An essay by two ICRC officials seeks to offer clarity on hacktivism and the laws of war.
Hacktivism and the laws of war.
In an essay published by the European Journal of International Law the International Committee of the Red Cross (ICRC) has issued guidelines for hacktivists, They constitute an extension of existing international norms of armed conflict and international humanitarian law to cyberspace, with a view to preserving norms that would protect noncombatants, not only against attacks against infrastructure on which they depend, but also from online incitement to atrocity. The authors, Tilman Rodenhäuser (legal adviser at the ICRC) and Mauro Vignati (adviser on new digital technologies of warfare at ICRC headquarters in Geneva), are responding to what they see as a "worrying trend:" the rising tendency for civilians to participate in wars through offensive action in cyberspace.
Hacktivism in recent wars.
The authors cite several examples of wartime hacktivism as instances of this trend: Greek hacktivists (and these are apparently grass-roots hacktivists, not state-directed auxiliaries) attacking Azerbaijan government sites in support of Armenia during the conflict over Nagorno-Karabakh, the Anonymous campaign against the Islamic State (neither party is an actual government), the Syrian Electronic Army (which operates from Dubai in the interests of the Assad regime), and hacktivist auxiliaries on both sides of Russia's war against Ukraine.
Eight rules for hacktivists.
The rules the ICRC writers propose are extensions of familiar restrictions that require discrimination--that is, protection of noncombatants and non-military targets from attack--and proportionality--that is, limitation of damage and suffering to the minimum required by military necessity.
- "Do not direct cyber attacks against civilian objects. Civilian objects are all objects that are not military objectives. This includes civilian infrastructure, public services, companies, private property, and arguably civilian data. Military objectives do not enjoy the same protection. ‘Military objectives’ comprise primarily the physical and digital infrastructure of the military of a warring party. It may also include civilian objects, depending on whether and how they are being used by the military.
- "Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately. For example, malware that spreads automatically, spills-over, and damages military objectives and civilian objects without distinction must not be used.
- "When planning a cyber attack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians. For example, if you aim to disrupt electricity or railway services used by military forces, you must avoid or minimize the effects your operation may have on civilians. It is essential to research and understand the effects of an operation – including unintended ones – before conducting it. When planning a cyber attack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians, and stop the attack if the harm to civilians risks being excessive. If you have gained access to an operating system but you do not understand the possible consequences of your operation, or realize that the harm to civilians risks being excessive, stop the attack.
- "Do not conduct any cyber operation against medical and humanitarian facilities. Hospitals or humanitarian relief organizations must never be targeted.
- "Do not conduct any cyber attack against objects indispensable to the survival of the population or that can release dangerous forces. In international humanitarian law, objects containing dangerous forces are defined as ‘dams, dykes and nuclear electrical generating stations’; in reality, however, chemical and similar plants also contain dangerous forces. Objects indispensable for the survival of the civilian population include, among others, drinking water installations or irrigation systems.
- "Do not make threats of violence to spread terror among the civilian population. For example, hacking into communication systems to publish information designed primarily to spread terror among civilian populations is prohibited. Likewise, designing and spreading graphic content to spread terror among civilians in order to make them flee is unlawful.
- "Do not incite violations of international humanitarian law. Do not encourage or enable others to conduct cyber or other operations against civilians or civilian objects. For example, do not share technical details in communication channels to facilitate attacks against civilian institutions.
- "Comply with these rules even if the enemy does not. Revenge or reciprocity are no excuses for violations of international humanitarian law."
By "cyber attack" the essay means an operation that "can be reasonably expected to result – directly or indirectly – in damage, disabling, or destruction of objects (such as infrastructure and, arguably, data) or injury or death of people." Collection of information online, presumably even from a non-cooperating target, is explicitly excluded.
Four rules for states.
Hacktivists, as the essay points out, live somewhere in physical space, and therefore under the legal jurisdiction of some state. States are responsible, under international law, for preventing their territory from being used in actions that violate that law. There are, therefore, three considerations states should bear in mind with respect to hacktivism.
- "First, if civilian hackers act under the instruction, direction or control of a State, that State is internationally legally responsible for any conduct of those individuals that is inconsistent with the State’s international legal obligations, including international humanitarian law (see here, article 8, and here)."
- "Second, States must not encourage civilians or groups to act in violation of international humanitarian law (see here, para. 220)."
- "Third, States have a due diligence obligation to prevent international humanitarian law violations by civilian hackers on their territory (see here, para. 183)."
- "Fourth, States have an obligation to prosecute war crimes and take measures necessary to suppress other IHL violations (article 49/50/129/146 GCI-IV; article 85 Additional Protocol I)."
Hacktivists as irregular combatants.
Cyberspace has a disinhibiting effect on its users, and that disinhibition, that sense of immunity and impunity, carries over to hacktivism, many of whom act without a sense of consequences that might restrain them IRL. One of the cautions Rodenhäuser and Vignati emphasize is that irregular combatants can be treated as combatants, and even, under some circumstances, as criminals. "Civilian hackers risk losing protection against cyber or physical attack and may be criminally prosecuted if they directly participate in hostilities through cyber means."
One of the developments in international law since the Second World War has been a general movement to bring irregular forces--guerrillas, partisans, etc.--under the rules of armed conflict, with both the combatants' rights (to surrender, to treatment as prisoners of war, and so forth) and the combatants' responsibilities (to adhere to the rules of armed conflict, to avoid perfidy, etc.). The ICRC's essay is a reminder of how that extension will wind up being applied to hacktivism.