The New Rules of Cyberengagement: The ICRC Issues "Rules of Engagement" For Hacktivists
On Wednesday the 4th of October, the International Committee of the Red Cross (ICRC) published 8 rules for “civilian hackers” during war along with 4 obligations for states to restrain them.
The rules seek to establish a framework for cyberattacks undertaken for ideological reasons (instead of economic ones). Their effectiveness is, however, dependent on the willingness of “hacktivists” to follow them. So far, the response from hacktivist groups has been varied.
The Rules In Brief
The ICRC’s rules can be summarised in one sentence.
"Do everything possible to minimise the risk to civilians even if your enemy does not."
The ICRC makes it very clear that its rules cover indirect risks (collateral damage) as well as direct attacks on civilian targets. It also explicitly prohibits using threats of violence to frighten a civilian population.
Significantly, the ICRC has also created 4 obligations for states that effectively place the activities of hacktivists in a framework similar to the one governing the activities of the regular military. The legal weight behind these obligations is based on the ‘due diligence’ obligation under international law.
The Background To The Rules
Hacktivism has been on the rise for at least a couple of decades. Not only are hacktivist attacks becoming more frequent, but they are also becoming more severe - and more dangerous to civilians.
Hacktivists have progressed from simply defacing governmental and military websites (DKD, 2003) to direct attacks on essential infrastructure (such as the Israeli railway network in September 2023). In between, the WannaCry attack of 2017 left the NHS crippled and could have resulted in widespread civilian fatalities.
Given this clear trend, it was, arguably, only a matter of time before a body such as the ICRC stepped in to try to impose some level of order on these activities. Recent geopolitical activity (especially the war in Ukraine) will have made this action even more pressing.
Their Likelihood Of Effectiveness
Like any set of rules, the 8 rules of engagement for hacktivists are only going to be effective if they are either followed voluntarily or enforced by a competent authority. Current indications suggest that getting voluntary compliance may be very difficult.
For example, the IT Army of Ukraine merely said that it would "make best efforts to follow the rules". Other groups such as Killnet and the Anonymous collective have been openly dismissive of them.
It looks, therefore, like the practical relevance of these rules will depend very much on how seriously governments take their four obligations to enforce them.
The Lesson For Businesses
In the modern world, no business should ever assume that cybercriminals will overlook them. No business is too big or too small to be a potential target. That’s why all businesses must implement robust cybersecurity. Contact us to find out how TMB can help you protect your business and everyone associated with it.