Hackers do not live in cyberspace – States must impose limits

Civilian hackers conducting cyber operations in the context of an armed conflict should not be encouraged or tolerated by states.

The more civilian hackers who participate in cyber operations, the more likely it is that operations will violate applicable law and blur the line between combatants and civilians. As a result, the International Committee of the Red Cross (ICRC) has urged states to “give due consideration to the risk of exposing civilians to harm if encouraging or requiring them to participate in military cyber operations.“

Legally, all States have agreed not to “knowingly allow their territory to be used for internationally wrongful acts using ICTs” (para. 13(c)). While framed as a political commitment, this standard reflects states’ ‘due diligence’ obligations under international law, including in relation to civilian hackers operating from their territory (see here). Any State committed to the rule of law or a ‘rules-based international order’ must not turn a blind eye when people on its territory conduct cyber operations in violation of national or international law, even if directed against an adversary.

This entails, first and foremost, enacting and enforcing national laws that govern civilian hacking.

Furthermore, and particularly with regard to the conduct of private individuals during times of armed conflict, states have committed to respecting and ensuring respect for IHL. This legal obligation implies at least four things:

First, if civilian hackers act under the instruction, direction, or control of a State, that State is held internationally legally liable for any behaviour of those individuals that is inconsistent with the State’s international legal obligations, including international humanitarian law (see here, article 8, and here). For example, if a state employs private individuals or groups as “volunteers” and instructs them to conduct specific cyber operations in violation of international law, the state is legally liable for such violations (see here, para. 2 on article 8). (This responsibility is in addition to the private hacker’s potential criminal liability).

Second, states must not encourage civilians or groups to engage in conduct that violates international humanitarian law (see here, para. 220). This means that State agents – whether military, intelligence, or any other government actor – are prohibited from encouraging civilians or groups to direct cyber attacks against civilian objects, regardless of the channel or app used.

Third, states have a duty of care to prevent violations of international humanitarian law by civilian hackers on their territory (see here, para. 183). Of course, a state cannot prevent all legal violations. However, it must take practical steps, such as public statements requiring civilian hackers not to conduct cyber operations in relation to armed conflicts, to respect IHL if they do, and to prosecute violations under national law.

Fourth, states have an obligation to prosecute war crimes and take other IHL violations seriously (articles 49/50/129/146 GCI-IV; article 85 Additional Protocol I). First, the necessary laws that criminalise cyber operations amounting to war crimes must be adopted and enforced, and second, effective measures to stop all other violations of IHL must be implemented, which may include legal, disciplinary, or administrative measures. Adopting laws or policies that turn a blind eye to civilian hackers conducting cyber operations as long as they are committed against ‘the enemy’ clearly does not meet this obligation.