Eight rules for “civilian hackers” during war, and four obligations for states to restrain them

Today, an unprecedented number of civilians are becoming involved in armed conflicts through digital means. Civilians – including hacktivists, cyber security professionals, and ‘white hat’, ‘black hat’ and ‘patriotic’ hackers – are conducting a range of cyber operations against their ‘enemy’.

The phenomenon of civilian hackers conducting cyber operations in the context of an armed conflict is worrying for at least three reasons.

One, they cause harm to civilian populations, either by targeting civilian objects directly or damaging them incidentally. 

Two, civilian hackers risk exposing themselves, and people close to them, to military operations. 

Three, the more civilians take an active part in warfare, the more the line blurs between who is a civilian and who a combatant. As a result, the risk of harm to civilians.

Eight rules for civilian hackers operating in the context of an armed conflict

Civilian hackers must respect the law of the countries they operate in. In times of armed conflict, they must also respect international humanitarian law. 

IHL consists of hundreds of rules. The ICRC has highlighted 8 rules that anyone who conducts a cyber operation in the context of an armed conflict (including non-State armed groups and civilian hackers) must respect. These are not new rules – they restate existing legal obligations.

Caution: Civilian hackers risk losing protection against cyber or physical attack and may be criminally prosecuted if they directly participate in hostilities through cyber means.

1. Do not direct cyber attacks* against civilian objects.

Civilian objects are all objects that are not military objectives. This includes civilian infrastructure, public services, companies, private property, and arguably civilian data. Military objectives do not enjoy the same protection. ‘Military objectives’ comprise primarily the physical and digital infrastructure of the military of a warring party. It may also include civilian objects, depending on whether and how they are being used by the military.

* Under IHL, and in the context of cyber operations, the notion of attack refers to cyber operations that can be reasonably expected to result – directly or indirectly – in damage, disabling, or destruction of objects (such as infrastructure and, arguably, data) or injury or death of people. It does not, for instance, include cyber operations aimed at obtaining unauthorized access to information.

2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.

For example, malware that spreads automatically, spills over, and damages military objectives and civilian objects without distinction must not be used.

3. When planning a cyber attack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians.

For example, if you aim to disrupt electricity or railway services used by military forces, you must avoid or minimize the effects your operation may have on civilians. It is essential to research and understand the effects of an operation – including unintended ones – before conducting it. When planning a cyber attack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians, and stop the attack if the harm to civilians risks being excessive. If you have gained access to an operating system but you do not understand the possible consequences of your operation, or realize that the harm to civilians risks being excessive, stop the attack.

4. Do not conduct any cyber operation against medical and humanitarian facilities.

Hospitals or humanitarian relief organizations must never be targeted. 

5. Do not conduct any cyber attack against objects indispensable to the survival of the population or that can release dangerous forces.

In international humanitarian law, objects containing dangerous forces are defined as ‘dams, dykes and nuclear electrical generating stations’; in reality, however, chemical and similar plants also contain dangerous forces. Objects indispensable for the survival of the civilian population include, among others, drinking water installations or irrigation systems.

6. Do not make threats of violence to spread terror among the civilian population.

For example, hacking into communication systems to publish information designed primarily to spread terror among civilian populations is prohibited. Likewise, designing and spreading graphic content to spread terror among civilians in order to make them flee is unlawful.

7. Do not incite violations of international humanitarian law.

Do not encourage or enable others to conduct cyber or other operations against civilians or civilian objects. For example, do not share technical details in communication channels to facilitate attacks against civilian institutions. 

8. Comply with these rules even if the enemy does not.

Revenge or reciprocity are no excuses for violations of international humanitarian law.

More detailed positions of the International Committee of the Red Cross on IHL and cyber operations are available here and here

Four obligations of States to restrain civilian hackers

States should not encourage or tolerate civilian hackers conducting cyber operations in the context of an armed conflict. 

States have undertaken to respect and to ensure respect for IHL. With regard to civilian hackers, this legal commitment means at least four things:

If civilian hackers act under the instruction, direction or control of a State, that State is internationally legally responsible for any conduct of those individuals that is inconsistent with the State’s international legal obligations, including international humanitarian law (see here, article 8, and here). For instance, if a State uses private individuals or groups as “volunteers” and instructs them to carry out particular cyber operations in disregard of international law, the State is legally responsible for such violations (see here, para. 2 on article 8).

States must not encourage civilians or groups to act in violation of international humanitarian law (see here, para. 220). Concretely, this means that State agents – be they military, intelligence, or any other government actor – are prohibited from encouraging civilians or groups to, for example, direct cyber attacks against civilian objects, irrespective of which channel or app is used to do so. 

States have a due diligence obligation to prevent international humanitarian law violations by civilian hackers on their territory (see here, para. 183). Of course, a State cannot prevent all violations of the law. However, it must take feasible measures, such as taking public positions requiring civilian hackers not to conduct cyber operations in relation to armed conflicts and to respect IHL if they do, and suppressing violations under national law.

States have an obligation to prosecute war crimes and take measures necessary to suppress other IHL violations (article 49/50/129/146 GCI-IV; article 85 Additional Protocol I). This requires, first, the adoption and enforcement of the necessary laws that criminalize cyber operations amounting to war crimes and, second, effective measures to stop all other violations of IHL, which may include legal, disciplinary, or administrative measures.