Red Cross lays down hacktivism law as Ukraine war rages on – Source: go.theregister.com

New guidelines have been codified to govern the rules of engagement concerning hacktivists involved in ongoing cyber warfare.

The International Committee of the Red Cross (ICRC), the humanitarian protection organization responsible for promoting international law, has set out eight rules for hacktivists and another four for states to discourage civilian involvement in cyberattacks against other countries.

The rate at which civilians are becoming involved in international conflicts has been described as “a worrying trend” by the ICRC – a phenomenon exacerbated by the ongoing war in Ukraine, which has seen for the first time conflict taking place in both the physical and digital space concurrently.

Specifically named by the ICRC was the IT Army of Ukraine – the vigilante band of hacktivists that assembled early in the war using the Telegram messaging platform – as an example of civilians joining war efforts. 

The group has since expanded to develop a service that invites anyone to donate compute power to launch autonomous disruptive attacks against Russian targets.

One of the eight new rules surrounding hacktivism efforts explicitly prohibits activity such as this, banning the use of autonomous attack methods and by extension historical examples like Stuxnet.

The same rule also prohibits the use of attacks that could “spill over” and disrupt systems away from the intended target.

While the attack on Viasat, which took place just an hour before the war in Ukraine officially began, wasn’t listed as an example, it serves as one of the most recent cases of these kinds of spillover attacks.

In the weeks that followed, satellite internet users throughout Europe reported issues, and the effects even disrupted wind farms in neighboring countries.

The NotPetya worm of 2017 also presents an infamous historical example of cyberattacks the effects of which spill over and affect targets beyond their intended reach, including Møller-Maersk, Merck, and Mondelez.

The full list of rules that apply to civilian online attackers is:

1. Do not direct cyberattacks against civilian objects
2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately
3. When planning a cyberattack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians
4. Do not conduct any cyber operation against medical and humanitarian facilities
5. Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces
6. Do not make threats of violence to spread terror among the civilian population
7. Do not incite violations of international humanitarian law
8. Comply with these rules even if the enemy does not

Many of the rules echo the unspoken code of conduct that’s generally understood to be in place in the cybersecurity world, that attacks should not harm civilians or target hospitals, charities, and similar organizations.

These rules are generally understood in most cases and even the most prolific ransomware groups have shown glimpses that they abide by a moral code. However, some cybercriminals still operate without such restrictions.

The ICRC said the three main concerns borne out of the rise in civilian engagement in digital warfare include increased risk to civilian harm due to the increased number of attacks targeting civilian objects, the risk of civilians exposing themselves to military operations, and the fact the line increasingly blurs between who is a civilian and who is a combatant.

“Under [international humanitarian law (IHL)], civilians must not be attacked unless and for such time as they directly participate in hostilities. Conducting cyber attacks against military or civilian targets can amount to such ‘participation in hostilities’ and risks making civilian hackers liable to attacks,” said two ICRC advisors in an article announcing the rules. 

“In addition, while members of a State’s armed forces (including cyber operators) enjoy impunity for lawful acts of war (such as attacking a military installation) and become ‘prisoners of war’ when captured, civilian hackers do not. If captured, they risk being considered criminals or ‘terrorists’ and prosecuted as such.”

Rules for states

The ICRC has also drawn up rules for countries themselves in an effort to dissuade them from tolerating hacktivist activity.

All revolve around the legality of engaging in digital military conflict as a civilian and the responsibilities of states to uphold IHL, prosecuting violations where necessary.

It’s worth noting that neither the US, Russia, nor China – three of the world’s leading powers – are part of the International Criminal Court, the institution in charge of administering international law.

The four rules are:

1. If civilian hackers act under the instruction, direction or control of a State, that State is internationally legally responsible for any conduct of those individuals that is inconsistent with the State’s international legal obligations, including international humanitarian law
2. States must not encourage civilians or groups to act in violation of international humanitarian law
3. States have a due diligence obligation to prevent international humanitarian law violations by civilian hackers on their territory
4. States have an obligation to prosecute war crimes and take measures necessary to suppress other IHL violations

“IHL sets out essential rules to limit the effects of armed conflicts on civilians. No one that participates in war is beyond these rules,” said the ICRC. 

“In particular, every hacker that conducts operations in the context of an armed conflict must respect them, and States must ensure this is the case to protect civilian populations against harm.”

Will anything be changed?

With the practice of accompanying kinetic warfare with cyber attacks so deeply entrenched in the ongoing conflict in Ukraine, experts speaking to The Register said they’re unconvinced that the rules will substantially impact the war.

• LockBit: Sorry about the SickKids ransomware, not sorry about the rest
• Barts NHS hack leaves folks on tenterhooks over extortion
• US, UK sanction more Russians linked to Trickbot
• Hacktivists attack Japanese government over Fukushima wastewater release

“The way Russia is behaving… [taking] prisoners of war, bombing theatres and hospitals… I can’t see it having any effect at all on hacktivists,” said Professor Alan Woodward, a computer science and security specialist at the University of Surrey.

“If [hacktivists are] willing to get involved in that war, in that way, are some rules put out by the ICRC going to make any difference? I don’t think so.”

Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, commended the spirit of the rules but echoed what appears to be the prevailing sentiment that the rules may not have the impact the ICRC hopes for.

“The ICRC rules of engagement are sensible, ranging from not directing cyber-attacks against civilian objects to complying with these rules, even if the enemy does not. However, any cyber offensive team which tried to adhere to ‘these noble goals’ would be at a significant disadvantage.” Curran added that in the mindset of these keyboard warriors “all destruction within the enemies’ borders is justified – nothing is off the table.”

The leader of Killnet, the Telegram-assembled Russia-aligned DDoS operatives, known for launching daily disruptive attacks on various targets throughout Ukraine, has already said the group would not be adhering to the ICRC’s new rules.

Speaking to The Register, the spokesperson for the IT Army of Ukraine said the group is “committed to abiding by international standards and ethical practices, and will ensure to adhere to these newly suggested rules.” 

They pointed to an alleged cyberattack on the Okhmatdyt children’s cancer hospital, which they claimed was carried out today, as an example of why the guidelines are necessary.

“We will exert our utmost efforts to distinctly separate military and civilian accounts, especially in scenarios where dual civilian/military objectives are targeted,” they added. “This is in line with our ongoing commitment to minimize any potential harm to civilians.

“On a broader spectrum, it might be beneficial for the rule-making bodies to contemplate mechanisms that compensate the losses of parties adhering to these guidelines. The current construct may inadvertently favor those disregarding the laws, thus potentially incentivizing non-compliance.

“We remain open to further discussions to elucidate our stance and are willing to cooperate with international bodies to foster a conducive and lawful operational environment.” ®