International communities should work together in the fight against life-threatening cyberattacks

On 10 September, a woman in need of urgent medical attention in the German city of Düsseldorf died after the ambulance driving her was diverted to another hospital more than 30km away. The reason – the Düsseldorf University Hospital had been hit by a critical ransomware attack. 

The incident is being investigated by German authorities but this may well turn out to be the first reported life lost to such a cyberattack. Governments and the international community needs to step up its efforts to combat this. The lives at stake are anything but virtual.

The aforementioned incident follows a very difficult 2020 for healthcare. Covid-19 put many hospitals and primary care centres under unprecedented strain, often pushing them to work well beyond their typical capacity. Cybercriminals fed off this desperation. They knew how catastrophic it would be if hospitals were not able to use their IT and telecommunication systems. Callously and cruelly they reportedly attempted to – and often succeeded in – encrypting the systems of healthcare facilities to pressure the hospital to pay a ransom.

Other attacks – ranging from disinformation campaigns to crippling critical systems – can do untold damage, cause delays to patients receiving care, and lead to loss of life. Since the beginning of Covid-19, new cyberattacks have been reported in Czechia, France, Thailand, and the US, amongst others. The World Health Organisation reported a fivefold increase in cyberattacks.

How would we react if armed persons, often from a foreign country, stormed a hospital, and stopped all staff from working, demanding money before they leave? Action would be swift and international condemnation strong. The structures – both for domestic law enforcement and incident response teams, as well as international law and cross-border cooperation – would be in place.

When it comes to a cyberattack, the threat of lives lost is the same, but responses get stuck in a quagmire of inadequate policies and a lack of international clarity. We have come to accept that little can be done about cyberattacks in modern life, and we mostly put the responsibility on local IT teams. Instead, we should be tackling it as a pressing international security issue that requires a global response.

There are numerous important discussions on the stability and security of cyberspace that cover cyberattacks, including two processes mandated by the United Nations General Assembly. The UN Security Council has been focusing on cyberattacks as well, most recently at an Arria-formula meeting on cyberattacks against critical infrastructure – though healthcare facilities are not universally considered part of critical infrastructure, which is yet another point of contention.  

Cyberattacks against healthcare facilities can only be combated through ambitious collective activity on the international stage that includes the private sector and civil society. National cyber security bodies must exchange information about risks and threats, and work internationally to raise technical capacity in countries that require more support. Domestic infrastructure and governance models are the first line of defence against cyberattacks. 

Countries must subscribe to established and emerging norms of state behaviour in cyberspace, which include rules not simply disallowing cyberattacks against healthcare and other critical infrastructure systems, but also obligating countries to prevent and punish such activity from taking place from within their territory. 

Once an attack has taken place, states must cooperate with each other and with private companies and civil society to mitigate the damage caused, investigate the attacks and hold those responsible accountable. International law already provides the mechanisms necessary to do this, and they apply in cyberspace. States must speed up discussions on how to put this into practice.

A secure cyberspace that is undivided, free and peaceful, will save lives. Making that happen requires a global shared understanding of how states can and should behave in cyberspace, as well as commitments to protect critical infrastructure such as healthcare. Covid-19 has demonstrated the unique vulnerabilities in the healthcare sector. While the borders that exist in the physical world do not exist in cyberspace, the ramifications of a lack of positive action are being felt around the world.

Karoliina Ainge is the former head of Estonian Cyber Security Policy and now works for the NGO Independent Diplomat