The efforts of the International Committee of the Red Cross (ICRC) to establish rules of engagement to combatants in a cyberwar should be applauded internationally, even if adherence is likely to be limited. The ICRC recently released a set of rules for civilian hackers involved in conflicts to follow in order to clarify the line between civilians and combatants, as cyberspace can be a blurry place to work in — especially during a war.
The ongoing conflict between Russia and Ukraine in particular has caused unprecedented numbers of civilian hackers to place themselves in the middle of the war, using their skills to fuel attacks on banks, manufacturing facilities, hospitals, and railways, in an attempt to sway the war to one side or another. Cyber vigilantism isn’t a new concept, but the large scale of these nascent patriotic cyber “gangs” has given the ICRC reason to take action with the hope that that hackers on both sides adhere to these rules.
Do’s and Don’ts for Hacktivists
ICRC’s eight rules for “hacktivists” are:
Do not direct cyberattacks against civilian objects.
Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.
When planning a cyberattack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians.
Do not conduct any cyber operation against medical and humanitarian facilities.
Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces.
Do not make threats of violence to spread terror among the civilian population.
Do not incite violations of international humanitarian law.
Comply with these rules even if the enemy does not.
These rules come at a time when it’s never been easier for groups, or even individuals, to get involved in attacks and do their part for their cause. The easier it is for anybody with a grudge to launch a cyberattack, the less restrictive these rules will be and the less they will be followed. Many of the stateless groups involved in the Russia-Ukraine conflict aren’t bound by current national or international laws. Indeed, several groups, such as the pro-Russian Killnet group, already have reported they will not follow the ICRS’s rules.
Even though these rules likely will not be accepted by the hacking groups currently operating within the Russia-Ukraine conflict, the ICRC should be commended for coming up with and publishing these rules. Establishing norms is crucial for holding such groups accountable for potential war crimes, civilian death and destruction, and other harmful ancillary effects.
The rules are supposed to fall in line with international humanitarian law, a set of rules that seek to limit the effects of armed conflict and, when broken, constitute war crimes. The IHL rules for armed conflict are critical in protecting citizens in military zones during wartime, but the often anonymous and detached nature of cyberspace means it will be much, much harder to police these new cyber-focused IHL rules.
Rule No. 3, for example, is absolutely critical to mitigating the damage to civilians during a conflict. But civilian hackers working on behalf of a military goal may be totally unaware of the unintended destruction they would cause with their attacks. When preparing any kind of cyberattack, the intelligence that an actor has going into the target environment is rarely 100%, even if they’re a professional. If the intention is to impact a single component of a bank, for example, but the attacker fails to realize that a nearby hospital relies on that same electrical grid, the situation can escalate very quickly. And when it’s a low-skilled attacker with little regard or understanding of what a high-powered tool can do, miscalculations become alarmingly easy.
It’s also likely that the private sector will take the brunt of this collateral damage. For example, NotPetya — a targeted attack against Ukrainian infrastructure — went into the wild in 2017, paralyzing factories across the globe and costing shipping company Maersk $300 million. The other cause for concern is that the commercialization of cybercrime has enabled less advanced actors to rent state-of-the-art malware and launch campaigns with speed and with ease. For example, the Colonial Pipeline attack was likely orchestrated by an affiliate who had paid for the DarkSide malware. This makes it far more challenging to monitor who is being targeted, and even the developers probably don’t know for certain how and where their malware will be used.
The ICRC is sending these rules to hacking groups on both sides of the conflict, and has called on all states — not just Russia and Ukraine — to “give due consideration to the risk of exposing civilians to harm if encouraging or requiring them to be involved in military cyber operations.” Creating the parameters for civilian hackers involved in conflicts now hopefully will lead to internationally accepted and enforceable rules in the future. If even some level of deterrence can be achieved by these rules, it will serve to avoid unnecessary damage and harm in future conflicts.