Cyber Attacks and Cyber (Mis)information Operations during a Pandemic

Paper by Marko Milanovic and Michael Schmitt. Journal of National Security Law & Policy. May 28, 2020.

Paper by Marko Milanovic and Michael Schmitt. Journal of National Security Law & Policy.

May 28, 2020.

The COVID-19 pandemic has been accompanied by reprehensible cyber operations directed against medical facilities and capabilities, as well as by a flood of misinformation. Our goal in this article is to map out the various obligations of states under general international law law and under human rights law with regard to malicious cyber and misinformation operations conducted by state and non-state actors during the pandemic. First, we consider cyber operations against health care facilities and capabilities, including public health activities operated by the government, and how such operations, when attributable to a state, can violate the sovereignty of other states, the prohibitions of intervention and the use of force, and the human rights of the affected individuals. Second, we perform a similar analysis with regard to state misinformation operations during the pandemic, especially those that directly or indirectly affect human life and health, whether such misinformation is targeting the state’s own population or those of third states. Finally, we turn to the positive obligations that states have to protect their populations from hostile cyber and misinformation operations, to the limits that human rights law imposes on efforts to combat misinformation, and to protective obligations towards third states and their populations.

We argue that international law can play a robust role in addressing the COVID-19 pandemic. For the most part, the parameters of the relevant legal rules are reasonably clear. But significant areas of uncertainty remain. For instance, at least one state, wrongly in our view, rejects the existence of the general international law rule most likely to be breached by COVID-19-related cyber operations, sovereignty. Another major issue is the extraterritorial application of the human rights obligations to respect and protect the rights to life and health in the cyber context, which we examine in detail.

It is difficult to find anything positive about this horrific global pandemic. However, perhaps it can help draw attention to the criticality of moving forward the international cyber law discourse among states much more quickly than has been the case to date. Many states have been cautious about proffering their interpretation of the applicable law, and to some extent rightfully so, but caution has consequences and can leave us normatively ill-prepared for the next crisis. Some states have condemned the COVID-19-related cyber operations, although seldom on the basis of international law as distinct from political norms of responsible state behavior. Hopefully, they will add legal granularity to future statements. But all states, human rights courts, human rights monitoring bodies, the academy, the private sector and NGOs must take up the challenge presented by this tragic pandemic to move the law governing cyberspace in the right direction.

See more