International Committee of the Red Cross releases report on the human cost of cyber operations. What rules exist? Need to expand? I'm proud being part of this (co-author). Threat with analysis. #CyberICRC blogs.icrc.org/law-and-policy…

My analysis of @ICRC report selection. Cyberoperations. What impacts on exploit cost? Why supply chain attacks are a risk? Targeting health care (lethal cyberattacks; can you even detect?), ICS. Armed conflict context. How to move forward? #CyberICRC blog.lukaszolejnik.com/icrc-report-on…

The full report is here. My analysis follows. Report speaks on cyber operations & armed conflict context, where many peacetime assumptions may differ. Supply chain attacks are a risk. Exploit price is driven by specific demand. #CyberICRC icrc.org/en/download/fi…

Are cyber operations (espionage, attacks) cheaper than traditional spy/attacks? Not so simple, there are a lot of other costs involved. #CyberICRC

Technological change impacts on risk (attack/defence). For example processor changes might actually solve a lot of security problems, making exploits non-viable. Will this happen? #CyberICRC

As hospitals are increasingly digitized, risk of it falling apart following cyberattack increases. Unfortunately there is an (unethical) reason why hospitals are targeted with ransomware.

On lethal cyberattacks, there are a lot uncertainties. Technically killing with cyberoperation is possible. It would have serious consequences. On the other hand, detection today is not certain. Is anyone even looking? #CyberICRC blog.lukaszolejnik.com/icrc-report-on…

Cyberattacks on industrial control systems, with physical effects (disruption, destruction) is fortunately difficult and require large resources. Not many have the capability. In armed conflict motivations change. #CyberICRC

Some people still speak of "grey zones" when it comes to cyberattacks? Well, not always precisely. There are a lot of rules in international law. How to apply them is another story! Oh, and forget about cyber-only war. #CyberICRC

Disclosing vulnerabilities improves cybersecurity. But countries are not obliged to do so. Using exploits for spying is also not forbidden. Exploits leave traces making it easier to recover and reuse in later attacks. Are these remnants of war (i.e. mines)? #CyberICRC

It's not simple to predict collateral damage of cyber operations. But in some contexts, some might choose to prefer it over physical kinetic destruction (less civilian harm). Your point? #CyberICRC

Interested in cyber-peacekeeping? Consider those below. Can digital markers help distinguish essential off-limits civilian infrastructure? Can they explain cyberattack purpose (stability)? #CyberICRC

Malware reengineering and repurpose an important consideration. Meanwhile, some systems (even high-stakes) and device are highly vulnerable. In assessing the risk (or actual attack), focus on the impact. #CyberICRC

Some tools ("cyber weapons") can be unlawful. Rules already exist. But in some contexts programmers, developers, analysts, etc. - can become combattants and lawful targets. Not simple to establish, though. Same for military objectives. #CyberICRC

Lastly, many technical avenues to explore, also on the "weaponization of vulnerabilities" development front. #CyberICRC