As digital technology changes how militaries conduct war, a concerning trend has emerged in which an increasing number of civilians become involved in armed conflicts via digital means. Civilians – from hacktivists to cyber security professionals, ‘white hat’, ‘black hat’, and ‘patriotic’ hackers – are conducting a variety of cyber operations against their ‘enemy’ while sitting some distance away from physical hostilities, including outside the countries at war. Some have called civilians “first choice cyberwarriors” because the “vast majority of expertise in cyber(defence) lies with the private (or civilian) sector.”
There are numerous examples of civilian hackers operating in the context of armed conflicts (see here, here, and here). In the international armed conflict between Russia and Ukraine, some groups present themselves as a “global IT community” with the mission of “helping Ukraine win by crippling aggressor economies, blocking vital financial, infrastructural, and government services, and exhausting major taxpayers.” Others, among other things, have reportedly “called for and carried out disruptive – albeit temporary – attacks on hospital websites in both Ukraine and allied countries.” With a plethora of groups active in this field, some of which have thousands of hackers in their coordination channels and provide automated tools to their members, civilian involvement in digital operations during armed conflict has reached unprecedented levels.
This is not the first time civilian hackers have operated in the context of an armed conflict, and it is unlikely to be the last. In this post, we will explain why this trend should concern states and societies. Following that, we present eight international humanitarian law-based rules that all hackers conducting operations in the context of an armed conflict must follow, and we remind states of their responsibility to restrain them.
Concerning Trend: Civilians Engage In Digital Warfare
Civilian hackers conducting cyber operations during wars is concerning for three reasons.
One, they harm civilians by targeting or accidentally damaging civilian objects. Some experts call civilian hackers and groups “cyber vigilantism” because their operations are simple and unlikely to have a big impact. However, civilian hackers and ‘armies’ have disrupted banks, companies, pharmacies, hospitals, railway networks, and government services.
Military operations threaten civilian hackers and their loved ones. A party to an armed conflict may consider them directly involved in hostilities depending on the operation they conduct (see cyber-specific analyses here and here). Their computers and digital infrastructure risk becoming military targets, making them vulnerable to attack. According to the adversary, the hacker may be attacked by bullet, missile, or cyber operation, depending on their location.
Three, as civilians participate more in warfare, the line between civilian and combatant blurs. The risk of civilian harm rises, and legal experts wonder if the principle of distinction, central to international humanitarian law, can withstand this pressure.
Eight Civilian Hacking Rules For Armed Conflicts
Cyberspace is not a lawless zone; even wars have boundaries.
Civilian hackers must, of course, follow the laws of the countries in which they operate. In times of armed conflict, international humanitarian law (IHL) provides a universally agreed-upon set of rules that aim to protect civilians, as well as soldiers who are no longer able to fight, from some of war’s horrors. The most egregious violations of these rules are classified as war crimes and can be prosecuted both nationally and internationally.
IHL does not prohibit ‘hacking’ in the context of an armed conflict, nor does it prohibit civilians from conducting cyber operations against military assets. However, it establishes fundamental humanitarian considerations on civilian protection, implying obligations that everyone must uphold when conducting operations in the context of an armed conflict, regardless of the reasons for the conflict, whose goals are deemed legitimate, or whether an operation is conducted in offence or defence.
IHL is made up of hundreds of rules; here is one word of caution and eight rules that anyone conducting a cyber operation in the context of an armed conflict (including non-State armed groups and civilian hackers) must be aware of and respect at the very least. Groups or collectives must ensure that their members adhere to these guidelines.
Caution: Civilian Hackers Risk Losing Protection Against Cyber Or Physical Attack And May Be Prosecuted For Directly Participating In Digital Warfare
Civilians are not to be attacked under IHL unless and until they directly participate in hostilities. Conducting cyber attacks against military or civilian targets can be considered direct “participation in hostilities,” exposing civilian hackers to attack. Furthermore, while members of a state’s armed forces (including cyber operators) are immune from prosecution for lawful acts of war (such as attacking a military installation) and become ‘prisoners of war’ when captured, civilian hackers are not (here, para. 3634 on article 85 GCIII). If they are apprehended, they risk being labelled criminals or “terrorists” and prosecuted as such.
1. Do not launch cyberattacks* against civilian objects
Civilian objects are all non-military objectives. Civilian infrastructure, public services, businesses, private property, and potentially civilian data are all included. Military objectives are not afforded the same safeguards. Military objectives are primarily the physical and digital infrastructure of a warring party’s military. Depending on whether and how they are used by the military, civilian objects may also be included.
2. Avoid malware and other tools that automatically damage military and civilian targets
Malware that spreads automatically, spills over, and damages both military and civilian targets without distinction, for example, must not be used.
3. When planning a cyber attack against a military target, do everything possible to avoid or minimise the impact on civilians
For example, if your goal is to disrupt military forces’ access to electricity or railway services, you must avoid or minimise the impact on civilians. Before carrying out an operation, it is critical to research and comprehend its consequences, including any unintended consequences. When planning a cyber attack against a military target, do everything possible to avoid or minimise the effects on civilians, and halt the attack if the harm to civilians threatens to be excessive. Stop the attack if you have gained access to an operating system but do not understand the potential consequences of your operation or realise that the harm to civilians may be excessive.
4. Do not conduct any cyber operations against medical and humanitarian facilities
Hospitals or humanitarian relief organizations must never be targeted.
5. Do not launch any cyber attacks against objects critical to the survival of the population or that have the potential to release dangerous forces
Objects containing dangerous forces are defined as “dams, dykes, and nuclear electrical generating stations” in international humanitarian law; however, chemical and similar plants also contain dangerous forces. Drinking water installations and irrigation systems are examples of objects that are essential for civilian survival.
6. Make no violent threats in order to instill fear among the civilian population
Hacking into communication systems, for example, to publish information intended primarily to spread terror among civilian populations is prohibited. Similarly, designing and disseminating graphic content to instill fear in civilians in order to cause them to flee is illegal.
7. Do not incite people to violate international humanitarian law
Do not encourage or assist others in carrying out cyber or other operations against civilians or civilian objects. Do not, for example, share technical details in communication channels in order to facilitate attacks on civilian institutions.
8. Even if your opponent does not follow the rules, you must
Revenge or reciprocity are not justifications for violations of international humanitarian law.
* Under IHL, and in the context of cyber operations, the notion of attack refers to cyber operations that can be reasonably expected to result – directly or indirectly – in damage, disabling, or destruction of objects (such as infrastructure and, arguably, data) or injury or death of people. It does not, for instance, include cyber operations aimed at obtaining unauthorized access to information.
For more detailed positions of the International Committee of the Red Cross on IHL and cyber operations, see here and here. To learn more about how international law applies in cyberspace, consult the ‘Cyberlaw Toolkit’.