This is the first article in a series about how faculty from Temple Law are helping to shape law and policy at an international level. The professors highlighted in this series have ties to the United Nations, are actively involved in roles that have an impact on the global stage, and are putting international law theory into practice.
Amid the peak of the COVID-19 outbreak in March 2020, a cyberattack hit the second-biggest hospital in the Czech Republic, compromising the medical care facility’s ability to transfer information between its facility systems and databases. The attack forced the University Hospital Brno to postpone urgent surgical interventions, reroute new acute patients and disrupted the processing of coronavirus tests.
Since then, cyber incidents targeting the health-care sector have been reported from countries including Ireland, France, Spain, Thailand, and the United States.
With nearly twice the volume of cyber-attacks than the previous year, officials in the Czech Republic were scrambling to protect its healthcare center following network disruptions to the University Hospital Brno and the Psychiatric Hospital in Kosmonosy. Countries around the world condemned the attacks and looked to experts to determine the protections afforded by existing international laws.
Professor Duncan Hollis, Laura H. Carnell Professor of Law and co-faculty director of Temple’s Institute for Law, Innovation and Technology (iLIT), is a globally recognized scholar focusing on issues of international law and cybersecurity. Together with Oxford University Professor Dapo Akande, he co-convened what became known as the Oxford Process on International Law Protections in Cyberspace to address cyber attacks against the healthcare sector.
“What we discovered was if you asked lawyers what was protected, there was pretty uniform agreement: You can’t hack hospitals,” Professor Hollis said. “As lawyers though, we fight about which rationale is the right one all the time. What the Oxford Process did was figure out that we could get greater consensus if we asked lawyers what was prohibited, permitted or required without requiring them to explain why this was so.”
Under the auspices of the Oxford Institute for Ethics, Law and Armed Conflict (ELAC) at the Blavatnik School of Government—the school of public policy at Oxford University in England, Professors Hollis and Akande were able to bring together international legal experts from around the globe to work on identifying and clarifying rules of international law beginning with the threat to the healthcare sector.
As one of the convenors of this process, Professor Hollis then worked to bring international lawyers together online and off to discuss other pressing problems of international legal regulation online. Among other things, the Oxford Process went on to produce five “Statements,” each of which has been signed by over 100 international lawyers on how international law works to protect against ransomware operations, foreign electoral interference, information operations, cyber operations targeting the health care sector generally, and vaccine research specifically.
In all these cases, Professor Hollis and others found, the reasons varied on why international lawyers understood targets like hospitals and election machinery should not be hacked, either because it violates sovereignty, the duty of non-intervention, or because of the UN Charter’s prohibition of use of force.
Cyber operations have posed an increasing threat to our daily lives. In what Professor Hollis called a “watershed moment” in 2007, the Estonian Government removed a Soviet war monument from Tallinn, triggering three weeks of denial of service (DDoS) attacks from Russia-based attackers crippling the Estonian public and private sector organizations. This was the first time that foreign actors threatened another nation’s security and political independence primarily through cyber operations.
“States began to really think about militarizing and having forces that would both do offense and defense in cyberspace,” Professor Hollis said, citing that the United States enlists over 5,000 forces under U.S. Cyber Command.
As the U.S. presidential election in 2020 loomed, the risks cyber operations posed to elections became a global priority. This, in part, led to the drafting of the Third Statement of the Oxford Process, which explains international law protections against foreign electoral interference through digital means.
“And then the question becomes, what are you going to do about it?” Professor Hollis said. “What steps will you take to ensure your state is not playing host to this unlawful behavior?”
The Oxford Process has begun to draw attention from sovereign states around the world. It has been favorably discussed in UN Security Council meetings. Costa Rica, which was the victim of a major ransomware attack in 2022, cited the Oxford Process in a national statement it made about international law in cyberspace last year as did the Czech Republic in a statement it published in March 2024.
The work of the Oxford Process has recently been collected into a 500+ page compendium, which is available for free here: https://www.elac.ox.ac.uk/wp-content/uploads/2022/10/Oxford-Process-Compendium-Digital.pdf