Red Cross issues rules of engagement for hackers in conflicts

The International Committee of the Red Cross (ICRC) has created the first ever “rules of engagement” for civilian hackers operating in conflict zones.

The ICRC said that while civilian hackers operating in armed conflicts is nothing new, the outbreak of war between Russia and Ukraine has pushed their involvement to “unprecedented proportions”.

It warned in a blog published by the European Journal of International Law that civilian hackers risk harming other non-combatants through their targeting of various “civilian objects”, including pharmacies, hospitals, railway network and citizen-facing government services, as well as exposing themselves and the people close to them to military operations by getting involved in hostilities.

It further warned that, the more civilians take an active part in warfare, the more the line blurs between who is a civilian and who a combatant.

“Under [International Humanitarian Law] IHL, civilians must not be attacked unless and for such time as they directly participate in hostilities. Conducting cyber attacks against military or civilian targets can amount to such ‘participation in hostilities’ and risks making civilian hackers liable to attacks,” wrote Tilman Rodenhäuser, an ICRC legal adviser; and Mauro Vignati, an ICRC adviser on new digital technologies of warfare in the blog.

In response to the “worrying trend” of civilian hackers becoming increasingly involved in inter-state conflict, the ICRC – which is responsible for overseeing and monitoring the rules of war – has outlined eight rules to in an attempt to clarify permissible behaviour in cyber space.

The rules include banning direct attacks on civilian objects; not using malware or other tools and techniques that spread automatically and damage military objectives and civilian objects indiscriminately; doing everything feasible to minimise the impact of cyber attacks on civilians; and not conducting any cyber operations against medical or humanitarian facilities.

Other rules include not conducting any cyber attacks against objects indispensable to the survival of the population; not making threats of violence to spread terror among the civilian population; and to not incite violations of international law.

The ICRC’s final rule is that hackers should follow the seven other rules, even if the enemy does not.

It added: “States should not encourage or tolerate civilian hackers conducting cyber operations in the context of an armed conflict.” This entails adopting and enforcing national laws that regulate civilian hacking.

“If civilian hackers act under the instruction, direction or control of a state, that state is internationally legally responsible for any conduct of those individuals that is inconsistent with the state’s international legal obligations, including international humanitarian law,” it said.

In March 2022, soon after the Russian invasion, the Ukrainian government led on the creation of a volunteer IT army to conduct cyber attacks against Russian targets, including businesses and government bodies.

Responding to the ICRC rules, a spokesperson for the IT army told the BBC it had not decided whether to implement them, noting that while it has already banned attacks on healthcare-related targets, wider impact on civilians was unavoidable.

“Adhering to the rules can place one party at a disadvantage,” they said.

Representatives from three other groups – the Anonymous collective, Anonymous Sudan, and the Russian-aligned KillNet group – told the BBC that they have no intention of following the rules, or that breaking them was otherwise unavoidable.

Commenting on the rules, Matt Hull, global head of threat intelligence at the NCC Group, said that geopolitical tensions and conflicts have been increasingly spilling over in the digital realm over the last decade.

“We’re seeing nations engage in cyber espionage, information warfare and cyber attacks. They often sponsor hacker groups to advance attacks against ‘adversaries’ to steal sensitive information, disrupt critical infrastructure or even cause physical damage – like the Predatory Sparrow attack against an Iranian steel mill last year,” he said.

“This is putting everyday people at risk of being caught in the ‘crossfire’ of cyber activity, and it is already having a devastating impact on civilians. These rules of engagement are therefore a useful step forward from the Red Cross in signaling that conflicts are no longer just confined to the physical realm.”

However, he noted that while the rules are a positive step in the right direction, further action is needed to protect against the risk of geopolitically-motivated cyber activity.

“Forming global alliances and partnerships to share threat intelligence, collaborate on cyber security research and respond collectively to threats should be considered a priority,” he said.

“Similarly, governments and authorities should have the continuity of critical services and protection against potentially catastrophic cyber incidents as a number one priority, to mitigate the impact of cyber activity that has a civilian impact.”