The International Committee of the Red Cross (ICRC) has issued a first-of-its-kind set of rules of engagement for civilian hackers in conflicts.

The organisation released the rules this week in the wake of unprecedented numbers of civilians joining patriotic cyber-gangs since the Russian invasion of Ukraine.

The ICRC statement says that patriotic hacking has risen over the past decade, and highlights pro-Syrian cyber-attacks on Western news media in 2013 as an example.

In that series of incidents, the Syrian Electronic Army claimed responsibility for a host of attacks against organisations such as the BBC, The Guardian, France 24 TV, al-Jazeera, the government of Qatar, Sepp Blatter (the then president of Fifa), and National Public Radio in the United States.

A spokesperson for the ICRC commented that:

Some experts consider civilian hacking activity as ‘cyber-vigilantism’ and argue that their operations are technically not sophisticated and unlikely to cause significant effects. However, some of the groups we’re seeing on both sides are large and these ‘armies’ have disrupted… banks, companies, pharmacies, hospitals, railway networks and civilian government services.

Governments need to act

The ICRC is also imploring governments to restrain hacking and enforce existing laws.

The Ukraine conflict has blurred the boundaries between civilian and military hacking, with civilian groups such as the IT Army of Ukraine being set up and encouraged by the government to attack Russian targets.

The IT Army of Ukraine, which has 160,000 members on its Telegram channel, also targets public services such as railway systems and banks.

Eight rules

Based on international humanitarian law, the rules are:

  1. Do not direct cyber-attacks against civilian objects
  2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately
  3. When planning a cyber-attack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians
  4. Do not conduct any cyber-operation against medical and humanitarian facilities
  5. Do not conduct any cyber-attack against objects indispensable to the survival of the population or that can release dangerous forces
  6. Do not make threats of violence to spread terror among the civilian population
  7. Do not incite violations of international humanitarian law
  8. Comply with these rules even if the enemy does not

Non-compliance

The BBC has reached out to a number of hacktivist groups, most of whom say that they will not comply with the rules set by the ICRC.

A spokesperson for Russian gang KillNet said “Why should I listen to the Red Cross?”, whereas a spokesperson for the group Anonymous Sudan said that the new rules were “not viable and that breaking them for the group’s cause is unavoidable”.

A member of the Anonymous collective also told BBC News it had “always operated based on several principles, including rules cited by the ICRC”, but had now lost faith in the organisation and would not be following its new rules.