In a recent essay published by the European Journal of International Law, the International Committee of the Red Cross (ICRC) has released guidelines for hacktivists. These guidelines aim to extend existing international norms of armed conflict and international humanitarian law to the realm of cyberspace. The ICRC hopes to preserve norms that protect noncombatants from attacks on vital infrastructure as well as from online incitement to atrocity. The authors of the essay, Tilman Rodenhäuser and Mauro Vignati, both legal advisers at the ICRC, are concerned about the growing trend of civilians participating in wars through offensive actions in cyberspace.
The ICRC points to various examples of hacktivism during recent conflicts to illustrate this trend. Grass-roots hacktivists from Greece attacked Azerbaijan government sites in support of Armenia during the conflict over Nagorno-Karabakh. The Anonymous campaign counteracting the Islamic State is another instance of hacktivism. The Syrian Electronic Army, acting on behalf of the Assad regime, and hacktivist auxiliaries involved in Russia’s war against Ukraine are also mentioned as examples. These cases demonstrate how civilians have taken up cyber warfare as a means of participating in conflicts.
To address this situation, the ICRC proposes eight rules for hacktivists. These rules are extensions of regulations that encompass the principle of discrimination, protecting noncombatants and non-military targets from attacks, and the principle of proportionality, aiming to limit damage and suffering to the minimum required by military necessity. The guidelines state that hacktivists must not direct cyber attacks against civilian objects, which include infrastructure, public services, companies, private property, and potentially civilian data. This prohibition does not extend to military objectives, which are primarily the physical and digital infrastructure of a warring party’s military.
The guidelines also advise hacktivists against using malware or tools and techniques that spread automatically and indiscriminately damage both military objectives and civilian objects. This ensures that attacks are carefully planned and conducted to avoid or minimize harm to civilians. Hacktivists are also explicitly prohibited from targeting medical and humanitarian facilities, objects indispensable to the survival of the population, and from inciting violence to spread terror among civilian populations.
Furthermore, the ICRC emphasizes that hacktivists should not encourage or enable others to violate international humanitarian law, even if the enemy does so. They must also comply with these rules, regardless of whether reciprocity is observed. The ICRC emphasizes that revenge or reciprocity cannot excuse violations of international humanitarian law.
Aside from offering guidelines for hacktivists, the ICRC also outlines four rules for states. Since hacktivists operate within physical territories, they are subject to the jurisdiction of a particular state. Hence, states are responsible for preventing their territories from being used for actions that violate international law. The ICRC asserts that states must bear the responsibility of any conduct by civilian hackers that goes against their international obligations. States should not encourage civilians or groups to act in violation of international humanitarian law and have a duty to prevent such violations by civilian hackers. Finally, the ICRC states that states have an obligation to prosecute war crimes and suppress other violations of international humanitarian law.
The ICRC’s essay also highlights the legal implications of hacktivism. Hacktivists are seen as irregular combatants who can be treated as combatants or, under certain circumstances, as criminals. It is important to note that irregular combatants can lose the protection against cyber and physical attacks and may face criminal prosecution if they directly participate in hostilities through cyber means. The essay reiterates that hacktivism will be subject to the rules of armed conflict, similar to how irregular forces such as guerrillas and partisans have been regulated since World War II.
In conclusion, the ICRC’s guidelines for hacktivists aim to address the growing trend of civilians participating in wars through offensive actions in cyberspace. These guidelines extend existing international norms of armed conflict and humanitarian law to the digital realm and strive to protect noncombatants and essential infrastructure. Simultaneously, the guidelines remind states of their responsibilities in preventing violations of international law and prosecuting war crimes. As hacktivism continues to evolve, it is essential to adapt legal frameworks to address the challenges posed by cyber warfare.