Red Cross releases ethical guidelines for hacktivists in war

The International Committee of the Red Cross (ICRC) has released the first-ever ethical guidelines for civilian hackers — or hacktivists — engaged in armed conflicts.

The organization asks hacktivists to comply with eight “humanitarian law-based rules” to protect themselves and avoid harming others.

The ICRC said that international humanitarian law doesn’t prohibit hacking military targets during armed conflicts, but those involved in such operations must adhere to basic humanitarian principles.

According to the guidelines, hacktivists shouldn't target civilian objects or deploy malware that can impact both military and civilian infrastructure.

“Stop the attack if the harm to civilians risks being excessive,” one of the rules said.

Certain targets, like medical and humanitarian facilities, drinking water systems, and hazardous plants “must never be targeted.” The ICRC also urges hackers not to threaten civilians or attempt to enlist other hackers in the cause.

“Civilian hackers must comply with these rules even if their enemy does not,” the guideline said.

Worrying trend

Hacktivism has played a role in armed conflicts and political turmoil for many decades, from the late '90s when Cult of the Dead Cow hackers helped Chinese citizens access blocked websites, to the current cyberwar between Ukraine and Russia.

The ICRC says that civilian involvement in digital attacks during armed conflicts has reached an "unprecedented” level.

“Sitting at some distance from physical hostilities, including outside the countries at war, civilians are conducting a range of cyber operations against their ‘enemy’,” the organization said.

However, this involvement comes with risks. It not only can harm civilians but also make these hacktivists legitimate targets for attacks — whether by bullets and missiles or through cyber operations — as their adversaries see them as directly engaging in hostilities.

Additionally, the more civilians engage in warfare, the harder it becomes to distinguish between civilians and combatants. “As a result, the risk of harm to civilians grows,” the ICRC said.

Unlikely impact

In the ongoing cyber war between Ukraine and Russia, none of the sorts of rules proposed by ICRC have been followed. The anonymity of cyberattacks and the lack of cyber regulations make it easy to avoid responsibility and to break international humanitarian law.

Ukraine is actively pushing for Russian cybercrimes to be classified as war crimes, as many of these attacks cause harm to civilian infrastructure, including energy facilities and telecommunication services.

At the same time, Ukrainian state officials praise the achievements of its own hacktivists and openly encourage tech-savvy citizens to join their ranks.

The ICRC's guidelines state that the governments should not promote or accept civilian hackers engaging in cyber operations. Instead, they should create and enforce national laws governing civilian hacking. “Cyberspace is not a lawless space – even wars have limits,” the ICRC said.

In Ukraine, discussions regarding the potential regulation or legalization of various Ukrainian volunteer cyber groups haven't yet yielded any results, as this would require changes to both the Ukrainian criminal code and international law.

There are still no clear rules that would allow a state to respond to a cyberattack in the same way as to a physical attack, Natalia Tkachuk, head of the Information Security and Cybersecurity Service said in an interview in December.

For example, there has been much debate over whether Albania should invoke NATO’s Article 5 in response to a cyberattack by Iran, drawing all NATO member states into a confrontation with Tehran.

Even if governments choose to respond to these attacks or prosecute the cybercriminals behind them, their abilities are constrained because it's difficult to attribute the attacks to specific individuals.

The easiest way to uncover the people behind cyberattacks is by intercepting their conversations or obtaining leaked documents. In 2021, Ukraine identified eight members of the Russian hacker group Armageddon by listening to their calls, but this is not a common practice.