Red Cross issues rules of engagement for hacktivists

In the wake of the surge in people joining patriotic cyber gangs, especially since Ukraine-Russia conflict, the International Committee of the Red Cross (ICRC) has issued eight rules of engagement for hacktivists who are involved in armed conflicts.

The eight rules are as follows:

1. Do not direct cyber-attacks against civilian objects
2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately
3. When planning a cyber-attack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians
4. Do not conduct any cyber-operation against medical and humanitarian facilities
5. Do not conduct any cyber-attack against objects indispensable to the survival of the population or that can release dangerous forces
6. Do not make threats of violence to spread terror among the civilian population
7. Do not incite violations of international humanitarian law
8. Comply with these rules even if the enemy does not

Further, ICRC has warned hacktivist groups that their actions can endanger lives.

ICRC legal adviser Dr Tilman Rodenhäuser stated, ‘Some experts consider civilian hacking activity as ‘cyber-vigilantism’ and argue that their operations are technically not sophisticated and unlikely to cause significant effects.’

‘However, some of the groups we’re seeing on both sides are large and these ‘armies’ have disrupted… banks, companies, pharmacies, hospitals, railway networks and civilian government services.’

Several hacking groups have expressed reservations about following these rules. A spokesperson from Killnet has stated, ‘Why should I listen to the Red Cross?’ Anonymous Sudan has stated, ‘Adhering to the rules can place one party at a disadvantage,’ and that the new rules were ‘not viable and that breaking them for the group’s cause is unavoidable’. They also stated that the group ‘always operated based on several principles, including rules cited by the ICRC’, but had now lost faith in the organisation and would not follow its new rules.

Why does it matter? The rules themselves are extracted from international humanitarian law (IHL), which protects civilians and soldiers who are no longer able to fight, in armed conflicts. The ICRC underlined that any actors in cyberspace must be aware of these 8 rules and respect them as a minimum. However, the application of IHL in cyberspace is still a point of contention, as seen in the negotiations within the UN Open-Ended Working Group (OEWG) on security of and in the use of information and communications technologies 2021–2025.