The International Committee of the Red Cross (ICRC) has, for the first time, published rules of engagement for civilian computer hackers who become actively involved in cyberwarfare.
The ICRC believes that digital technology is impacting the ways that armies conduct war in the 21st century. Because of this an article in the European Journal of International Law (EJIL) written by Tilman Rodenhäuser, a legal adviser, and Mauro Vignati, an advisor on digital technologies in warfare, at the ICRC outlines the need for rules analogous to the Laws of Armed Conflict – defined in the four Geneva Conventions and their three additional protocols.
The Red Cross has identified that many of these cyber-attacks are increasingly impacting non-military targets including hospitals, banks, businesses, pharmacies, railway networks, and civilian government services.
This sort of attack not only hurts those not involved in a war but could make opposing forces view the hackers as legitimate military targets. The ICRC believes that the states in which these groups are based must do more to control and regulate their activities.
It has published rules of engagement to clarify what should be off-limits to civilian hackers in cyberspace; the basis of which is existing International Humanitarian Law. The eight new rules are:
· Do not direct cyber-attacks against civilian objects;
· Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately;
· When planning a cyber-attack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians;
· Do not conduct any cyber-operation against medical and humanitarian facilities;
· Do not conduct any cyber-attack against objects indispensable to the survival of the population or that can release dangerous forces;
· Do not make threats of violence to spread terror among the civilian population;
· Do not incite violations of international humanitarian law;
· Comply with these rules even if the enemy does not.
The ICRC’s intervention comes as offensive activity from both Russian and Ukrainian groups has escalated since the war started. They specifically mention the so-called “IT Army of Ukraine,” which boasts tens of thousands of members on its Telegram channel.
Commentators suspect that the ICRC’s call will continue to be ignored as hacktivist activities such as distributed denial-of-service (DDoS) attacks, website vandalism, malware attacks and other hacking attempts have proved useful in disrupting the enemy way of life as well as providing useful propaganda tools.
Jake Moore, the cybersecurity advisor, for the ESET digital security company argues that the rules will be ignored because of the problems involved in attributing attacks to specific groups, many of whom hide behind their anonymity:
“…being able to act in war under an invisibility cloak adds a dimension that sets up rules to fail,” he said.
“Furthermore, the way some targets are chosen in cybercrime means there is often collateral damage miles away simply due to how the networks are set up and which third parties are used.”
NATO has been struggling with this issue for over ten years but from the other side of the argument. The so-called Tallinn Manuals endeavor to itemize at what point the effects of a cyber-attack become comparable to a conventional “kinetic” attack under which the existing laws of war can justify an armed or other response. The third revision is currently being prepared which will hopefully provide the definitive solution that has so far proved elusive.
You can also highlight the text and press Ctrl + Enter