International Committee of the Red Cross details 8 rules for civilian hackers in wartime

The conflict between Ukraine and Russia has seen a quantum increase in civilian hackers taking sides and choosing their targets with military goals in mind. This is nothing entirely new, but the scale of involvement is.

This was the background for a recent blog post from the International Committee of the Red Cross (ICRC), which, on 4 October, laid down eight simple rules alongside a cautioning word for any civilian activist hoping to aid their country in a time of war.

“With many groups active in this field, and some of them having thousands of hackers in their coordination channels and providing automated tools to their members, the civilian involvement in digital operations during armed conflict has reached unprecedented proportions,” the ICRC said in a Law & Policy blog post.

Now, just days after posting the set of rules, hackers from all over the world are taking sides in the conflict between Israel and the Palestinian terrorist organisation Hamas. Distributed denial-of-service attacks are being targeted at the websites of government agencies, newspapers, and even airports.

Other threat actors are claiming to be working towards more impactful targets, such as industrial systems and more. So far, the attacks are very much nuisance-level, though Anonymous Sudan has claimed to have disrupted Israel’s Iron Dome air defence system and its civilian early warning systems.

Regardless of the conflict, the Red Cross’ reiteration of international humanitarian law and how it affects civilians engaging in conflict are worth repeating – perhaps even more so now.

8 rules of civilian hackers involved in an armed conflict

1. Civilian targets are off-limits.

VIEW ALL

This one is pretty simple – if a target is not military, it is NOT a target. This includes public services, private property, and “arguably civilian data”, according to the Red Cross.

2. Avoid malware that may spread itself automatically.

A hacker may intend their malware payload for a military target, but if that same malware spreads from a military network to a civilian network, that could be seen as a war crime.

3. Even if the target is military, take effort to avoid collateral civilian damage.

The example the Red Cross gives here is where a hacker might target transport infrastructure engaged in the carriage of war material. A railroad might carry tanks to the front, but it is also used by civilian trains – so hackers need to balance the military impact against the civilian one.

“When planning a cyber attack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians,” the Red Cross said, “and stop the attack if the harm to civilians risks being excessive”.

4. Do not target hospitals.

In fact, do not target anything that is humanitarian or medical in nature.

5. Targets that are “indispensable” to the local population or could “release dangerous forces” are off-limits.

According to international humanitarian law, “dams, dykes and nuclear electrical generating stations” are strictly forbidden as targets, and that counts for kinetic military operations and cyber operations, due to the impact of their possible failure. Similarly, anything without which a civilian population can survive, such as drinking water, is not a legitimate target.

6. Striking terror in the population is not on.

Anything that is designed to cause terror – such as hacking into broadcast systems or other communications – and thus make populations likely to flee is against international humanitarian law.

7. Do not incite others to violate the international humanitarian law.

Aiding or assisting those proposing to do any of the above is also not on. This includes sharing technical details that could help another hacker.

8. Even if the enemy doesn’t follow these rules, you must.

Revenge is not a defence.

Civilian hackers are liable to prosecution

If civilians “directly participate in hostilities through cyber means”, they may be considered combatants.

Civilians are generally not meant to be targeted, according to international humanitarian law, unless they are directly participating in the conflict – this makes hackers, too, legitimate targets, liable to be attacked in turn.

More dangerous, while a military hacker, if captured, would likely be seen as a prisoner of war and protected as such, a civilian operator would be without such protection and could be prosecuted as a criminal or terrorist.

What can nation-states do?

The big question is how civilian hackers can be regulated when it comes to conflict. Unsurprisingly, the Red Cross feels the onus is on the states those hackers operate from.

“Any state that is committed to the rule of law or a ‘rules-based international order’ must not close its eyes when people on its territory conduct cyber operations in disregard of national or international law, even if directed against an adversary,” the Red Cross said.

This comes with its own four areas of responsibilities for states to consider

1. If a civilian hacker operates under the direction of a state, that state is responsible for the hacker’s actions.

“For instance, if a state uses private individuals or groups as ‘volunteers’ and instructs them to carry out particular cyber operations in disregard of international law,” the Red Cross said, “the state is legally responsible for such violations”.

2. This one’s simple – states must not encourage their civilians to operate in violation of international humanitarian law.

3. Nations have “due diligence” to prevent illegal operations on their territory. The state “must take feasible measures, such as taking public positions requiring civilian hackers not to conduct cyber operations in relation to armed conflicts, to respect IHL if they do, and suppress violations under national law”.

4. States must prosecute war crimes and prevent any other violations of international humanitarian law. This includes adopting the necessary laws to criminalise “cyber operations amounting to war crimes”.

According to international humanitarian law and the Red Cross, no one involved in a conflict is beyond these rules.

“... every hacker that conducts operations in the context of an armed conflict must respect them, and states must ensure this is the case to protect civilian populations against harm,” Red Cross said.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.