Rules of engagement issued to hacktivists after chaos
The International Committee of the hacktivists Red Cross (ICRC) has, for the first time, published rules of engagement for civilian hackers involved in conflicts.
The organisation warns unprecedented numbers of people are joining patriotic cyber-gangs since the Ukraine invasion.
The eight rules include bans on attacks on hospitals, hacking tools that spread uncontrollably and threats that engender terror among civilians.
But some cyber-gangs have told BBC News they plan to ignore them.
The ICRC, responsible for overseeing and monitoring the rules of war, is sending the new rules to hacking groups particularly involved in the Ukraine war. It is also warning hackers their actions can endanger lives, including their own if deemed to make them a legitimate military target.
Patriotic hacking has risen over the past decade. The ICRC statement highlights pro-Syrian cyber-attacks on Western news media in 2013.
But the worrying trend, accelerated hacktivists by the Russia-Ukraine conflict, is now spreading globally, ICRC legal adviser Dr Tilman Rodenhäuser says.
“Some experts consider civilian hacking activity as ‘cyber-vigilantism’ and argue that their operations are technically not sophisticated and unlikely to cause significant effects,” he says.
“However, some of the groups we’re seeing on both sides are large and these ‘armies’ have disrupted… banks, companies, pharmacies, hospitals, railway networks and civilian government services.”
Based on international humanitarian law, the rules are:
- Do not direct cyber-attacks against civilian objects
- Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately
- When planning a cyber-attack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians
- Do not conduct any cyber-operation against medical and humanitarian facilities
- Do not conduct any cyber-attack against objects indispensable to the survival of the population or that can release dangerous forces
- Do not make threats of violence to hacktivists spread terror among the civilian population
- Do not incite violations of international humanitarian law
- Comply with these rules even if the enemy does not
The ICRC is also imploring governments to restrain hacking and enforce existing laws.
The Ukraine conflict has blurred the hacktivists boundaries between civilian and military hacking, with civilian groups such as the IT Army of Ukraine being set up and encouraged by the government to attack Russian targets.
The IT Army of Ukraine, which has 160,000 members on its Telegram channel, also targets public services such as railway systems and banks.
- Meet the hacker armies on Ukraine’s cyber front line
- Anonymous Sudan hacks X to get Musk’s attention
Its spokesman told BBC News it had not decided whether to implement the ICRC rules. The group has already banned attacks on healthcare targets – but said the wider civilian impact was unavoidable.
“Adhering to the rules can place one party at a disadvantage,” the spokesman added.
Large groups in Russia have similarly attacked Ukraine and allied countries – including disruptive but temporary attacks, such as knocking websites offline, on hospitals.
“Why should I listen to the Red Cross?” a representative of Killnet, which has 90,000 supporters on its Telegram channel, asked BBC News.
Pro-Russian groups are accused of working directly for, or in conjunction, with the Kremlin. But Killnet strongly denies this.
Meanwhile, a representative of Anonymous Sudan, which in recent months has begun attacking technology companies and government services it says are critical of Sudan or Islam, told BBC News the new rules were “not viable and that breaking them for the group’s cause is unavoidable”.
And a high-profile member of the Anonymous collective told BBC News it had “always operated based on several principles, including rules cited by the ICRC” but had now lost faith in the organisation and would not be following its new rules.