The International Committee of the Red Cross (ICRC) has released a set of rules for hacktivists and other online participants of conflict to follow to remain in accordance with international humanitarian law in times of war. The rules are interpretations of existing humanitarian law, but for the cyber battlefield, the ICRC says. They have been written specifically to protect civilians’ crucial access to information and to notify hacktivists of the dangers of engaging in warfare.
Researchers at the Red Cross hope that the move will start a conversation that will explore and encourage new ways to promote safety in the cyber domain. “It’s not just law, it’s norms of behaviour, it’s education, it’s morality,” says Alexi Drew, technology and policy advisor at the international committee of the Red Cross.
The rules released today in the European Journal of International Law have been written to protect civilians from illicit cyber activity on behalf of a warring nation, as well as to highlight the dangers of participating in such an activity for hacktivists and other cybercriminal organisations.
“In the adversary’s eyes, and depending where the hacker sits, they may be attacked – by bullet, missile, or cyber operation,” the ICRC says. “Cyberspace is not a lawless space – even wars have limits.”
Eight rules have been released to guide those engaging in vigilante online warfare into participating in a way that does not undermine international human rights law. They command hacktivists not to direct cyberattacks against civilian objects, or to use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.
Hacktivists planning a cyberattack against a military objective should “do everything feasible to avoid or minimise the effects your operation may have on civilians”, and not “conduct any cyber operation against medical and humanitarian facilities” or “objects indispensable to the survival of the population or that can release dangerous forces”.
They also ban making threats of violence to spread terror among the civilian population and inciting violations of international humanitarian law. Hacktivists should always comply with these rules even if the enemy does not, the ICRC says.
Several hacktivist attacks have taken place during the war in Ukraine that made life difficult for civilians fleeing the conflict. DDoS attacks have regularly been carried out by hackers supporting both Russia and Ukraine, including an incident last week when the Ukraine IT Army group managed to cripple flights in and out of Moscow.
Away from Ukraine, the wave of protests in Iran triggered by the death of 21-year-old Mahsa Amini at the hands of Iranian police included a hacktivist attack on the online systems of the Atomic Energy Organisation of Iran, leaking sensitive data onto the dark web.
The start of a conversation about hacktivism?
The ICRC believes that hacktivist activity needs oversight to ensure that in the event of war or political unrest, civilians have access to safety, information and transport allowing them to escape as quickly as possible.
Though hacktivist groups usually claim to have altruistic intentions, the unintended consequences of their actions can be damaging. Last year the NSA’s Rob Joyce said that hacktivism in the Russia-Ukraine war was at times proving “problematic” for wider security efforts.
“The ability for an individual in a country to get accurate information from their government is important,” Drew says. “Fundamentals like where is safe, where can you get water and where can you get medical aid are critical.
“If we don’t have rules of the road that mean that those facilities and those sources of information are protected, then we risk armed conflict becoming even more harmful and dangerous to those caught up in it.”
Drew says the laws reflect an attempt to bring “norms of behaviour, education, morality [and] ethics” to the online battlefield. She adds: “All of these things together and more combined have historically created a situation where even in the midst of armed conflict, there are still boundaries that are not crossed.
“We just need to work out how we can translate those tools in that suite, into a more modern conflict that has these new dynamics – this is our attempt at starting to do that.”