Civilian hackers blur the lines of modern conflict

Hackers must be aware of their legal obligations in war
Main Top Image
This image was created with the help of Midjourney

Digital technology is changing how militaries conduct war, giving rise to a worrying trend: civilians taking part in armed conflicts through digital means. Examples of civilian hackers operating in the context of armed conflicts are diverse and many (see here, here, here).  Yet civilian hackers using their skills against the information infrastructure of governments is even older than those examples, going back two decades. 

The first civilian hackers

Back in January 1999, an international coalition of hackers—among them the Cult of the Dead Cow and the Computer Chaos Club—signed a statement condemning the decision by the hacker group Legion of the Underground to declare “war” against several governments. The Legion of the Underground wanted to disrupt and disable internet infrastructures in these countries, citing allegations of human rights violations and other repressive measures as their justification.

This was likely the first statement of its kind. The coalition of hackers “strongly oppose[d] any attempt to use the power of hacking to threaten or destroy the information infrastructure of a country, for any reason”. In its statement, the coalition stressed that “declaring war against a country is the most irresponsible thing a hacker group can do. […] If hackers solicit recognition as paramilitary factions, then hacking in general will be seen as an act of war. Ergo, hackers will be viewed as legitimate targets of warring states.”

A quarter century later, an unprecedented number of hacktivists can now be observed in every major conflict. The current trends suggest a trivialisation of hacktivism, including during armed conflict. There is a certain gamification of offensive operations: civilians conducting offensive cyber operations track the progress of their activities and their ‘achievements’ through personalised statistics, like in a videogame, with a ranking of the ‘best hackers’. 

But war is not a game. The danger of damage and harm to people is real. Civilian hackers face significant risks and must be aware of the prohibitions and obligations to which they are legally bound once they enter an armed conflict.

A growing phenomenon

Many civilian hackers probably do not understand the consequences of their actions. With automated and ‘off the shelf’ hacking tools, people without any real knowledge of cyberspace can participate in offensive operations, facilitated by the provision of simple interfaces, click-and-attack buttons, and cloud-based offensive services. 

A civilian hacker may know they are participating in a distributed denial of service (DDoS) operation, which can result in the suspension of a service—most commonly taking a website offline. Yet a DDoS operation can also be engineered to disrupt significant civilian infrastructure: the IT system of a hospital, an industrial system, a payment system, or a server managing public transportation. When given a target in the form of an IP address, a novice hacker may not even be aware what the IP address represents. 

Several experts argue that DDoS attacks are low-level cyber operations. They are considered inferior because they are easier to execute compared to advanced persistent threats—inferior and therefore less dangerous. Yet often the DDoS attack’s targets, consequences, and impact on civilians are not well understood. Just because DDoS is a category of operations that can be deployed without much technical skill does not mean it is less dangerous. If an offensive operation degrades or disrupts a connected digital asset, or results in injury or death, it is harmful, regardless of the ease of execution. We have recently observed the extensive use of such operations against civilian infrastructure, data, or other objects. 

New challenges and risks

The phenomenon of civilian hackers conducting cyber operations during an armed conflict is concerning for at least three reasons.

First, civilian hackers can cause harm to civilian populations, either by targeting civilian infrastructure, data, or other objects directly, or by damaging them incidentally. Direct targeting of civilian objects violates the principle of distinction, a cardinal principle of international humanitarian law (IHL). 

Second, civilian hackers risk exposing themselves and people close to them to military operations. This means that the computers and digital infrastructure they use could become military targets under IHL and lose their protection under that body of law. Civilian hackers may also be prosecuted for their conduct. They do not enjoy any legal immunity, not even for operations that comply with the laws of war.

Finally, the more civilians take an active part in warfare, the more the line blurs between who is a civilian and who is a combatant. As a result, the risk of harm to civilians grows.

Respect the rules

To prevent or reduce the harm caused to civilians, and to inform civilian hackers of the risks they take, Tilman Rodenhäuser and I recently published ‘8 rules for civilian hackers during war, and 4 obligations for states to restrain them’. We must be clear: cyberspace is not a lawless space. 

In times of armed conflict, international humanitarian law (IHL) provides a universally agreed set of rules that aims to safeguard civilians and combatants who are no longer able to fight. 

IHL does not prohibit ‘hacking’ as such, and it does not prohibit civilians from conducting cyber operations against military objectives. However, it does set out foundational considerations for the protection of civilians. These are obligations that everyone must respect, and which exist irrespective of the reasons for the conflict, whose goals are legitimate, or whether an operation is conducted in offence or defence. If a civilian participates in hostilities, they must comply with IHL. This applies to cyber operations, too.

Some observers have referred to the rules spelled out in our blog post as the ‘8 Commandments of the Red Cross’, the ‘Geneva Code of Cyber War’, or the ‘Red Cross Hacker Geneva Convention’. Yet these rules are neither new nor issued by us or by the ICRC. They are based on, and give expression to, IHL prohibitions and obligations. They are not voluntary or optional, but legally binding. Those rules are:

  1. Do not direct cyberattacks against civilian objects.
  2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.
  3. When planning a cyberattack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians.
  4. Do not conduct any cyber operations against medical and humanitarian facilities.
  5. Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces.
  6. Do not make threats of violence to spread terror among the civilian population.
  7. Do not incite violations of international humanitarian law.
  8. Comply with these rules even if the enemy does not.

IHL sets out essential rules to limit the effects of armed conflicts on civilians. No one who participates in armed conflict is beyond these rules. Every hacker who conducts operations in the context of an armed conflict must respect them—and states must ensure this is the case—to protect civilian populations against harm. In the words of the coalition of hackers’ 1999 declaration: “The signatories to this statement are asking hackers to reject all actions that seek to damage the information infrastructure of a country. Do not support any acts of cyberwar. Keep the networks of communication alive. They are the nervous system for human progress”.

Terms & Conditions

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by the European Cyber Conflict Research Incubator (“ECCRI CIC”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 15 December 2024, 00:00 am CET., through the official submission portal provided by ECCRI CIC.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants ECCRI CIC exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

ECCRI CIC, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify ECCRI CIC, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

ECCRI CIC reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond ECCRI CIC’s reasonable control impairs the integrity or proper functioning of the Competition, as determined by ECCRI CIC in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, ECCRI CIC reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.