There are rules in war. International humanitarian law regulates what combatants can and can’t do, with the goal of protecting civilians and limiting suffering.
Most of these laws were developed during the 19th and 20th centuries. But in our own century a new kind of battlefield has emerged: the domain of cyberattacks, digital campaigns and online information operations. All these have played a heightened role in Russia’s war in Ukraine and, increasingly, in the current Israel–Hamas conflict.
There is a persistent myth that cyberspace is a lawless wild west. This could not be further from the truth. There is a clear international consensus that existing laws of war apply online.
In the past month, we have seen three significant developments in this area. Rules for “civilian hackers” have begun to gain traction. A new international humanitarian report has recommended ways forward for governments, tech companies and others. And the International Criminal Court has for the first time signalled that it considers cyber warfare to fall within its jurisdiction.
Rules for hacktivists
On October 4 2023, two advisers to the International Committee of the Red Cross proposed a set of rules for “civilian hackers” during war. The proposals include things like “do not conduct any cyber operation against medical and humanitarian facilities” and “when planning a cyber attack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians”.
The authors were motivated by evidence of online attacks disrupting banks, companies, pharmacies, hospitals, railway networks and civilian government services.
Cyber, digital and information operations – used alongside “real-world” military operations – have risen into the mainstream during Russia’s war in Ukraine. Many operations are carried out by civilian groups not formally connected to the military.
Read more: Russia is using an onslaught of cyber attacks to undermine Ukraine's defence capabilities
These manoeuvres are not spectacular. However, as Jeremy Fleming (former head of GCHQ, United Kingdom’s electronic spy agency) put it:
it was never our understanding that a catastrophic cyberattack was central to Russia’s use of offensive cyber in their military doctrine. To think otherwise, misjudges how cyber has an effect in military campaigns. That’s not to say that we haven’t seen cyber in this conflict. We have – and lots of it.
After the proposed rules for civilian hackers were published, something extraordinary happened.
Two of the largest hacktivist groups actively engaged on opposite sides of the war in Ukraine are the Russian-affiliated Killnet and the Ukrainian IT Army. Spokespeople for both groups vowed to the BBC they would uphold the rules.
Digital threats during armed conflict
It is not just actors in Ukraine, and not just hacktivist groups, who must comply with the laws of war in cyberspace.
On October 18, the International Committee of the Red Cross published the final report of its global advisory board on digital threats during armed conflicts.
The report is the culmination of two years of work. The board comprises a diverse group of experts spanning the geopolitical spectrum, including the United States, Russia, China, South Africa, Mexico, India and Australia (including me).
We worked on “the international consensus that the established principles and rules of [international humanitarian law] apply to all forms of warfare and to all kinds of weapons, be they new or old, digital or physical”.
To safeguard civilians against digital threats, the report includes 25 action-oriented recommendations for belligerents, states, tech companies and humanitarian organisations.
Since 2013, negotiated agreements at the United Nations have recognised that existing international law applies to what states do in cyberspace.
In 2021, Russia, China, the US, Australia and every country in the United Nations went one step further, explicitly recognising the application of the laws of war to cyber operations.
The International Committee of the Red Cross – its mission being “to prevent suffering by promoting and strengthening humanitarian law and universal humanitarian principles” – has also affirmed this many times, including via the reports above.
The International Criminal Court weighs in
Of course, agreeing to the rules doesn’t prevent irresponsible actors from breaking them. And this is where the third significant development comes in.
In September 2023, Karim A.A. Khan, the prosecutor of the International Criminal Court, signalled the court would begin “collecting and reviewing” evidence of cyber warfare. It will also examine “misuse of the internet to amplify hate speech and disinformation, which may facilitate or even directly lead to the occurrence of atrocities”.
This is the first time the International Criminal Court has expressly indicated cyber warfare and misuse of the internet fall within its jurisdiction. This puts governments, militaries, tech companies and hacktivists on notice that they do not act with impunity in cyberspace.
As the war drags on in Ukraine and conflict escalates between Israel and Hamas (including increasing reports of hacktivism), all parties would do well to reflect that the rules of cyber warfare are clear.
Bombs or bytes, missiles or malware, international humanitarian law applies.