Russia’s invasion of Ukraine led unprecedented numbers of people to join patriotic cyber gangs. Now, the International Committee of the Red Cross (ICRC) has published rules of engagement for civilian hackers involved in conflicts in an attempt to protect civilians.
In February 2022, hackers identifying with the Anonymous collective said that they had launched cyber operations that briefly took down some websites associated with the Russian government. An Anonymous video posted Feb. 15, 2022 threatened to “take hostage” industrial control systems if the crisis in Ukraine escalated. Russian cyber forces hit back by targeting the websites of several Ukrainian banks and government departments with a wave of DDoS attacks. The following month, a hacking group affiliated with Anonymous claimed that it had breached the control center of the Russian State Space Corporation “Roscosmos” and cut off the agency’s control over its spy satellites. Another group, the Belarusian Cyber-Partisans, said it had hacked railway systems in Minsk, Orsha, and Osipovichi to obstruct Russian military movements from Belarus toward Ukraine.
ICRC says the Ukraine crisis is not the first time that civilian hackers have operated in the context of an armed conflict, and likely not the last. It presents eight “international humanitarian law-based rules that all hackers who carry out operations in the context of an armed conflict must comply with” and also sets out the responsibilities of countries to restrain them.
In the context of an armed conflict, international humanitarian law (IHL) does not prohibit hacking, and it does not prohibit civilians from conducting cyber operations against military assets. However, ICRC says that the phenomenon of civilian hackers conducting cyber operations in the context of an armed conflict is worrying for at least three reasons. One, they cause harm to civilian populations, either by targeting civilian objects directly or by damaging them incidentally. Two, civilian hackers risk exposing themselves, and people close to them, to military operations. Three, the more civilians take an active part in warfare, the more the line blurs between who is a civilian and who is a combatant. As a result, the risk of harm to civilians grows.
Under IHL, civilians must not be attacked unless and for such time as they directly participate in hostilities. Conducting cyber attacks against military or civilian targets can amount to such direct ‘participation in hostilities’ and risks making civilian hackers liable to attacks. In addition, while members of a State’s armed forces (including cyber operators) enjoy impunity for lawful acts of war (such as attacking a military installation) and become ‘prisoners of war’ when captured, civilian hackers do not, ICRC warns. If captured, they risk being considered criminals or ‘terrorists’ and prosecuted as such.
To help protect both hackers and civilians, ICRC has issued the following rules:
- Do not direct cyber attacks against civilian objects.
Civilian objects are all objects that are not military objectives. This includes civilian infrastructure, public services, companies, private property, and arguably civilian data. Military objectives do not enjoy the same protection. ‘Military objectives’ comprise primarily the physical and digital infrastructure of the military of a warring party. It may also include civilian objects, depending on whether and how they are being used by the military.
- Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.
For example, malware that spreads automatically, spills over, and damages military objectives and civilian objects without distinction must not be used.
- When planning a cyber attack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians.
For example, if you aim to disrupt electricity or railway services used by military forces, you must avoid or minimize the effects your operation may have on civilians. It is essential to research and understand the effects of an operation – including unintended ones – before conducting it, and to stop the attack if the harm to civilians risks being excessive. If you have gained access to an operating system but you do not understand the possible consequences of your operation, or you realize that the harm to civilians risks being excessive, stop the attack.
- Do not conduct any cyber operation against medical and humanitarian facilities.
Hospitals or humanitarian relief organizations must never be targeted.
- Do not conduct any cyber attack against objects indispensable to the survival of the population or that can release dangerous forces.
In international humanitarian law, objects containing dangerous forces are defined as ‘dams, dykes and nuclear electrical generating stations’; in reality, however, chemical and similar plants also contain dangerous forces. Objects indispensable for the survival of the civilian population include, among others, drinking water installations or irrigation systems.
- Do not make threats of violence to spread terror among the civilian population.
For example, hacking into communication systems to publish information designed primarily to spread terror among civilian populations is prohibited. Likewise, designing and spreading graphic content to spread terror among civilians in order to make them flee is unlawful.
- Do not incite violations of international humanitarian law.
Do not encourage or enable others to conduct cyber or other operations against civilians or civilian objects. For example, do not share technical details in communication channels to facilitate attacks against civilian institutions.
- Comply with these rules even if the enemy does not.
Revenge and reciprocity are no excuse for violations of international humanitarian law.
Many of these rules are already followed by some civilian hackers, such as not attacking hospitals, but others have said the rules are not viable and breaking them is unavoidable.
Fully aware that not all civilian hackers will follow the rules to the letter, ICRC also says countries should not encourage or tolerate civilian hackers conducting cyber operations in the context of an armed conflict. With regard to the conduct of private individuals in times of armed conflict, countries have a legal commitment to respect and to ensure respect for IHL.
This means that if civilian hackers act under the instruction, direction or control of a country, that country is internationally legally responsible for any conduct of those individuals that is inconsistent with the country’s international legal obligations, including international humanitarian law. Countries must not encourage civilians or groups to act in violation of international humanitarian law, and they have a due diligence obligation to prevent international humanitarian law violations by civilian hackers on their territory. ICRC acknowledges that countries cannot prevent all violations of the law, but says they must take feasible measures. In addition, countries have an obligation to prosecute war crimes and to take the measures necessary to suppress other IHL violations. ICRC adds that adopting laws or policies that turn a blind eye to civilian hackers conducting cyber operations, as long as those operations are directed against ‘the enemy’, does not comply with this obligation.
ICRC has itself been the victim of a cyber attack. In early 2022, the organization determined that servers hosting personal data belonging to more than 515,000 people worldwide had been compromised in a sophisticated cyber attack.
ICRC said the attackers used a very specific set of advanced hacking tools designed for offensive security. These tools are primarily used by advanced persistent threat groups and are not publicly available, and are therefore out of reach of other actors. ICRC determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. Anti-malware tools ICRC had installed on the targeted servers were active and did detect and block some of the files used by the attackers. But most of the malicious files deployed were specifically crafted to bypass the anti-malware solutions, and it was only when the organization installed advanced endpoint detection and response agents, as part of a planned enhancement program, that the intrusion was detected.