“Hacktivists”, “patriotic hackers” and “civilian hackers” – cyber security professionals as well as cyber criminals – are increasingly active in the context of armed conflicts.Footnote 1 Already during the 2003 armed conflict between the United States and Iraq, a US government agency warned that “global hacking activities are likely to increase”.Footnote 2 Five years later, individuals described as “patriotic hackers” are alleged to have conducted cyber operations against Georgian government websites in the context of the Russia–Georgia armed conflict.Footnote 3 In 2011, the Syrian Electronic Army emerged,Footnote 4 and in 2015, the hacker group Anonymous issued a declaration of war against the so-called Islamic State group.Footnote 5 In the international armed conflict (IAC) between Russia and Ukraine, the IT Army of Ukraine presents itself as a “worldwide IT [information technology] community” with the mission to, in its own words, “help Ukraine win by crippling aggressor economies, blocking vital financial, infrastructural and government services, and tiring major taxpayers”.Footnote 6 The Russian group Killnet has reportedly “called for and carried out disruptive – albeit temporary – attacks on hospital websites in both Ukraine and allied countries”, among many other operations.Footnote 7 Civilian hackers have also operated in the context of the armed conflicts in Syria, Armenia and Azerbaijan, India and Pakistan, and Israel and Iran, and between Israel and Hamas.Footnote 8 With many groups active in these conflicts, and some of them having thousands of hackers in their social media coordination channels, the civilian involvement in cyber and information operations during armed conflict has reached unprecedented dimensions.
In most cases, links between such groups and States are either non-existent or blurred, meaning that their acts cannot easily be attributed to any State and that people taking part in such operations cannot be regarded as combatants. Some consider these groups primarily as “cyber vigilantes”, emphasizing that many of the operations they conduct require rather low levels of technological sophistication or know-how and stressing that they are unlikely to cause significant effects.Footnote 9 At the same time, reports suggest that civilian hackers have targeted – and at times disrupted – various parts of civilian infrastructures, such as banks, companies, pharmacies, hospitals, railway networks and civilian government services.Footnote 10 The impact that civilian hackers may cause is not only, or primarily, defined by their technological or organizational sophistication; it also depends on the exposure, cyber security posture, dependencies and position of the target. Thus, even small groups of hackers with skills and tools that may not be comparable to military cyber operators may nonetheless cause a significant impact on people and society – particularly during armed conflicts, when hospitals are overwhelmed or public infrastructure and essential services are strained.
The growing involvement of civilian hackers in cyber operations in the context of armed conflicts is one part of a larger trend.Footnote 11 In a resolution of 2024, States and the components of the International Red Cross and Red Crescent Movement noted that “ICTs may enable … civilians to conduct or support ICT activities in armed conflict”, and expressed “concern that civilians may not be aware of the risks involved or the legal limits and implications applicable to their conduct”.Footnote 12 Indeed, during armed conflict, armed forces may (mis)qualify such individuals as civilians directly participating in hostilities, meaning that these hackers risk being attacked – by cyber operation, bullet or missile. Likewise, the computers and digital infrastructure they use risk becoming military objectives, meaning that these objects are also at risk of being attacked. Taking a step back and looking at this trend more systematically, the International Committee of the Red Cross (ICRC) has warned that the more civilians take an active part in warfare, the more the line blurs between who is a civilian and who is a combatant, making it difficult to implement the cardinal principle of distinction.Footnote 13
This article provides an assessment of the operations, legal obligations and status of “civilian hackers” or “IT” or “cyber” armies under international humanitarian law (IHL) and the international legal obligations of States under the jurisdiction of which they operate. The first part assesses the type of operations that civilian hackers commonly conduct and which IHL rules they must respect. The second part analyzes whether such groups are “armies” in the legal sense of the term (i.e., part of the armed forces of a State party to an armed conflict), and if not, what other legal status they may have. The third part focuses on the question of when a State is legally responsible for the conduct of civilian hackers operating under its instruction, direction or control, and recalls States’ responsibility to ensure respect for IHL by civilian hackers operating from their territory.
“Vigilantism” or “acts of war”: International legal limits for civilian cyber operations during war
In times of armed conflict, IHL provides universally agreed rules that aim to safeguard from harm civilian populations and soldiers who are no longer able to fight. There is no rule that expressly prohibits hacking under IHL, but IHL contains a set of rules that everybody must respect when conducting cyber operations in the context of an armed conflict.Footnote 14 For civilian hackers conducting cyber operations in the context of an armed conflict, a set of eight IHL-based rules has been published by the ICRC.Footnote 15 These rules are reproduced below. The list is not exhaustive of the IHL obligations that bind civilian hackers; it is only a selection of legally binding rules that are particularly relevant considering the kind of cyber operations commonly conducted by civilian hackers. For the purposes of this article, footnotes have been added to each rule to provide the rule’s legal source.
1. Do not direct cyber attacks against civilian objects.Footnote 16
2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.Footnote 17
3. When planning a cyber attack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians.Footnote 18
4. Do not conduct any cyber operation against medical and humanitarian facilities.Footnote 19
5. Do not conduct any cyber attack against objects indispensable to the survival of the population or that can release dangerous forces.Footnote 20
6. Do not make threats of violence to spread terror among the civilian population.Footnote 21
7. Do not incite violations of international humanitarian law.Footnote 22
8. Comply with these rules even if the enemy does not.Footnote 23
In the media, it has been said that by presenting these eight rules, the ICRC “has, for the first time, published rules of engagement for civilian hackers involved in conflicts”.Footnote 24 Yet, the fact that these rules are formulated in a concise manner and in language accessible for civilian hackers should not distract from the fact that they are based on binding rules of IHL. As the footnotes show, each rule has a basis in IHL treaties and/or custom and is therefore legally binding.
This also means that violations of most of these rules – namely rules 1, 2, 3 (in certain circumstances), 4, 5, and 8 – may amount to a war crime. While the present article is not the place to discuss this in detail, governments and experts have done significant work on the subject.Footnote 25 Moreover, the Office of the Prosecutor of the International Criminal Court (ICC) announced in 2023 that it “will collect and review evidence of” cyber operations that aim “to impact critical infrastructure such as medical facilities or control systems for power generation”.Footnote 26
The following analysis addresses some of the conceptual issues to consider when analyzing which cyber operations are subject to IHL.Footnote 27
The nexus requirement
IHL “applies only in situations of armed conflict”,Footnote 28 and more precisely only to cyber operations that are “conducted in the context of an armed conflict”.Footnote 29 While a range of cyber operations may occur in a country affected by war, “there must be a nexus between the cyber activity in question and the conflict for the law of armed conflict to apply to that activity”.Footnote 30 Identifying such a nexus is normally uncontroversial if the armed forces of a party conduct a cyber operation against their adversary’s military or civilian infrastructure. It may be more challenging, however, if civilian actors conduct a cyber operation with effects in a territory controlled by a party to an armed conflict. As the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Tallinn Manual 2.0) points out:
“The law of armed conflict does not embrace activities of private individuals or entities that are unrelated to the armed conflict. This would, for example, be the case for a private corporation that is engaging in theft of intellectual property to achieve a market advantage over a competitor in the enemy State.”Footnote 31
Likewise, cyber crimes such as fraud, ransomware operations purely for personal gain, or other acts that are not related to an armed conflict do not fall within the scope of application of IHL, even if they take place on the territory of a party to an armed conflict.Footnote 32
This changes, however, if a nexus between a cyber operation and the armed conflict exists. As no IHL treaty rule defines this nexus requirement, experts have argued that “the contours and content of such nexus must be inferred from the whole spirit of IHL and international criminal law as well as the object and purpose of the relevant international rules”.Footnote 33 Indeed, because the nexus requirement is similarly important in the context of war crimes trials (i.e., trials of certain IHL violations), the jurisprudence of international criminal tribunals can provide guidance. In the ICC’s Elements of Crimes, States defined the nexus as requiring that an act “took place in the context of and was associated with an armed conflict”.Footnote 34 In several cases, tribunals and courts have held that an act may amount to a war crime – i.e., a serious violation of IHL – if there is an “evident nexus between the alleged crimes and the armed conflict as a whole”.Footnote 35 In their views,
“[t]he existence of an armed conflict must, at a minimum, have played a substantial/major part in the perpetrator’s ability to commit [the act], his decision to commit it, the manner in which it was committed or the purpose for which it was committed.”Footnote 36
The conjunction “or” in this list signifies that an act does not need to meet all these elements to have a nexus to the conflict. At the same time, tribunals have also cautioned that “particular care [in this assessment] is needed when the accused is a non-combatant”,Footnote 37 which would be the case for a civilian hacker.
In practice, the assessment of which acts have a nexus to an armed conflict requires a case-by-case analysis, and it is legally different from the analysis of whether an act shows a “belligerent nexus” and could mean that the author of the act is directly participating in hostilities (see below section on “Hackers Directly Participating in Hostilities during Armed Conflict”). Following the considerations outlined by international tribunals, it may be concluded that several common types of civilian cyber operations would show a nexus to an armed conflict. For instance, cyber operations by civilian hackers directed against the military of a party to an armed conflict, or otherwise aimed at undermining military operations in the context of an armed conflict, are usually linked to that conflict. Similarly, if a hacker group is established for the purpose of conducting cyber operations against military or civilian objects of an adverse party in an armed conflict, and the group indeed conducts such operations, the nexus to the conflict is clear. Likewise, if a party to an armed conflict provides hackers with tools and instructions for conducting operations against the adverse party, the conflict will play a major part in the hacker’s ability to conduct the operation and the purpose for which it is committed. Moreover, if an individual feels outraged by an act that they see in the context of an armed conflict and decides to conduct a cyber operation against one of the warring parties, the armed conflict is the determining factor for the decision to conduct that operation. As a result, IHL applies to the operation.
IHL obligations are legally binding for civilian hackers
One may, however, ask whether and which rules of IHL actually bind civilian hackers. In principle, IHL has been agreed among States primarily to regulate the conduct of armed forces and other agents of parties to an armed conflict.Footnote 38 Yet, IHL also contains some rules explicitly addressed to private civilians, such as the obligation of the “civilian population” to “respect [the] wounded and sick, and in particular abstain from offering them violence”.Footnote 39 Already in 1949, the ICRC stated that the inclusion of obligations for civilians in the Geneva Conventions was “essential in view of the special character which modern warfare is liable to assume … and which may lead to closer and more frequent contacts between military and civilians”.Footnote 40 Nonetheless, most IHL rules are either addressed to “High Contracting Parties” or “parties to the conflict”, or simply stated as prohibitions or obligations without specifying their addressees.
For rules that are drafted as simple prohibitions, such as “civilian objects shall not be the object of attack”, the wording does not limit their application to members of armed forces. With regard to such rules, international criminal tribunals have held that violations can be committed “by any individual, regardless of his official status”.Footnote 41 As will be seen in the following paragraph, this interpretation is supported by an analysis of the context of IHL treaties and their object and purpose, and can also be extended to at least some of the rules that are addressed to “parties to the conflict”.Footnote 42
Considering the context of IHL rules in the respective treaties, it is particularly important to note that the Geneva Conventions and Additional Protocol I (AP I) contain rules that require States to “provide effective penal sanctions for persons committing, or ordering to be committed”, grave breaches of IHL (meaning war crimes), and to “take measures necessary for the suppression” of any other IHL violation.Footnote 43 These rules do not limit people who violate IHL to members of the armed forces of parties to a conflict; they require the suppression of violations by any person, including civilians.Footnote 44 To ensure that these rules are known and respected by everyone – military or civilian – States have further undertaken to disseminate IHL as widely as possible in their countries and to encourage the study thereof “so that those instruments may become known to the armed forces and to the civilian population”.Footnote 45 As the ICRC Commentaries on the Geneva Conventions explain, the dissemination of IHL among the general population is not only “a significant element for attaining full compliance with the Conventions” but is also important “because the obligation of States Parties to suppress all violations of the Conventions … applies not only to violations committed by persons acting on behalf of a State, but also to violations by private persons”.Footnote 46
Turning to the object and purpose of IHL rules on the conduct of hostilities, their raison d’être is to safeguard civilian persons and objects from harm.Footnote 47 If the view was taken that only members of armed forces and agents of parties to an armed conflict must respect these rules as a matter of IHL, there is a real risk that IHL “would be lessened and called into question”.Footnote 48 Indeed, for IHL to be effective, it must bind anyone who carries out hostilities, deprives people of liberty in connection with the conflict, or carries out other such acts that are regulated under IHL because they have a nexus to an armed conflict.Footnote 49 In other words, it would be difficult to see why killing a civilian, torturing a detainee or destroying civilian infrastructure in the context of an armed conflict would only be prohibited if conducted by a party to the conflict and not by any other individual or group conducting such acts. This conclusion finds support in the views of StatesFootnote 50 and the ICRC.Footnote 51
This conclusion is further strengthened when analyzing the international criminalization of grave violations of IHL, and relevant jurisprudence. Indeed, the view that IHL rules which constitute war crimes apply to all individuals, military or civilian, has long been reflected in international criminal law jurisprudence. Famously, the International Military Tribunal at Nuremberg held that “crimes against international law [including war crimes, which are by definition IHL violations] are committed by men, not by abstract entities”.Footnote 52 Subsequently, the US Military Tribunal asserted that “the application of international [humanitarian] law to individuals is no novelty”.Footnote 53 Accordingly, when prosecuting German industrialists – who were private civilians – for war crimes, the US Tribunal found that “the laws and customs of war are binding no less upon private individuals than upon government officials and military personnel”.Footnote 54
A similar approach was taken by the International Criminal Tribunal for Rwanda (ICTR), which held that there is no requirement, under IHL or international criminal law, that the perpetrator of a war crime must have a “special relationship” with one party to the conflict.Footnote 55 Today, this is also reflected in the Rome Statute of the ICC, which does not limit individual criminal responsibility to agents of a party to an armed conflict.Footnote 56 Linking war crimes jurisprudence back to IHL obligations, it has been pointed out that “if individuals were not the addressees of criminalized IHL rules, then these individuals could not have been tried by international tribunals such as the ICTY [International Criminal Tribunal for the former Yugoslavia] and the ICTR, since the tribunals were constituted after the crimes had been committed”.Footnote 57 In other words, if the criminalized IHL rules were not binding on private civilians, the principle of nullum crimen sine lege would have made these prosecutions unlawful.
As a result, it is uncontroversial that criminalized rules of IHL bind private individuals, who may be held criminally responsible for violating such rules. In addition, IHL treaty rules and the object and purpose of this field of international law, as well as State practice and expert views, suggest that a wider scope of IHL rules bind private individuals, including civilian hackers, when conducting cyber operations in the context of an armed conflict.Footnote 58
Limits that IHL imposes on cyber operations conducted by civilian hackers
A cyber operation conducted by a civilian hacker in the context of an armed conflict may, however, not necessarily violate IHL. IHL does not prohibit hacking or cyber operations as such; for instance, it would not necessarily be a violation of IHL for a civilian hacker to conduct an operation against a military objective.Footnote 59 Moreover, IHL does not impose the same limits on all types of cyber operations; for example, IHL does not prohibit information gathering (espionage), including through cyber operations.Footnote 60 In addition, while some rules apply to a wide range of cyber operations, or protect certain objects or people irrespective of the kind of operation conducted, other rules – notably many of the rules on the conduct of hostilities – only apply to cyber operations that qualify as attacks under IHL.Footnote 61
With regard to the eight rules set out by the ICRC, as listed above, the question of whether an operation amounts to an attack under IHL is only relevant for rules 1 (prohibition of attacking civilian objects), 2 (prohibition of indiscriminate attacks), 3 (obligation to take precautions in attack) and part of rule 5 (attacks against works and installations containing dangerous forces). In contrast, the legal obligations underlying rule 4 (protection of medical facilities and humanitarian operations), part of rule 5 (prohibition of rendering useless objects indispensable to the survival of the civilian population), 6 (prohibition of threats of violence to spread terror among the civilian population), 7 (prohibition of encouraging or inciting IHL violations) and 8 (reciprocity is not a justification for IHL violations) apply to a wider scope of cyber operations. Moreover, and as will be discussed below, IHL does not provide carte blanche for targeting cyber operations against civilian objects, even if these operations cannot be considered attacks; in fact, Article 48 of AP I demands that parties to the conflict must “direct their operations only against military objectives”, which is also reflected in rule 1 cited above.
Cyber operations conducted by civilian hackers and the IHL notion of attack
A cyber operation that amounts to an attack under IHL is subject to all rules regulating the conduct of hostilities, including all the rules stemming from the principles of distinction, proportionality and precaution. Article 49 of AP I defines “attacks” as “acts of violence against the adversary, whether in offence or in defence”. In the cyber context, it is widely accepted that cyber operations which can be reasonably expected to cause injury or death to persons or damage or destruction to objects constitute attacks under IHL.Footnote 62 When considering whether distributed denial of service (DDoS) operations, ransomware attacks or other cyber operations commonly conducted by civilian hackers qualify as attacks under IHL, the key question is whether such an operation can be expected to cause “damage” or “destruction”.
At present, different views exist on the issue, with some States emphasizing that it deserves “further reflection”.Footnote 63 In legal literature and State positions, one view is that only physical damage is relevant in the assessment of what constitutes an attack under IHL, or that the effect of a cyber operation would need to be “akin to”, “comparable to” or “equivalent to” the effects of kinetic operations.Footnote 64 If the view is taken that physical damage is required, “the mere loss or impairment of functionality to infrastructure would be insufficient” to qualify a cyber operation as an attack.Footnote 65 Accordingly, a DDoS or ransomware operation would be unlikely to qualify as an attack under IHL.Footnote 66
Others, among them several States and the ICRC, have interpreted the notion of attack as including cyber operations that disable the functionality of the target without causing physical damage comparable to kinetic military operations.Footnote 67 Even under this broader view, however, the level of interference with the functionality of a system remains subject to debate.Footnote 68 Some States require “harmful effects above a de minimis threshold”,Footnote 69 that “the targeted equipment or systems no longer provide the service for which they were implemented, whether temporarily or permanently, reversibly or not”,Footnote 70 or that a cyber operation may be expected to cause “harmful effects on communication, information or other electronic systems, on the information that is stored, processed or transmitted on these systems or on physical objects or persons”.Footnote 71 Other States consider more practically whether an operation “renders inoperable a state’s critical infrastructure”,Footnote 72 whether it disables a “State’s basic services (water, electricity, telecommunications, or the financial system)”,Footnote 73 or whether it causes “financial loss at large scale”, “undermines the confidentiality, integrity, and the availability of a critical civilian infrastructure”, or attempts “to delete, destroy and manipulate the data essential for the smooth functioning of the critical civilian infrastructure and may impair its operations”.Footnote 74 The ICRC has taken the view that “an operation designed to disable a computer or a computer network constitutes an attack under IHL, whether the object is disabled through kinetic or cyber means”.Footnote 75
As seen from these examples, States rarely opine explicitly on specific types of cyber operations or tools, but rather evaluate the effects of such operations or tools.Footnote 76 Thus, whether an operation conducted by civilian hackers meets the threshold of an attack under IHL and must therefore comply with all the rules stemming from the principles of distinction, proportionality and precaution requires a case-by-case assessment of the reasonably foreseeable effects of the operation. Considering the views expressed by States, DDoS operations do not seem to be per se excluded from the notion of attack under IHL.Footnote 77 This is even less the case for operations that cause effects directly on the targeted system, such as ransomware or wipers.Footnote 78 For instance, noting from its own experience that “ransomware can cripple the operations of private entities and entire governmental organs”, with “significant economic, political, and human costs”, Costa Rica has stated that “encrypting data through ransomware, despite being temporary and reversible, would be considered an attack under IHL and therefore must not be directed against civilian systems”.Footnote 79 In light of the views expressed by States, one commentator recently observed that “while there may not yet be enough consensus among State positions to determine what constitutes an attack in these scenarios, the law appears to be moving towards extended denial of functionality as a qualifying effect”.Footnote 80
While the legal debate on what constitutes an attack under IHL is important for legal and practical reasons, it is even more important to recall that cyber operations which cannot be legally qualified as attacks under IHL are “still governed by the provisions of IHL applicable to any military operation carried out in an armed conflict situation”.Footnote 81
Cyber operations conducted by civilian hackers and the IHL rules limiting operations other than attacks
Even when a cyber operation by a civilian hacker cannot be considered an attack under IHL, it might nonetheless violate IHL to direct such operations against civilian objects.Footnote 82 IHL imposes limits on military operations that do not amount to attacks – for example, in the conduct of any military operation, belligerents have an obligation to take “constant care … to spare the civilian population, civilians and civilian objects”.Footnote 83 It is hard to see how the obligation of constant care can be reconciled with directing cyber operations against civilian objects. At least in contexts in which AP I applies, directing cyber operations against civilian objects would also seem difficult to reconcile with – or would have to be carefully articulated with – Article 48 of AP I, which provides that “the Parties to the conflict shall at all times distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly shall direct their operations only against military objectives”.Footnote 84 In addition, IHL principles such as humanity and necessity impose limits on cyber operations. Concretely, if a cyber operation that targets civilian infrastructure but does not amount to an attack is “not actually necessary for the accomplishment of a legitimate military purpose in a particular situation, it would be inconsistent with the principles of military necessity and humanity”.Footnote 85 In this context, a legitimate military purpose is “to weaken the military forces of the enemy” – not its civilian population.Footnote 86 Accordingly, irrespective of the qualification of a cyber operation as an attack under IHL, it has been concluded that “it is widely accepted today that parties to conflicts cannot blatantly disregard such harmful effects [i.e., danger] to the civilian population in their military operations”.Footnote 87
In addition, IHL provides specific protection for certain objects and operations, including medical or humanitarian ones.Footnote 88 As stated in rule 5 of the above-listed ICRC rules for civilian hackers (which reflect IHL treaty and customary law), any cyber operation against medical or humanitarian facilities is unlawful as long as such facilities are entitled to the protection given to civilians or civilian objects under the law of armed conflict. In times of armed conflict, medical units that are exclusively assigned to medical duties and purposes, as well as objects used for humanitarian relief operations, must be respected and protected.Footnote 89 Experts have concluded that cyber operations against such facilities are governed by IHL “even if they do not rise to the level of an ‘attack’”.Footnote 90
As a result, the suggestion that cyber operations conducted by civilian hackers, such as DDoS or ransomware operations, are merely irritations or inconveniences and are thus insignificant under the law of armed conflict is not convincing. A case-by-case assessment is required. Even if the view is followed that certain operations may not cause effects that would qualify them as attacks under IHL and are thus not subject to the entire spectrum of IHL rules on the conduct of hostilities, IHL nonetheless imposes limits on such operations – it does not provide carte blanche to direct such operations against civilian companies, civilian government services or civilian infrastructure. This is a fortiori the case if they are directed against specifically protected objects or operations, in particular medical or humanitarian ones.
Private hackers, IT armies and cyber armies: Members of armed forces, non-State parties to armed conflict, or simply civilians?
As highlighted at the beginning of this article, in times of armed conflict it has become rather common that individuals, volunteer groups, self-proclaimed armies or militias will oppose military forces, conduct sabotage, fight alongside a party to the conflict or otherwise take part in hostilities.Footnote 91 The information and communication technology (ICT) environment, however, appears to have changed the scale of civilians engaging in activities linked to armed conflict, and this creates the possibility for civilians far from the theatre of conflict to nonetheless take part in it. As experts have pointed out, in digitalizing armed conflicts, civilians can more easily contribute to digital military operations and “it is much easier to scale civilian activity in conflicts, as groups comprising thousands or even tens of thousands of individuals may be formed and coordinated online in a matter of hours”.Footnote 92 In fact, as the “vast majority of expertise in cyber(defence) lies with the private (or civilian) sector”, civilians have been described as “first choice cyberwarriors”.Footnote 93 The digitalization of armed conflicts has thus facilitated the emergence of diverse actors conducting various types of cyber operations in the context of armed conflicts.Footnote 94
Under IHL, knowing the status of each individual or group operating in the context of an armed conflict is key to determining whether they are protected against attack or may be lawfully targeted, and which consequences they may face if captured by an adverse party to the conflict. As the rights and liabilities of people engaging in armed conflict differ between IACs and non-international armed conflicts (NIACs), the following sections discuss the two situations separately.Footnote 95
When do hackers qualify as combatants or prisoners of war in an international armed conflict?
In all armed conflicts, the cardinal IHL principle of distinction stipulates that parties to an armed conflict must at all times distinguish between combatants (i.e., members of the armed forces) and civilians. Attacks may be directed against combatants but they must not be directed against civilians, unless and for such time as they directly participate in hostilitiesFootnote 96 (see below section on “Hackers Directly Participating in Hostilities during Armed Conflict”). This principle is recognized as applying equally in the context of cyber operations conducted in situations of armed conflict.Footnote 97 Under IHL, combatants are defined as “all members of the armed forces of a party to the conflict …, except medical and religious personnel”.Footnote 98 State armed forces of a party to an armed conflict “consist of all organized armed forces, groups and units which are under a command responsible to that party for the conduct of its subordinates”.Footnote 99
In IAC, the legal notion of combatant signifies liabilities and rights. Combatants are liable to attack, and when captured, they will in most cases qualify as prisoners of war (PoWs) and enjoy the so-called “combatant privilege”, meaning that they “may not be prosecuted for lawful acts of war committed in the course of an armed conflict, even if their acts constitute a criminal offence under the domestic laws of the Detaining Power”.Footnote 100
The application of these concepts has raised questions in the ICT environment. For example, Russia has noted that it is “very difficult (if not impossible) to draw a distinction in virtual space between … combatants and non-combatants”,Footnote 101 and Japan has identified the question of how “the scope of combatants applies to cyberspace” as an issue needing further analysis.Footnote 102
The following sections analyze how these concepts apply in the cyber context.
Combatant status and the question of who may be lawfully targeted under IHL
In practice, the most significant group of combatants are States’ armed forces. Membership in a State’s armed forces is not defined in international law but is rather a “matter of domestic regulation”.Footnote 103 Members of a State’s military cyber forces would commonly be combatants, such as members of China’s People’s Liberation Army Cyberspace Force, France’s Commandement de la Cyberdéfense, Israel’s Defence Forces Unit 8200, or the US Cyber Command. In contrast, members of volunteer IT or cyber armies who are not formally incorporated into the armed forces of a State do not fall into this category.
Such groups could, however, fall into the category of other organized “groups and units which are under a command responsible to that party for the conduct of its subordinates”, which also qualify as a State’s armed forces and members of which are combatants.Footnote 104 The requirements of being “organized” and “under a responsible command”, however, set a rather high threshold. While “being organized” can take different forms, the notion is generally understood as referring to groups whose operations “have a collective character” and are “conducted under proper control and according to rules, as opposed to individuals operating in isolation with no corresponding preparation or training”.Footnote 105 Thus, loose collectives of hackers who act for a common purpose but without an organizational structure that shows a collective character and a form of internal control would not qualify as being “organized”. The requirement of a “responsible command” further clarifies that in order to qualify as part of a State’s armed forces, a group must “have a hierarchy”, meaning that members of the group “are subordinate to a command which is responsible to one of the Parties to the conflict for their operations”.Footnote 106 This criterion effectively excludes from a State’s armed forces any individual hackers or groups which are not controlled by, or acting on behalf of, a party to the conflict, but which rather “wage a private war”.Footnote 107
As a result, in order to be considered a member of a State’s armed forces and thus a combatant under IHL, unless they are formally (by law) part of the armed forces, a hacker would have to be part of an organized group with an internal hierarchical structure that ensures discipline within that group and is effectively subordinated and responsible to a State party to an armed conflict. While there is no reason why these criteria could not be fulfilled by hacker groups, the assessment is highly fact-dependent. A group that organizes and coordinates its acts independently from a State, or only online through open communication channels in which anyone can participate, would likely not qualify as an organized armed group under IHL.
PoW status and penal prosecution for cyber operations during war
When a civilian hacker conducts a cyber operation, they likely violate the domestic law of the targeted State and/or of the State in which they are based, and may be criminally liable for such acts. This is the case irrespective of whether the operation was conducted in accordance with or in violation of IHL. In contrast, in IACs, combatants enjoy the so-called “combatant privilege”, meaning that if captured they must be granted PoW status and not prosecuted for lawful acts of war even if they violate the domestic laws of the adverse party to the conflict.Footnote 108 Consider, for example, a situation in which a State arrests alleged members of a group that has conducted cyber operations against the military infrastructure of that State. The operations were lawful under IHL but violated the applicable domestic law. If the arrested persons were combatants, they would in most cases qualify as PoWs and it would be unlawful to prosecute them for these acts that do not violate IHL. In contrast, if they were not combatants but civilians, they could be prosecuted for the very same conduct. Thus, militaries have argued that incorporating private cyber actors into armed forces would be “perfect to make voluntary defence organizations (defence leagues) specialized in cyberdefence or cyberwarfare … fall under the protective umbrella of combatant status”.Footnote 109
Under IHL, PoW status must be given to several categories of people. Without being exhaustive, two categories are particularly relevant in the present context: namely, members of a State’s armed forces as well as members of militias or volunteer corps forming part of such armed forces as per Article 4(a)(1) of Geneva Convention III (GC III), and members of militias and volunteer corps belonging to a party to the conflict, provided they meet certain conditions under Article 4(a)(2) of GC III.Footnote 110
For States party to AP I, any person who qualifies as a combatant and falls “into the power of an adverse Party shall be a prisoner of war”.Footnote 111 As discussed above, this would include not only members of military “cyber commands” but also other hacker groups or units operating under a command responsible to a party to the armed conflict for the conduct of its subordinates.
Under GC III, which is universally ratified, PoW status must also be granted to “members of militias or volunteer corps forming part of armed forces”. Thus, cyber “militias or volunteer corps” may form part of the armed forces if they are formally – meaning under domestic law – incorporated as such.Footnote 112
In addition, members of a (cyber) militia or volunteer corps who are not formally integrated into the armed forces of a State but who “belong to” a party to the conflict may qualify as PoWs if they fulfil four conditions: namely, they need to operate under a responsible command, wear a “fixed distinctive sign”, “carry arms openly” and conduct “their operations in accordance with the laws and customs of war”.Footnote 113 With regard to the requirement that a militia or volunteer group “belongs to” a State, it has been explained that this is the case if the group “in fact fights on behalf of that party”, and if the State party explicitly or tacitly accepts the group’s fighting role on its behalf.Footnote 114 This would be the case, for instance, if a State publicly asserts – for instance on social media – that a group is conducting cyber operations on its behalf and that it approves of the group’s actions, or if the State contracts a cyber group to conduct operations on its behalf (comparable to members of a private military company who are hired by a State party to an armed conflictFootnote 115). For members of such groups to be granted PoW status, however, the four above-mentioned conditions set a rather high threshold, and there is no agreement as to how they would be met in the cyber context.Footnote 116 As discussed above, conducting operations under a responsible command requires a form of internal organization to ensure discipline, which is unlikely to be the case for loosely organized hacker groups.Footnote 117 Moreover, it is unlikely that civilian hackers will wear a “fixed distinctive sign”, such as a military uniform, and experts have voiced different views on what it would mean for hackers to “carry arms openly”. 
Members of hacker groups that consistently and intentionally direct their cyber operations against civilian objects, meaning that “the acts of the group entail large-scale or systematic non-compliance with international humanitarian law”, would also be excluded from PoW status.Footnote 118 With this uncertainty around how these conditions are applied in the cyber context, integration into armed forces will be the much clearer option to ensure that civilian hackers or hacker groups are granted PoW status and not prosecuted for acts of war that do not violate IHL.Footnote 119
If civilian hackers fall into the hands of the enemy in an IAC and do not qualify for PoW status, they may – if they meet the requisite criteria – qualify as protected civilians under Geneva Convention IV (GC IV) and must be treated accordingly, or at the very least receive treatment in accordance with Article 75 of AP I and relevant rules of customary IHL.
What legal status do hackers have in a non-international armed conflict?
In NIAC, the concepts of “combatant”, “combatant privilege” and “PoW” do not exist. Nonetheless, for the purpose of the principle of distinction it is essential to identify who is a civilian and is thus protected against attack, and who is not.Footnote 120
Under customary IHL, for the purposes of the principle of distinction, membership in State armed forces can be determined as discussed above with regard to IACs.Footnote 121 However, additional analysis is needed to determine which armed groups qualify as a non-State party to an armed conflict and who forms part of their armed forces.
In order to qualify as a non-State party to an armed conflict, a group must show a certain degree of organization. In addition, violence between the group and its adversary must reach a certain intensity.Footnote 122 With regard to cyber operations, three scenarios must be distinguished.
First, a group that qualifies as a non-State party to an armed conflict in light of the traditional, kinetic operations that it conducts will also be bound by IHL when conducting cyber operations in the context of the same armed conflict.Footnote 123 Second, if a hacker group is sufficiently organized as required under IHL (see next paragraph) and conducts cyber operations in support of one party to a pre-existing NIAC against another party to that conflict, the hacker group might itself become a party to the conflict.Footnote 124 Under this “support-based approach” to conflict classification, the cyber operations of such a group would need to support the collective conduct of hostilities and have a direct impact on the opposing party’s ability to carry out its military operations. In addition, the group’s operations would need to be carried out objectively in support of a party to that pre-existing conflict.Footnote 125 If these conditions are met, the cyber operations conducted by the hacker group would not need to reach a certain intensity of violence by themselves; for example, cyber operations to collect operationally relevant intelligence that is then immediately shared with a party and used in hostilities by the supported party would turn an organized hacker group into a party to an armed conflict.Footnote 126
The third question is whether a group that is only organized online could be classified as a party to a NIAC. Consider, for instance, a group which only convenes online and engages exclusively in cyber operations. With regard to the required degree of organization to qualify as a party to an armed conflict, such a group would have to be a collective entity with an internal structure that shows the ability to implement basic IHL rules and the organizational and logistical capacity to engage in military-type hostilities, which in the ICT environment would require the ability to engage in sufficiently intense cyber operations.Footnote 127 While this sets a rather high threshold, many agree that at least in theory, “the failure of members of the group physically to meet does not alone preclude it from having the requisite degree of organization”.Footnote 128 With regard to the criterion that “Parties confront one another with violence of a certain degree of intensity”,Footnote 129 it is doubtful whether this threshold can be met if hostilities consist only of cyber operations. As States have indicated, “in practice, the required threshold of intensity is unlikely to be reached by cyber operations alone”.Footnote 130 As a result, “activities such as a large-scale intrusion into foreign cyber systems, significant data theft, the blocking of internet services and the defacing of governmental channels or websites will usually not singularly and in themselves bring about a non-international armed conflict”.Footnote 131
With regard to non-State parties to an armed conflict, the ICRC has clarified that “[a]s with State parties to armed conflicts, non-State parties comprise both fighting forces and supportive segments of the civilian population, such as political and humanitarian wings”.Footnote 132 This differentiation is essential. For determining who forms part of a non-State party’s fighting forces, the ICRC has taken the view that the fighting forces consist of all persons who assume “a continuous function for the group involving [their] direct participation in hostilities”.Footnote 133
Applying this concept to people conducting cyber operations on behalf of a non-State party to an armed conflict, this means that individuals whose continuous function involves conducting cyber operations that amount to direct participation in hostilities (DPH) (see below section on “Hackers Directly Participating in Hostilities during Armed Conflict”) would not be protected against direct attack. In contrast, members of a group whose function consists only in political leadership or online recruitment, propaganda and public relations are civilians whose activities do not amount to DPH and who must not be directly attacked.
In NIAC, as stated above, captured hackers would not enjoy PoW status. While any detainee held in relation to a NIAC must be treated in accordance with IHL, there is no rule of IHL that would bar a party to a NIAC from prosecuting alleged crimes committed by an adversary.Footnote 134 Applied to persons involved in cyber operations, this means that if captured by a State or a non-State party to NIAC, such individuals may be prosecuted for alleged crimes under the law enforced by the detaining party even if their operations otherwise respected IHL.Footnote 135 In other words, hackers participating on either side of the conflict could be prosecuted similarly to cyber criminals.
To sum up, when taking part in cyber operations in relation to NIACs, no hacker – State or non-State, member of the armed forces of a party to the conflict or not – will enjoy PoW status or immunity from prosecution by their adversary. Moreover, those who are members of armed forces of a State or non-State party to the conflict are not covered by the protection from attack provided by IHL. In contrast, any hacker who is not a member of such armed forces is a civilian and is therefore entitled to protection against direct attack unless and for such time as they take direct part in hostilities.Footnote 136
Hackers directly participating in hostilities during armed conflict
In international and non-international armed conflicts, civilians are protected against attack unless and for such time as they directly participate in hostilities.Footnote 137 In practice, this means that if a civilian hacker conducts a cyber operation in the context of an armed conflict and that operation amounts to DPH, the civilian hacker may be attacked, during that time, provided all other rules of IHL are respected. Moreover, the computers and digital infrastructure that they use risk becoming military objectives, meaning that they too face a real risk of attack.Footnote 138 Hackers themselves have recognized this risk: “If hackers solicit recognition as paramilitary factions then hacking in general will be seen as an act of war. Ergo, hackers will be viewed as legitimate targets of warring states.”Footnote 139
To qualify as an act of DPH under IHL, a civilian hacker’s operation has to meet three cumulative criteria.Footnote 140 First, the “act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack” (threshold of harm).Footnote 141 Second, there must be “a direct causal link between the harm likely to result either from that act, or from a coordinated military operation of which that act constitutes an integral part” (direct causation).Footnote 142 And third, the “act must be specifically designed to directly cause the required threshold of harm in support of a party to the conflict and to the detriment of another” (belligerent nexus).Footnote 143
With regard to the first element, the threshold of harm, operations that adversely affect the military operations or military capacity of a belligerent, on the one hand, and operations that harm civilian persons or objects, on the other, must be considered differently. Regarding operations directed against military objectives, the threshold of harm is understood to be reached if the reasonably foreseeable effects of a civilian hacker’s conduct would adversely affect the military operations or military capacity of a party to an armed conflict. The ICRC’s Interpretive Guidance on the Notion of Direct Participation in Hostilities (ICRC Interpretive Guidance), which was developed based on expert consultations, clarifies with regard to cyber operations that “[e]lectronic interference with military computer networks could … suffice, whether through computer network attacks or computer network exploitation, as well as wiretapping the adversary’s high command or transmitting tactical targeting information for an attack”.Footnote 144 Such operations do not need to qualify as “attacks” under IHL to cause harm for the purposes of DPH.Footnote 145 As this threshold is rather low and may mean that civilian hackers can easily be perceived to be directly participating in hostilities, experts have questioned
whether further clarification may be needed on the type and effect of the digital activities that could be considered as “adversely affecting the military operations or military capacity of a party to the conflict” for the purpose of the analysis of whether a civilian might be losing their protection against attack.Footnote 146
There is wide agreement, however, that the defacement of the website of, for example, a ministry of defence would be unlikely to “adversely affect military operations or military capacity”, and would thus not cause the requisite level of harm.Footnote 147
In contrast, if the target of the cyber operation is civilian in nature, such as civilian infrastructure, government services or businesses, a cyber operation would only reach the requisite threshold of harm if it may be reasonably expected to cause death, injury or destruction. In this respect, the ICRC Interpretive Guidance notes that the “most uncontroversial examples of acts that can qualify as direct participation in hostilities even in the absence of military harm are attacks directed against civilians and civilian objects”, meaning “acts of violence” against civilians or civilian objects.Footnote 148 If this view is taken, and as seen below, some of the cyber operations conducted by civilian hackers may amount to attacks as defined in IHL and may therefore be likely to cause the level of harm required for amounting to DPH.
At the same time, the ICRC Interpretive Guidance specifies with respect to certain civilian conduct targeting civilian objects, such as “the interruption of electricity, water, or food supplies” or “the manipulation of computer networks”, that such activities may be prohibited under IHL. However, “they would not, in the absence of adverse military effects, cause the kind and degree of harm required to qualify as direct participation in hostilities”.Footnote 149 Against this background, many DDoS and other operations commonly conducted by hacker groups, in particular those that do not amount to attacks under IHL, might violate IHL but will be unlikely to meet the threshold of harm for determining whether the author directly participates in hostilities.Footnote 150
While this differentiation between operations that “adversely affect military operations or military capacity” and those that harm civilians may seem surprising, this elevated threshold of harm reflects the fact that what is required is DPH of a military nature that justifies using direct force against a civilian. Not every cyber operation committed by a civilian, including operations that violate IHL, meets this threshold. Importantly, this means that the civilians carrying out these operations cannot be attacked; however, a State targeted by civilian hackers may still prosecute civilians that violate its national law and intern them if there are imperative reasons of security to do so, and all parties to armed conflict must suppress and possibly prosecute acts that violate IHL.Footnote 151
Regarding the direct causation element, two scenarios should be considered. In the first scenario, a lone civilian hacker could cause a level of harm as discussed above, for instance by hacking into an industrial control system and causing material damage. In that case, the direct causation element would be met. This, however, is not the most common scenario. Cyber operations may require several experts working together to, inter alia, identify vulnerabilities, understand the targeted systems, develop exploits and employ malware to cause a harmful effect. Likewise, in the context of DDoS operations, it may be the case that many actors work together to overwhelm the capacity of the targeted system. Taken on their own, these contributions may not cause the requisite level of harm, but the direct causation criterion can be met if the act of a civilian hacker “constitutes an integral part” of a “coordinated military operation”.Footnote 152 Thus, if several hackers join forces and each conducts part of a joint operation which, as a whole, reaches the requisite threshold of harm, the direct causation requirement would be met. What constitutes an integral part of a coordinated military operation, however, is to be understood narrowly – for instance, merely adding a device to a botnet for unspecified operations should not be considered as contributing to a specific coordinated military operation,Footnote 153 but adding computing power to a specific DDoS operation against a military objective could be. Likewise, if a civilian develops digital tools for a party to the conflict (comparable to a civilian working in weapon manufacturing), or supports it by recruiting or training cyber operators, this kind of act may not be considered as directly causing harm unless the activity is “carried out as an integral part of a specific military operation”. The latter could be the case, however, if a person develops malware for a party to an armed conflict in order to exploit a specific vulnerability in an adversary’s IT system.Footnote 154
Finally, the act of a civilian hacker needs to have a “belligerent nexus”. Under IHL, this belligerent nexus is different from a general nexus that links an act to an armed conflict, which has been discussed above.Footnote 155 The belligerent nexus requires that an act is “so closely related to the hostilities conducted between parties to an armed conflict that [it constitutes] an integral part of those hostilities”.Footnote 156 Further, the act must be conducted “in support of a party to the conflict and to the detriment of another”. Thus, acts such as providing tactical targeting information or disrupting military communications – acts which harm the military activities of one belligerent in support of the military operations of another – clearly have this belligerent nexus.Footnote 157
In light of this criterion, certain cyber operations by civilian hackers will not qualify as DPH, even if they directly cause harm, because they do not have a belligerent nexus. This would be the case, for instance, for any form of cyber crime that is conducted in a country affected by conflict but without a link to the conflict, meaning purely for the benefit of the criminals and not aimed at supporting one belligerent against another.Footnote 158 Likewise, hacktivist activities conducted by groups against a belligerent as a form of protest but not in support of another belligerent will not meet this threshold. For example, if a group of hacktivists in State A manipulates or disrupts military communication systems or equipment to protest against State A’s military conduct in an armed conflict against State B, but does so for political purposes, as a form of “civil unrest”, and not to support State B, such hacktivism would not show a belligerent nexus.Footnote 159
The question of when a belligerent nexus exists is, however, more challenging to establish with respect to cyber operations directed against civilian objects. Consider, for example, a situation in which civilian hackers based in country A carry out operations to damage or destroy the ICT systems of a private civilian company, such as a bank, in State B at a time when States A and B are involved in an IAC against each other, and these hackers do so with the stated objective of harming State B economically. With respect to this example, it should be recalled that experts have understood the notion of belligerent nexus for the purpose of DPH “more narrowly than the general nexus requirement developed in the jurisprudence [of international criminal tribunals]”.Footnote 160 Thus, an act by a civilian that has a nexus to an armed conflict must comply with IHL (which is not the case in the above example of civilian hackers attacking private civilian companies); however, having a nexus to the conflict does not automatically mean that such acts also have a sufficient belligerent nexus to qualify as DPH. As the group of experts that took part in ICRC-convened discussions on the notion of DPH emphasized “practically unanimously” with respect to “inter-civilian violence”,
in order to qualify as direct participation in hostilities, inter-civilian violence must have a sufficient nexus to military operations or hostilities occurring in relation to a situation of armed conflict. In the words of individual experts, inter-civilian violence had to be “specifically related” or “linked” to military operations, “connected to violence used by combatants”, have a “nexus to the hostilities”, occur “in furtherance of specific hostilities”, [or] be “linked” or “related to” or “part of” already existing hostilities. Thus, while inter-civilian violence occurring generally “on behalf of” a party to the conflict or in support of its political goals was not per se regarded as sufficient, there seemed to be unanimous agreement that inter-civilian violence carried out “specifically in support of the military operations of a party to the conflict” would constitute direct participation in hostilities.Footnote 161
Against this background, certain acts of civilian hackers, such as those with no impact on, or link to, the actual hostilities or military operations (even if having a general nexus to the armed conflict), may not show a belligerent nexus qualifying such acts as DPH, and may rather be regarded as “inter-civilian violence” that is not part of the hostilities. In contrast, where civilian hackers are used by parties to an armed conflict to conduct harmful cyber operations against civilian objects under the control of the adversary as part of a larger military campaign or strategy, this would potentially meet the belligerent nexus threshold. Likewise, where a cyber operation by civilian hackers is “motivated by the same political disputes or ethnic hatred that underlie the surrounding armed conflict and where it causes harm of a specifically military nature”, the nexus would most likely exist.
To sum up, the three criteria that define DPH set out a rather high threshold for a civilian to lose their protection against attack, not least because they must be met cumulatively. This means, for example, that acts of cyber crime which directly cause harm and are conducted in a country affected by conflict but without a link to the conflict would not qualify as DPH.Footnote 162 Similarly, other civilian cyber operations that disable civilian services but are not specifically designed in support of one belligerent and to the detriment of another do not amount to DPH. Likewise, the development of tools and the provision of services that provide support to a party to armed conflict but not to a specific operation may contribute to harm and support one belligerent against another but would not be sufficiently linked to the harm to satisfy the direct causation criterion.
Nonetheless, other cyber operations can be regarded as DPH, meaning that the risk of harm to civilian hackers in response to such operations is real and may be lawful under IHL. For instance, if a civilian hacker based in the capital of one warring party aims to support their country by disrupting the military communication systems of the other party’s armed forces and thereby adversely affecting the latter’s military operations, or is providing an integral part of a collective operation that is causing such an effect, the person would be considered to be directly participating in hostilities. In that case, IHL would no longer prohibit attacking that person for such time as they are participating in the operation provided that other rules of IHL are respected. As kinetic attacks against civilian hackers may have far-reaching consequences not only for the hackers but also for civilians and civilian objects in their vicinity, the ICRC has cautioned that
belligerents should consider carefully whether responding to such acts by kinetic force is actually necessary to achieve a legitimate military purpose or whether other, less destructive (for example, cyber or electro-magnetic) means can be used to achieve their objective.Footnote 163
States’ obligations to prevent and stop civilian hackers from violating IHL
Hackers do not live in cyberspace – they live and operate under the jurisdiction of States. Depending on the relationship between a State and a civilian hacker or group, different legal responsibilities arise. As a general norm of “responsible State behaviour”, all States have pledged to not “knowingly allow their territory to be used for internationally wrongful acts using ICTs”, meaning that they “should seek to ensure that their territory is not used by non-State actors to commit [internationally wrongful] acts”.Footnote 164 While formulated as a policy commitment, this norm reflects States’ “due diligence” obligation under international law, including in respect of civilian hackers operating from their territory.Footnote 165 Thus, a State that aims to comply with its international legal obligations must not ignore, condone or support people on its territory conducting cyber operations in violation of international law, even if directed against an adversary. In addition to this general rule, two questions merit particular examination. First, under which circumstances is the conduct of civilian hackers attributable to the State, meaning that the State is legally responsible for their conduct? And second, what does States’ specific undertaking to ensure respect for IHL in all circumstances require with respect to civilian hackers operating from their territory?
The attribution of cyber operations by civilian hackers to a State
Even if civilian hackers or members of seemingly private IT or cyber armies might not be considered combatants under IHL, a State may nonetheless be legally responsible for wrongful acts that they commit. In other words, there can be cases in which civilian hackers do not qualify as members of a State’s armed forces and do not enjoy the privileges associated with that status, but the State is nonetheless legally responsible for their conduct.
Under international law, States are, in principle, not responsible for the conduct of private persons or entities. This rule, however, has certain exceptions.Footnote 166 For our purposes, the most notable of these exceptions is that a State is legally responsible for the conduct of civilian hackers if a “person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct”.Footnote 167
The question of how to interpret the notion of “direction or control” under public international law has been the subject of long-standing debates.Footnote 168 Without going into detail, the two main views on the notion may be summarized as follows. On the one hand, the International Court of Justice (ICJ) has held that for the purposes of determining the responsibility of a State for internationally wrongful acts committed by a non-State actor, the State must exercise “effective control” over that conduct. In the Court’s view, this requires that the State not only financed or equipped the non-State actor but “had effective control of the military or paramilitary operations in the course of which the alleged violations were committed”.Footnote 169 Applied to the case of civilian hackers, under the effective control standard, a State would be responsible for wrongful acts if it had effective control over the specific cyber operation in the course of which a wrongful conduct occurred. In other words, the State would not only have to assist the civilian hackers financially, organizationally, with logistics such as tools, or even with the selection of targets, but would have to exercise such control that it effectively “directed or enforced” the perpetration of possible IHL violations.Footnote 170 This standard would likely be met, for instance, if a State contracted and directed an IT company to develop and carry out a specific cyber operation in violation of IHL.Footnote 171
On the other hand, the ICTY, followed by the ICC and the ICRC, has held that with regard to organized armed groups, a State is legally responsible for such a group’s conduct if it “wields overall control over the group, not only by equipping and financing the group, but also by coordinating or helping in the general planning of its military activity”.Footnote 172 As the ICRC has explained, the conduct of a non-State armed group can be attributed to a State if that group is “subordinate to the State even if there are no specific instructions given for every act of belligerency”.Footnote 173 The focus is thus not on control over a specific operation but on control exercised over the group. Importantly, this test was developed, and is commonly used, only with respect to groups that have a degree of internal organization sufficient to qualify them as a party to an armed conflict, which requires the ability of the group’s leadership to impose rules and discipline Footnote 174 (see the discussion on “responsible command” in the above section on “Combatant Status and the Question of Who May Be Lawfully Targeted under IHL”). Under the “overall control” standard, a State would thus be legally responsible for the acts of an organized hacker group if it has “a role in organising, coordinating or planning” the group’s cyber operations, “in addition to financing, training and equipping or providing operational support”.Footnote 175 Compared to the effective control standard, it would not be necessary for the State to direct or enforce every single cyber operation in which a wrongful act may be committed.
Alternatively, a State would also be responsible if, in the commission of a wrongful act, such individuals or groups were acting on the instructions of that State. As the ICJ has held, wrongful conduct of a group of private people would be imputable to a State if “on the occasion in question the militants acted on behalf of the State, having been charged by some competent organ of the … State to carry out a specific operation”.Footnote 176 In such cases, it is not sufficient that a State expresses general support for the group’s operations or stirs “general resentment” against those targeted; instead, there would need to be “an authorization from the State to undertake the specific operation”.Footnote 177 In other words, it would be “necessary to ascertain whether specific instructions concerning the commission of that particular act had been issued by that State to the individual or group in question”.Footnote 178 This would be the case, for example, if
State organs [were to] supplement their own action by recruiting or instigating private persons or groups who act as “auxiliaries” while remaining outside the official structure of the State. These include, for example, individuals or groups of private individuals who, though not specifically commissioned by the State and not forming part of its police or armed forces, are employed as auxiliaries or are sent as “volunteers” to neighbouring countries, or who are instructed to carry out particular missions abroad.Footnote 179
Accordingly, it appears that the “instruction” standard is only met if a State authorizes, charges or instigates individuals or groups to carry out a cyber operation, meaning that for the purpose of such an operation, these individuals are used to help or support the State. The ICJ has further clarified that a State’s instructions would have to be given “in respect of each operation in which the alleged violations occurred, not generally in respect of the overall actions taken by the persons or groups of persons having committed the violations”.Footnote 180 In the cyber context, one scenario provided by experts to explain this standard is “the case of unanticipated massive cyber operations directed against a State” that has “no standing cyber defence organisations”. If in that case “the State instigates private individuals and groups to act as volunteers to help respond to the crisis”, the experts concluded that “during the incident they are acting as an auxiliary of the State in responding to the crisis” and are “an instrument of the State and acting on its behalf”, and the instruction threshold has been met.Footnote 181
Whether an ICT professional, a hacker or a group of hackers acts under a State’s instructions, direction or control necessarily requires a case-by-case assessment. As seen in the above analysis, international law sets out different “tests” for establishing the responsibility of a State for the conduct of a person or group of persons. Concretely, if a State provides civilian hackers with resources – such as malware or other tools, or funding – and is directing specific operations carried out by the group, the State will be considered to be exercising effective control over the group and will be legally responsible for possible wrongful acts committed by the hackers in the course of that operation.
Neither the effective control standard nor the overall control standard would be met, however, if State agents were to encourage or support the creation of loosely organized groups of individuals who meet in online fora or coordinate cyber operations through messaging apps. Likewise, shared political objectives between a State and civilian hackers, a State expressing general support for civilian hackers conducting cyber operations against an adversary, a State providing civilian hackers with malware or other tools for use at their discretion, or the State generally encouraging the work of civilian hackers would not make the State legally responsible for the acts of the civilian hackers.Footnote 182 In contrast, a State is legally responsible for the conduct of civilian hackers if those hackers operate on the specific instructions of State organs. Thus, if a State’s armed forces or intelligence services instruct – meaning instigate, order or direct – volunteer hackers to conduct DDoS operations against a specific set of targets, such instructions would likely make the State legally responsible for harm caused in violation of international law.
States’ obligation to ensure respect for IHL
If the conduct of civilian hackers cannot be attributed to a State, it is nonetheless the responsibility of States to ensure that civilian hackers under their authority do not violate IHL. States have undertaken to respect and to ensure respect for IHL in all circumstances.Footnote 183 This means, first and foremost, that States must not violate IHL through their armed forces, other State agents, or persons operating under their instruction, direction or control. Moreover, States have the obligation to ensure – and a key role to play in ensuring – respect for IHL by civilian hackers over which they exercise authority. This obligation has a negative and a positive dimension.
Under the negative dimension, among other things, States must not encourage civilian hackers to act in violation of IHL.Footnote 184 Thus, State agents are prohibited from, for instance, encouraging civilian hackers to direct cyber operations against civilian objects. Likewise, providing information or tools for use in operations against civilian targets, or that otherwise violate IHL, would similarly amount to unlawful encouragement.Footnote 185
Under the positive dimension, States have an obligation to exercise due diligence to prevent and repress breaches of IHL by the civilian population “over which they exercise authority, i.e. also to private persons whose conduct is not attributable to the State”.Footnote 186 States’ obligation to ensure respect for IHL by private persons – such as civilian hackers or hacker groups – under their authority has been described as one of means and not of result. In other words, while a State cannot be expected to prevent all IHL violations committed by civilian hackers, it must take feasible measures to prevent or repress them. The precise measures that a State may be required to take depend “on the specific circumstances, in particular the foreseeability of the violations and the State’s knowledge thereof, the gravity of the breach, the means reasonably available to the State and the degree of influence it exercises over the private persons”.Footnote 187
In practice, such due diligence measures to ensure respect for IHL can take different forms. For instance, as a matter of policy and for a variety of reasons, States may call upon hackers on their territory to refrain from conducting cyber operations against a military adversary. In 2003, the US National Infrastructure Protection Center worried about “script kiddies” and “patriotic hackers”, recalling that “such activity is illegal and punishable as a felony” under domestic law and stating that “[t]he US Government does not condone so-called ‘patriotic hacking’ on its behalf”.Footnote 188 More recently, some States have reportedly warned their citizens against conducting cyber operations in the context of the IAC between the Russian Federation and Ukraine.Footnote 189 If this is not done, to prevent IHL violations by individuals or groups that have rarely heard of IHL, authorities must inform civilian hackers and IT or cyber armies of relevant IHL rules and demand that they respect those rules. Drawing on the practice of States and humanitarian organizations, concrete measures to disseminate IHL could include clear statements by political and military leaders on the requirement for everyone to respect IHL, providing IHL-compliant model codes of conduct that such groups should follow,Footnote 190 or developing educational videos or apps educating such actors about the laws of war.Footnote 191 This would also align with States’ obligation to “disseminate the [Geneva] Conventions and [Additional Protocols] as widely as possible in their respective countries” and “encourage the teaching of international humanitarian law to the civilian population”.Footnote 192 In light of the latter, States should also consider supporting dissemination of IHL in “engineering schools to make future operators aware of the specific rules applicable when conducting digital operations during armed conflict and the associated risks”.Footnote 193
In addition, States have an obligation to suppress breaches of the Geneva Conventions and, if applicable, AP I – irrespective of whether they are committed by members of the armed forces or private actors.Footnote 194 In particular in the event of “grave breaches” (i.e., war crimes), this requires providing “effective penal sanctions” in national law, searching for alleged perpetrators, and either bringing such persons before the State’s own courts or handing such persons to another State.Footnote 195 For the suppression of other violations of IHL, States may take different measures depending on the gravity and circumstances of the acts. This can include penal sanctions, administrative sanctions, the adoption of new laws or regulations, or renewed efforts to disseminate the rules of IHL.Footnote 196 In light of this obligation, the adoption of laws that would permit civilian hackers to conduct cyber operations during armed conflict as long as these operations were in the interest of a State would be problematic unless such laws would also mandate respect for IHL. Likewise, a policy of national authorities turning a blind eye to cyber operations that violate not only national law but also IHL – as long as such acts are committed against an adversary of the State – is not permissible under IHL.
Conclusion
In 1999, a coalition of hacktivist groups issued a joint declaration “asking hackers to reject all actions that seek to damage the information infrastructure of any country”. They called on hacktivists not to “support any acts of ‘cyberwar’” in order to “keep the networks of communication alive. They are the nervous system for human progress.”Footnote 197
Twenty-six years later, the ICT environment has changed. The involvement of civilian hackers in armed conflicts has reached new dimensions. This is particularly concerning because ICT connectivity and services have today become an integral part of many societies; they are essential for economies and have attained significant importance in the lives of many civilians. Civilian hackers have targeted – and disrupted – many civilian websites, services and infrastructures. While twenty-six years ago some (mis)perceived cyberspace as a “wild west” or “lawless space”, today it is universally accepted that international law is applicable in the ICT environment, which includes IHL.
As this article shows, for civilian hackers conducting operations in the context of armed conflict, this means at least three things. Firstly, any hacker conducting cyber operations in the context of and associated with an armed conflict must respect the applicable rules of IHL. The view that cyber operations commonly conducted by non-State actors during armed conflict, such as DDoS or ransomware operations, are merely irritations or inconveniences (despite them being criminalized in most States that have cyber crime laws) and are thus insignificant under IHL is not convincing. Even if the view is followed that many of the operations conducted by civilian hackers may not cause effects that would qualify them as attacks under IHL and are thus not subject to the entire spectrum of IHL rules on the conduct of hostilities, IHL does impose limits on such operations – it does not provide carte blanche to direct such operations against civilian companies, civilian government services or civilian infrastructure. This is a fortiori the case if cyber operations are directed against specifically protected objects or operations, in particular medical or humanitarian ones. Knowing and respecting IHL should be of particular interest to hacktivists not only for moral or political reasons, but also because international experts, prosecutors and States might increasingly focus on the prosecution of “cyber war crimes”, which is another term for grave breaches of IHL committed via cyber means.
Secondly, civilian hackers who conduct cyber operations in the context of an armed conflict – whether alone or as part of a group – will rarely qualify as combatants or PoWs. This means, first and foremost, that if captured by an adversary, they face prosecution of their operations under the national criminal law of the State. They do not enjoy the same legal privileges that members of State armed forces enjoy for those operations that are lawful under IHL.
Thirdly, civilian hackers face a risk of being attacked. This may affect not only themselves or the machines they use but also other civilians around them as well as machines in the same network. While most hackers are, in principle, civilians under IHL and are thus protected against attacks directed against them, they lose this protection if their operation amounts to DPH. The risk of cyber operations reaching the DPH threshold is particularly acute if a civilian hacker conducts – or provides an integral part of – cyber operations against military forces.
Importantly, civilian hackers do not live in cyberspace – they live and operate under the jurisdiction of States, which are also responsible for ensuring respect for IHL. Depending on the relationship between a State and a civilian hacker or group, this entails different legal responsibilities. Most importantly, States are directly responsible for the conduct of those individuals or groups that operate under their instruction, direction and control. In addition, even if civilian hackers operate independently, States must not encourage, aid or assist operations in violation of IHL, and they must take measures to ensure that hackers respect IHL, especially when operating on their territory. Such measures should include clear statements requiring respect for IHL from anyone fighting on behalf of the State in question, and a legal and policy framework designed to suppress IHL violations and to prosecute war crimes, whether committed through “traditional” or cyber operations.
In 1999, hacktivists feared that if civilian hackers took it upon themselves to conduct cyber operations against those whom they see as enemies, this would be “one door that will be very hard to close if we allow it to be opened”.Footnote 198 Today, unfortunately, this door appears to have been opened. In the interest of the shared objective of States to maintain peace and stability and of promoting an open, secure, stable, accessible and peaceful ICT environment, this development should be reversed. Until this is achieved, however, it is essential to recall that even wars have limits, and that these must be respected by every person taking part in them – be they soldiers, rebels or hackers.