There’s been plenty of debate about why Russia’s invasion of Ukraine never devolved into the full-blown cyber Armageddon many expected at the start of the war, and what that suggests about the role of cyber operations in kinetic warfare.
Yet, while the cyber elements of the conflict may not have played out as anticipated, Ukraine is still very much fighting a constant cyberwar. And one of the more surprising aspects of this battle has been the number of civilian hackers from all over the world who have joined in.
When Russia first invaded Ukraine, there was a free-for-all as volunteer hackers descended on the digital battlefield launching uncoordinated cyberattacks against both sides. These activities added further layers of chaos and disruption to the war as each side tried to figure out who was responsible for which attacks and how to respond appropriately and proportionally.
While Russia has long had notoriously close (if not direct) ties with various pro-Russian hacking groups and appears to be happy to let them run rampant, Ukraine rallied hackers on its side to come together as a volunteer force. The IT Army of Ukraine now has hundreds of thousands of members working together to coordinate cyber defences and direct cyberattacks in support of Ukraine’s military objectives.
However, the participation of these hackers on both sides has blurred the lines between civilians and combatants, creating a complex legal dilemma that is playing out in real time. The fog of war is hard enough without the extra confusion that arises when civilians in third countries launch cyberattacks against military assets or critical infrastructure like hospitals or energy facilities that could result in losses of innocent lives—let alone the potential for more significant attacks that could have even bigger consequences.
In an attempt to rein in the chaos surrounding the role of civilian hackers in the Russia–Ukraine conflict—as well as the broader rise of private actors joining other digital battlefields—last month the International Committee of the Red Cross issued eight rules for civilian hackers to follow during armed conflict. The rules are:
- Do not direct cyberattacks against civilian objects.
- Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.
- When planning a cyberattack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians.
- Do not conduct any cyber operation against medical and humanitarian facilities.
- Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces.
- Do not make threats of violence to spread terror among the civilian population.
- Do not incite violations of international humanitarian law.
- Comply with these rules even if the enemy does not.
In the same statement, the Red Cross also reminded states of their international legal obligations for civilian hackers—namely, that states are liable for hackers operating under their direction or operating in their territory or jurisdiction. States must also prevent breaches of international law and have obligations to stop and prosecute activity taking place within their territory.
Neither the rules for hackers nor the reminders for states are new or revolutionary—they draw on established international law and an enormous body of work on how international law applies to cyberspace. However, they do distil this work into clear and simple language that’s easy to understand.
The voluntary principles for both hackers and states also reflect an acknowledgement of the evolving nature of warfare and the necessity to uphold humanitarian principles, regardless of the domain in which hostilities occur. The rules apply to all armed conflicts—not just the Russia–Ukraine war—signifying a recognition of the permanent and growing role that cyber operations and civilians play in modern warfare. They also seek to draw attention to the risks civilian hackers bring upon themselves by participating in armed conflict.
Ideally, these rules would result in hacking groups restricting their activities to official or military targets rather than civilian infrastructure, which in turn would dramatically reduce the number of destructive cyberattacks that affect non-combatants.
However, the effectiveness of these rules ultimately hinges on the hacking community’s adherence to them. This raises a crucial question: will civilian hackers abide by this new ‘Geneva code’?
It’s not clear that they will. Hackers’ initial reactions to the rules were negative. The pro-Russia Killnet group asked why it would listen to the Red Cross, while Ukrainian hackers voiced concerns about being at a disadvantage if they followed the rules, given that pro-Russian groups frequently violate the principles. Killnet and the IT Army of Ukraine have both now committed to adhering to these rules. Other hacktivist groups around the world have said they won’t.
Indeed, despite the rules’ release, within hours of Hamas launching its devastating attack on Israel last month, civilian hackers had joined the conflict on both sides. This activity has continued and there has been a rise in hacking tied to states such as Russia and Iran.
While the decentralised and often anonymous nature of hacking makes enforcement a challenge, the Red Cross’s initiative is ultimately still a significant and welcome step towards establishing a normative framework for civilian engagement in cyber operations during armed conflicts.