitated by parties to conflict (Additional Protocol I, Art. 70) |
| Respect and protect | Humanitarian operations and personnel must be respected and protected from harm (Additional Protocol I, Art. 71) |
On Applying IHL to Cyberspace#
The authors argue these protections extend to digital operations:
“Directing such operations against impartial humanitarian organisations is prohibited… such operations will likely violate the obligations to allow and facilitate humanitarian activities and to respect and protect humanitarian operations.”
On data breaches specifically:
“If such operations involve manipulating, encrypting, or destroying humanitarian data, it would unduly interfere with humanitarian relief efforts and be prohibited.”
And a critical point on espionage:
“Even breaching humanitarian data without damaging or misusing it may be difficult to reconcile with the letter and spirit of IHL. For instance, spying on impartial humanitarian organisations would compromise the confidentiality of information, a key working modality for the ICRC.”
On War Crimes#
The analysis notes that attacking humanitarian organisations may constitute war crimes:
“Depending on the circumstances, attacking humanitarian organizations may even amount to a war crime – including in the digital sphere (see articles 8(2)(b)(iii); 8(2)(b)(xxiv); 8(2)(e)(iii) Rome Statute of the International Criminal Court).”
Proposed Solutions#
The authors propose multilayered responses:
Legal and Policy#
“We must strive towards a clear understanding of the real harm that digital threats against impartial humanitarian organisations cause and build a robust political understanding that they are unacceptable and, in fact, unlawful.”
Operational#
“Impartial humanitarian organisations have an important responsibility to adopt and implement appropriate cyber security, data protection and up-to-date strategies and processes to ensure resilience of their operations.”
Innovative Measures#
The authors propose new protective mechanisms:
- Digital emblem — A cyber equivalent of the Red Cross emblem to signal protected status in digital space
- Humanitarian cloud — Sovereign cloud infrastructure for humanitarian data, separate from commercial and government systems
- Delegation for Cyberspace — Safe environments to develop and test digital humanitarian services
- Disinformation preparedness — Increased capacity to manage false information campaigns
The Disinformation Threat#
The analysis specifically addresses online information operations:
“If the perception of their work changes, fueled by online or offline disinformation, humanitarian personnel can quickly be unable to leave their offices, distribute life-saving assistance, visit detainees, or bring news to people who have lost contact with a family member.”
And on legal limits:
“It is clearly unlawful to use social media – or any other media – to incite violence against civilians, including humanitarian personnel.”
Why This Matters Beyond Humanitarian Work#
This analysis establishes important precedents for any organisation handling sensitive data:
- Legal framework exists — IHL provides a model for arguing that attacks on critical civilian digital infrastructure violate international law
- Data breaches have physical consequences — The ICRC case demonstrates how cyber attacks translate to real-world harm
- Disinformation is a security threat — Online campaigns directly endanger personnel safety
- Sovereignty through infrastructure — The humanitarian cloud proposal shows how organisations can reduce dependency on commercial providers
The core message applies universally:
“For as long as people affected by armed conflict need impartial and independent humanitarian relief, those who provide it must be safeguarded, including against new threats.”
The Authors#
| Author | Role | Expertise |
|---|---|---|
| Tilman Rodenhäuser | Thematic Legal Adviser, ICRC | PhD in international law; expert on IHL and cyber operations |
| Balthasar Staehelin | Special Envoy for Foresight and Techplomacy, ICRC | Strategic engagement on technology and humanitarian action |
| Massimo Marelli | Head of Data Protection Office, ICRC | Leads ICRC’s data protection policy and practice |
Access#
Also available as PDF download from the blog.
Related Resources#
- Safeguarding Humanitarian Data (Movement Resolution) — The formal resolution adopted by the International Red Cross and Red Crescent Movement
- ICRC Cyber-attack: What We Know — Official ICRC statement on the 2022 breach
- Handbook on Data Protection in Humanitarian Action — The comprehensive reference work
- Digitalising the Red Cross Emblems — Report on the digital emblem proposal