More than 120 lawyers have signed the Oxford Statement on the International Law Protections Against Cyber Operations Targeting the Health Care Sector. The Oxford Statement is a declaration that the world is not incapable of combating assaults on healthcare computer systems, which are increasingly vulnerable to cyber harm as a result of the ongoing COVID-19 pandemic. 

The Oxford Statement reads: “We, the undersigned public international lawyers, have watched with growing concern reports of cyber incidents targeting medical facilities around the world, many of which are directly involved in responding to the ongoing COVID-19 pandemic. We are concerned that the impact of such incidents is exacerbated by the existing vulnerability of the health-care sector to cyber harm. Even in ordinary times, this sector is particularly vulnerable to cyber threats due to its growing digital dependency and attack surface.

“We consider it essential that medical facilities around the world function without disruption as they struggle to respond to the COVID-19 pandemic. Any interference with the provision of health care, including by cyber means, risks further loss of life as thousands continue to die every day.”

Initiated by Professor Dapo Akande, Co-Director of the Oxford Institute for Ethics, Law and Armed Conflict, the Statement has been signed by legal experts from over 20 countries including Argentina, India, China, Germany, France, and the US.

Professor Akande explains: “[We] have come up with a set of principles, something that states can point to as a framework for battling cyber-attacks. We hope the Statement will be used as an example of what the rules are.”

The Oxford Statement has already been referred to in the UN Security Council as a good articulation of relevant international law principles.

Professor Akande says that cyber-attacks against healthcare facilities can be tackled using existing international law on human rights: “[We] don’t need new rules, we already have them.” He places a duty on providers and nations to protect their own citizens and those of other countries. Since cyber-attacks in one country will originate from, pass through, or use infrastructure located in other countries, those other countries are required, under international law, to ensure that harm is not caused to other states and their populations. 

Professor Akande describes that a two-pronged approach will be needed in order to create an international consensus on the issue. Countries must protect themselves and others by exercising due diligence, but they are also entitled to take action against unlawful activity against states using counter measures.

He said: “Right now, taking action against cyber-attacks against the health sector is low-hanging fruit, world leaders are wanting to sign up and back the campaign. It is easier if we act together.”