Cybersecurity in Conflict: The Rules of Digital Engagement

Digital technology’s transformative influence on modern warfare has caught the International Committee of the Red Cross’s (ICRC) attention, spotlighting a troubling development: Civilians, once mere spectators of distant battlefields, are now actively partaking in cyber operations, thrusting themselves into virtual confrontations with foes. This new frontier of conflict, notably exemplified by the involvement of civilian hackers in the Russia-Ukraine conflict, raises complex legal and ethical questions.

The ICRC’s “8 rules for civilian hackers” during war, along with “4 obligations for states to restrain them,” aim to navigate the intricacies of international humanitarian law (IHL) in cyberspace. Their guidelines present a framework not only for individuals operating in the digital domain of war but also for states responsible for reigning in such activities.

For the Hacktivist: 8 Cardinal Rules

1. Respect Civilian Digital Sanctity: Cyber-attacks must not target civilian infrastructure or data.
2. Avoid Indiscriminate Malware: Tools causing uncontrolled damage to both military and civilian systems are prohibited.
3. Minimize Civilian Impact: Operations against military objectives should avoid or minimize civilian harm.
4. Protect Medical and Humanitarian Facilities: These should never be compromised by cyber operations.
5. Safeguard Essential Services: Attacks must not target facilities vital to civilian survival or those that could unleash dangerous forces.
6. Refrain from Terror Tactics: Spreading fear amongst the civilian population through digital means is outlawed.
7. Don’t Incite IHL Violations: Encouraging or facilitating attacks against civilian institutions is prohibited.
8. Uphold IHL, Regardless of Enemy Conduct: Adherence to IHL is not conditional on the enemy’s compliance​.

State Obligations: Keeping Civilians in Check

States bear a weighty responsibility to regulate and control civilian cyber activities in wartime:

1. Legal Accountability: If civilians operate under state direction, the state is internationally responsible for any IHL breaches.
2. Prohibition of Encouragement: States must not prompt civilians to engage in activities violating IHL.
3. Due Diligence in Prevention: States should take all feasible measures to prevent IHL violations by civilian hackers.
4. Prosecution of War Crimes: States are obliged to enact laws against cyber operations that qualify as war crimes and to take effective measures to suppress IHL violations​.

The ICRC’s guidelines underscore the imperative that both individuals and states adhere to IHL to protect civilians from the ramifications of digital warfare. As cyber operations become increasingly prevalent in conflicts, these rules and obligations are critical in establishing boundaries and responsibilities in the digital arena of war.

States must therefore enact and enforce regulations that not only deter civilians from becoming digital combatants but also hold those accountable who choose to engage in such warfare, ensuring that the cyber realm becomes an extension of the established principles of war, not an exception to them.

The significance of these rules lies not only in their ethical implications but also in the practical safeguarding of civilians in the increasingly digital landscape of conflict. The blurred lines between combatant and civilian in cyberspace make it more crucial than ever to define and respect the rules of digital engagement.

For those interested in delving deeper into the evolving landscape of IHL in the digital age and the comprehensive positions of the ICRC on this matter, exploring the wealth of knowledge in their publications and the Cyberlaw Toolkit would be invaluable.