We live in an age of state-sponsored cyber warfare, one where conflicts have a parallel and intangible digital battlefield. The most obvious manifestation of this is propaganda, good old information warfare, with things like photos, videos and records being obtained and then framed and circulated online. The other side of it—concentrated cyber attacks on infrastructure, hacks of enemy equipment and forces, doomsday viruses like Stuxnet—the public never sees outside of vague news reports.
Russia's invasion of Ukraine has turbo-charged another aspect to this: civilian hacker groups, sometimes called hacktivists, who are able to get involved in a conflict from anywhere. The International Committee of the Red Cross (ICRC) reckons that this particular conflict has seen unprecedented numbers of civilian hackers get involved and, for the first time, has published rules of engagement for cyber warfare.
There are eight rules, including a ban on attacking hospitals, a ban on threatening civilians, and the production of computer viruses that spread uncontrollably. The rules are rooted in international humanitarian law and are:
- Do not direct cyber-attacks against civilian objects
- Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately
- When planning a cyber-attack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians
- Do not conduct any cyber-operation against medical and humanitarian facilities
- Do not conduct any cyber-attack against objects indispensable to the survival of the population or that can release dangerous forces
- Do not make threats of violence to spread terror among the civilian population
- Do not incite violations of international humanitarian law
- Comply with these rules even if the enemy does not
The ICRC warns hackers risk not only threatening the lives of others but making themselves legitimate military targets. ICRC legal adviser Dr Tilman Rodenhäuser says:
"Some experts consider civilian hacking activity as 'cyber-vigilantism' and argue that their operations are technically not sophisticated and unlikely to cause significant effects. However, some of the groups we're seeing on both sides are large and these 'armies' have disrupted [...] banks, companies, pharmacies, hospitals, railway networks and civilian government services."
Unfortunately, the very nature of civilian hacking collectives means there is a diaspora of targets for such guidance, no guarantees anyone will abide by them, and the last rule in particular—"Comply with these rules even if the enemy does not"—has a slight whiff of desperation. The BBC highlights the IT Army of Ukraine, which has 160,000 members on its Telegram channel and has targeted Russian civilian infrastructure among other targets. It told BBC News it hadn't decided whether to implement the rules, emphasised it did not attack medical targets, and added "Adhering to the rules can place one party at a disadvantage."
The Russian cyber group Killnet's leader, Killmilk, had an even more stark response: "Why should I listen to the Red Cross?"
Whether it's called cybercrime or hacktivism, the presence of civilian attackers in digital warfare is an increasingly prominent element of conflicts, and they don't operate by any military code: though of course many choose to adhere to certain humanitarian principles. Perhaps a bigger problem than what groups choose to do, however, is their ability to control it and limit collateral damage, which seems an impossible task. And there's the simple fact that, with some of the red Cross's rules, they rub up against goals that hackers may well have set themselves: all is fair, as they say, in love and war. Or as ESET global cybersecurity manager Jake Moore puts it, "Being able to act in war under an invisibility cloak adds a dimension that sets up rules to fail."