Civilian hackers blur the lines of modern conflict

Digital technology is changing how militaries conduct war, giving rise to a worrying trend: civilians taking part in armed conflicts through digital means. Examples of civilian hackers operating in the context of armed conflicts are diverse and many (see here, here, here).  Yet civilian hackers using their skills against the information infrastructure of governments is even older than those examples, going back two decades. 

The first civilian hackers

Back in January 1999, an international coalition of hackers—among them the Cult of the Dead Cow and the Computer Chaos Club—signed a statement condemning the decision by the hacker group Legion of the Underground to declare “war” against several governments. The Legion of the Underground wanted to disrupt and disable internet infrastructures in these countries, citing allegations of human rights violations and other repressive measures as their justification.

This was likely the first statement of its kind. The coalition of hackers “strongly oppose[d] any attempt to use the power of hacking to threaten or destroy the information infrastructure of a country, for any reason”. In its statement, the coalition stressed that “declaring war against a country is the most irresponsible thing a hacker group can do. […] If hackers solicit recognition as paramilitary factions, then hacking in general will be seen as an act of war. Ergo, hackers will be viewed as legitimate targets of warring states.”

A quarter century later, an unprecedented number of hacktivists can now be observed in every major conflict. The current trends suggest a trivialisation of hacktivism, including during armed conflict. There is a certain gamification of offensive operations: civilians conducting offensive cyber operations track the progress of their activities and their ‘achievements’ through personalised statistics, like in a videogame, with a ranking of the ‘best hackers’. 

But war is not a game. The danger of damage and harm to people is real. Civilian hackers face significant risks and must be aware of the prohibitions and obligations to which they are legally bound once they enter an armed conflict.

A growing phenomenon

Many civilian hackers probably do not understand the consequences of their actions. With automated and ‘off the shelf’ hacking tools, people without any real knowledge of cyberspace can participate in offensive operations, facilitated by the provision of simple interfaces, click-and-attack buttons, and cloud-based offensive services. 

A civilian hacker may know they are participating in a distributed denial of service (DDoS) operation, which can result in the suspension of a service—most commonly taking a website offline. Yet a DDoS operation can also be engineered to disrupt significant civilian infrastructure: the IT system of a hospital, an industrial system, a payment system, or a server managing public transportation. When given a target in the form of an IP address, a novice hacker may not even be aware what the IP address represents. 

Several experts argue that DDoS attacks are low-level cyber operations. They are considered inferior because they are easier to execute compared to advanced persistent threats—inferior and therefore less dangerous. Yet often the DDoS attack’s targets, consequences, and impact on civilians are not well understood. Just because DDoS is a category of operations that can be deployed without much technical skill does not mean it is less dangerous. If an offensive operation degrades or disrupts a connected digital asset, or results in injury or death, it is harmful, regardless of the ease of execution. We have recently observed the extensive use of such operations against civilian infrastructure, data, or other objects. 

New challenges and risks

The phenomenon of civilian hackers conducting cyber operations during an armed conflict is concerning for at least three reasons.

First, civilian hackers can cause harm to civilian populations, either by targeting civilian infrastructure, data, or other objects directly, or by damaging them incidentally. Direct targeting of civilian objects violates the principle of distinction, a cardinal principle of international humanitarian law (IHL). 

Second, civilian hackers risk exposing themselves and people close to them to military operations. This means that the computers and digital infrastructure they use could become military targets under IHL and lose their protection under that body of law. Civilian hackers may also be prosecuted for their conduct. They do not enjoy any legal immunity, not even for operations that comply with the laws of war.

Finally, the more civilians take an active part in warfare, the more the line blurs between who is a civilian and who is a combatant. As a result, the risk of harm to civilians grows.

Respect the rules

To prevent or reduce the harm caused to civilians, and to inform civilian hackers of the risks they take, Tilman Rodenhäuser and I recently published ‘8 rules for civilian hackers during war, and 4 obligations for states to restrain them’. We must be clear: cyberspace is not a lawless space. 

In times of armed conflict, international humanitarian law (IHL) provides a universally agreed set of rules that aims to safeguard civilians and combatants who are no longer able to fight. 

IHL does not prohibit ‘hacking’ as such, and it does not prohibit civilians from conducting cyber operations against military objectives. However, it does set out foundational considerations for the protection of civilians. These are obligations that everyone must respect, and which exist irrespective of the reasons for the conflict, whose goals are legitimate, or whether an operation is conducted in offence or defence. If a civilian participates in hostilities, they must comply with IHL. This applies to cyber operations, too.

Some observers have referred to the rules spelled out in our blog post as the ‘8 Commandments of the Red Cross’, the ‘Geneva Code of Cyber War’, or the ‘Red Cross Hacker Geneva Convention’. Yet these rules are neither new nor issued by us or by the ICRC. They are based on, and give expression to, IHL prohibitions and obligations. They are not voluntary or optional, but legally binding. Those rules are:

1. Do not direct cyberattacks against civilian objects.
2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.
3. When planning a cyberattack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians.
4. Do not conduct any cyber operations against medical and humanitarian facilities.
5. Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces.
6. Do not make threats of violence to spread terror among the civilian population.
7. Do not incite violations of international humanitarian law.
8. Comply with these rules even if the enemy does not.

IHL sets out essential rules to limit the effects of armed conflicts on civilians. No one who participates in armed conflict is beyond these rules. Every hacker who conducts operations in the context of an armed conflict must respect them—and states must ensure this is the case—to protect civilian populations against harm. In the words of the coalition of hackers’ 1999 declaration: “The signatories to this statement are asking hackers to reject all actions that seek to damage the information infrastructure of a country. Do not support any acts of cyberwar. Keep the networks of communication alive. They are the nervous system for human progress”.