The International Committee of the Red Cross (ICRC) has published a new set of rules urging hacktivists to abide by international humanitarian law in times of conflict.
Writing in the European Journal of International Law (EJIL), the ICRC warned that cyber-attacks carried out by civilians during wartime are increasingly causing disruption to non-military targets such as hospitals, pharmacies and banks – impacting blameless members of society.
Such attacks could also mean hacktivists are putting themselves in danger by signalling to opposing forces that they are a legitimate military target, the non-profit added.
The ICRC is therefore asking governments to limit this hacktivist activity. It published new rules of engagement in cyberspace to clarify what should be off-limits to civilian hackers:
- Do not direct cyber-attacks against civilian objects
- Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately
- When planning a cyber-attack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians
- Do not conduct cyber-operations against medical and humanitarian facilities
- Do not conduct cyber-attacks against objects indispensable to the survival of the population or that can release dangerous forces
- Do not make threats of violence to spread terror among the civilian population
- Do not incite violations of international humanitarian law
- Comply with these rules even if the enemy does not
The ICRC’s intervention is seen as a response to the escalating offensive activity coming from both pro-Russia groups and the IT Army of Ukraine – which has tens of thousands of members on its Telegram channel.
However, it’s unlikely that the ICRC’s calls will be heard, as web defacements, DDoS attacks and other hacktivist efforts are a useful propaganda tool for nations involved in conflict, which also goes some way to disrupting the enemy’s way of life.
Several groups the BBC spoke to said they had no intention of following the ICRC’s rules.
ESET global cybersecurity advisor, Jake Moore, argued that the difficulty of attributing attacks means the rules will probably be ignored.
“The enhancement of being able to act in war under an invisibility cloak adds a dimension that sets up rules to fail,” he said. “Furthermore, the way some targets are chosen in cybercrime means there is often collateral damage miles away simply due to how the networks are set up and which third parties are used.”