How can we address the accountability of civilian hackers and cyber mercenaries in modern conflicts? The rise of volunteer cyber participants in the Ukrainian conflict reveals significant gaps in the legal and ethical standards. This opinion piece argues that existing international laws are inadequate for managing the complex roles of these actors and calls for urgent reform. By examining the impact of civilian cyber operations on military and civilian targets, the article highlights the shortcomings of current legal frameworks. It draws parallels to past issues with private military contractors and emphasizes the need for updated guidelines to ensure accountability and oversight. Recommendations are made for states and international organizations to clarify legal standards and develop effective oversight mechanisms. The piece concludes with a call for immediate action to adapt international law to the evolving landscape of cyber warfare.
Evolving Cyber Warfare in the Russian-Ukrainian Conflict: Assessing Impact and Response
The Russian-Ukrainian conflict began in February 2014 with the Maidan Revolution and Russia’s annexation of Crimea, has evolved significantly over time. It intensified in April 2014 with the conflict in Donbass and reached a critical point with Russia’s full-scale invasion in February 2022.
The invasion has been marked by extensive cyberattacks, profoundly impacting both military and civilian spheres. According to a CyberPeace Institute study, nearly 2000 cyber incidents were recorded across 23 critical infrastructure sectors, affecting Ukraine, Russia, and 49 other countries. These attacks have disrupted essential services, such as telecommunications and utilities. Notably, the Viasat satellite network attack resulted in over two weeks of internet outages, while a malware wiper attack on February 25, 2022, significantly hampered refugee processing into Romania. Russian cyber operations have encompassed a range of tactics, including destructive attacks that delete data and damage systems, disruptive attacks like Distributed Denial of Service (DDoS) attacks, espionage, and disinformation campaigns. These operations not only disrupt civilian life but also complicate international security, highlighting the need for a robust response to cyber warfare and the protection of global infrastructure.
Voluntary Civilian Hackers in the Ukrainian Conflict: Evaluating their Impact and Legal Implications
Voluntary civilian hackers, also known as “hacktivists”, have significantly impacted the Ukrainian conflict through their cyber operations. Motivated by patriotism and ideology, these individuals have supported Ukraine’s defense against Russian aggression.
In response to the invasion, Ukraine’s Deputy Prime Minister, Mykhailo Fedorov, announced the formation of the IT Army on February 26,2022. This volunteer cyber force quickly expanded to over 300,000 members coordinated via Telegram, undertaking various cyber operations such as Distributed Denial of Service (DDoS) attacks on Russian targets, including Gazprom and major banks. The effectiveness of these attacks remains debated.
Notable figures in this space include Kristopher Kortright, known as “Voltage,” who leads an international team recognized for data theft and surveillance activities. Additionally, groups like Hack your Mom and InformNapalm, now part of the Ukrainian Cyber Alliance (operating through Facebook), have contributed by dismantling the Trigona ransomware gang, allegedly linked to the Russian government. Despite these efforts, the role of hacktivists introduces significant ethical and legal complexities, particularly when their actions impact civilian entities. The Ukrainian government is considering formalizing the IT Army’s status, following the precedents set by Finland and Estonia with their reserve cyber forces. This move highlights the growing role of voluntary civilian hackers in modern conflicts and underscores the need for robust legal frameworks to address the evolving challenges of cyber warfare.
Legal and Ethical Challenges of Civilian Cyber Vigilantism: Accountability and Oversight in Modern Conflicts
Voluntary civilian participation in cyber warfare presents significant ethical and legal issues, particularly concerning accountability, proportionality and compliance with international law. Unlike state actions, which are governed by established norms and prohibitions, the conduct of private individuals in cyberspace often escapes clear legal frameworks. This problem mirrors the challenges posed by private military contractors like Blackwater in Iraq, whose activities blurred the lines between lawful and unlawful conduct.
International law outlines principles for state behaviour in cyberspace, including UN norms of responsible state behaviour in cyberspace that prohibits attacks on critical infrastructure and emergency services. However, applying these laws to cyber operations and determining when they constitute acts of war, as defined in UN General Assembly Resolution 3314, remains uncertain. The resolution specifies criteria such as attacks by state armed forces, allowing territory for aggression, or sending mercenaries to attack another state. The challenge is defining whether the incidents cross the threshold of an attack and assessing the physical, financial, societal and environmental impacts.
The involvement of loosely affiliated actors in cyberattacks complicates their legal status under International Humanitarian Law. Civilians are protected from targets unless they directly participate in hostilities, whereas combatants, who are lawful targets, are afforded protections under the third Geneva Convention and Additional Protocol I. Hacktivist groups, which may engage directly in hostilities, raise questions about their status as legitimate targets or potential subjects of prosecution. The IT Army is in fact unlikely to be considered an organized armed group with regard to the combatant status, as its members do not belong to regular or irregular armed forces and it lacks official recognition, for the moment being, as part of the Ukrainian defence apparatus.
Civilians supporting hostilities may fit various categories: indirect supporters, direct participants in hostilities (DPH), or a leveé en masse – a term that could apply if they operated without formal command, though this status remains complicated by the decentralized nature of hacktivism. Current standards define participation based on the harm inflicted, intent and direct causation supporting one party’s military efforts to the detriment of another. It is thought that even cyber operations that do not reach the threshold of a traditional attack can still meet the DPH criteria if they disrupt enemy military operations. Hacktivists who engage in cyber activities could thus lose civilian protections if identified as directly participating in hostilities, considering that Russia has signalled a broad definition of DPH, particularly for mercenaries and foreign volunteers and those assisting Ukraine with weapon transport. Moreover, if these activities are state-endorsed, foreign hackers might be treated as mercenaries, risking criminal prosecution. This would apply also if they would not be recognised as combatants and prisoners of war status.
State Obligations and the Legal Status of Voluntary Cyber Hackers: Frameworks and Oversight in Modern Conflicts
The International Committee of the Red Cross has issued guidelines emphasizing the need to avoid targeting civilian infrastructure, minimizing collateral damage and adhering to international law irrespective of enemy conduct. Furthermore, the International Criminal Court is investigating cybercrimes that might violate the Rome Statute, highlighting the need for clear identification and guidance in this evolving domain. As broadly analysed by Herpig & Shah and others, states are not responsible for the actions of private individuals but are obligated to exercise due diligence in prosecuting cybercriminals. A voluntary cyber hacker is essentially a cybercriminal under international law. This framework underscores the necessity of establishing comprehensive legal standards and oversight mechanisms to address the challenges posed by private sectors in cyber warfare. Moreover, states may still be held accountable for cyber groups operating within their jurisdiction. Target states may allege a breach of due diligence if a state fails to prevent attacks originating within its borders, potentially inviting sanctions, diplomatic expulsions, internet blocks, or retaliatory cyber measures.
CONCLUSIONS
This opinion piece has explored the critical roles of civilian hackers, state, and non-state actors in the Ukrainian conflict, emphasizing their transformative impact on modern warfare. The discussion highlighted the pressing ethical and legal issues surrounding cyber warfare: to address these challenges effectively, we need to establish clearer international legal frameworks that specifically address the nuances of cyber operations. These frameworks should clearly define acceptable cyber conduct, set robust accountability measures, and provide guidance for ethical behavior among civilian hackers and other non-state actors. International cooperation is essential to develop and enforce these standards, facilitating joint strategies and responses. Such steps are crucial for safeguarding democratic processes and managing the evolving landscape of hybrid threats.
Thumbnail image: credits to @jefflssantos on Unsplash.
