Wartime muddies waters for 'hacktivist' threat

Daniel Lincoln / Unsplash

The rise of hacktivism in a world mired in two significant wars blurs the lines between military and citizen combatants, and although one humanitarian organization has proposed rules that hacktivists should follow to minimize civilian damage, holding them accountable won't be easy.

Alongside nation-states, "hacktivists" are emerging as prominent cyber threat actors as the world copes with active wars in Ukraine and the Middle East. Hacktivists are ostensibly civilians or groups unaffiliated with governments motivated to engage in malicious cyber activity on behalf of ideological or political causes.

According to Check Point, hacktivism was a major factor fueling an 8% rise in cyberattacks from mid-2022 to mid-2023. Most organizations targeted by hacktivists tend to be government entities, although recent targets include several civilian organizations, such as industrial systems, internet providers, banks and newspapers.

So far, the hacktivists in the world's war zones, motivated mainly by attention, have opted for less destructive options such as distributed denial-of-service (DDoS) attacks, website defacements and, in some cases, data theft. However, experts warn that because some nation-states use these groups as proxies, ramped-up actions by hacktivists could provide cover for more damaging activities by adversarial countries such as Russia, China, Iran and others down the road.

Holding hacktivists accountable for their actions could be just as challenging, if not more so, than doing the same for nation-state adversaries responsible for more harmful cyber efforts. "Rules and laws without actual enforcement show that laws are worthless without accountability," Jeremiah Fowler, security researcher and co-founder of Security Discovery, told README.

Blurred lines between civilians and nation-states

Although the term "hacktivist" conveys the idea that the groups undertaking cyber actions are ordinary civilian activists motivated to advance their causes, in practice, many nation-states either direct the activities of these groups or tacitly condone them. For example, one of the earliest and most prominent hacktivist groups associated with the Ukraine war, the IT Army of Ukraine, was reportedly supported and directed by President Volodymyr Zelenskyy's government at the outset.

The Killnet hacktivist group has been active in launching various DDoS and misinformation campaigns since the outbreak of war in Ukraine and is now engaged in cyberattacks against the Israeli government during the Israel-Hamas war. It is widely believed to be a tool of the Kremlin. Like Killnet, the hacktivist group Anonymous Sudan, which is not affiliated with the granddaddy of hacktivist groups Anonymous, is also believed to be an arm of the Russian government and has been active on the Ukraine and Hamas war fronts.

The imprecise lines between nation-states and civilian groups make the already complex situations surrounding wartime digital aggression even more challenging to parse, particularly when it comes to protecting civilians. "What we see is a blurring of the lines between civilians and military civilians and weapon bearers, and blurring this line will make it difficult to ensure protection of those who need to be protected as civilians in situations of armed conflict," International Committee of the Red Cross (ICRC) President Mirjana Spoljaric Egger said during an event that unveiled the group's recent report, Protecting Civilians Against Digital Threats During Armed Conflict.

Ilya Chunin / Unsplash

Perhaps most concerning are the potentially further confusing situations generated by bona fide believers who typically launch emotionally motivated cyberattacks without fully considering the ramifications. "The thing about hacktivism is anyone with an internet connection anywhere in the world can jump on the bandwagon for any causes they support," Fowler said.

Rules of the road for hacktivists

To help guide the rise of hacktivism during wartime, the ICRC developed a set of eight rules for civilian hackers during war and four obligations for states to restrain them. The ICRC calls the actions of civilian hackers worrying for three reasons: they cause harm to civilian populations, either directly or incidentally; they risk exposing themselves and people close to them to military operations; and the more they take an active part in warfare, the more the line blurs between civilians and combatants.

Noting that civilian hackers must respect the laws of the countries where they reside, the ICRC says if they choose to disobey those laws, international humanitarian law (IHL) contains hundreds of rules that aim to safeguard civilians. The most egregious violations of these rules may be prosecuted nationally or internationally. "What we are particularly concerned with as a humanitarian organization is how cyber operations disable civilian governance systems, how they disable civilian infrastructure and disrupt the provision of critical services," Spoljaric Egger said.

Whittling down to the basics, the ICRC spelled out eight rules for hacktivists to avoid criminal prosecution. They are:

1. Do not direct cyberattacks against civilian objects.
2. Do not use malware or other tools or techniques that spread automatically and indiscriminately damage military objectives and civilian objects.
3. When planning a cyberattack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians.
4. Do not conduct any cyber operations against medical and humanitarian facilities.
5. Do not conduct any cyberattack against objects indispensable to the population's survival or that can release dangerous forces.
6. Do not make threats of violence to spread terror among the civilian population.
7. Do not incite violations of international humanitarian law.
8. Comply with these rules even if the enemy does not.

Regarding what states can do to ensure civilian hackers respect IHL, the ICRC advocates, first and foremost, the adoption and enforcement of national laws that regulate civilian hacking. In times of armed conflict, the ICRC says these legal commitments should mean:

1. If civilian hackers act under a State's instruction, direction, or control, that state is internationally legally responsible for any conduct of those individuals that is inconsistent with the state's international legal obligations, including international humanitarian law.
2. States must not encourage civilians or groups to act in violation of international humanitarian law.
3. States have a due diligence obligation to prevent international humanitarian law violations by civilian hackers on their territory.
4. States have an obligation to prosecute war crimes and take measures necessary to suppress other IHL violations.

The ICRC's Spoljaric Egger said that "governments pay a lot of attention to cybersecurity, but they pay much less attention to whether this is compliant with international humanitarian law. We need to make sure that this is operationalized into the different national legislatures and rules and regulations and concepts of operations."

Tech companies should also have obligations to limit the negative impact of hacktivist attacks on civilians, Gulshan Rai, former national cybersecurity coordinator of the Prime Minister of India and ICRC board member, said during the Red Cross event. "The responsibility is on the tech company more because, ultimately, the entire thing is moving from the public space to the private sector," he said. "They have to come forward."

Countries that remain silent about the non-state civilian hacktivists within their borders should also take action, Marcus Willett, Senior Adviser for Cyber at the International Institute for Strategic Studies and ICRC board member, said at the ICRC event. "Irresponsible cyber operations, for example, ones that are uncontrolled and scattershot and therefore indiscriminate, could well cause harm amounting to the committing of a war crime by the belligerent state which runs them. But also, if such operations are run by non-state groups, it's important to emphasize that it is the responsibility of states to prevent such violations by non-state groups operating from their territory. If the hosting state is in a position to do something about it, they must not choose to turn a blind eye."

Will hacktivists take heed?

Whether hacktivists, particularly those unaffiliated with nation-states, will take these suggestions to heart is an open question. "Our board is not naive enough to think that many non-state activist groups, in particular cyber criminals, will feel beholden to international law," Willett said.

Regarding the eight rules, "While some of [the hacktivists] unsurprisingly dismissed them, others have indicated their willingness to respect them," Willett said. According to reports, at least two hacktivist groups with alleged ties to the Russian government, Killnet and Anonymous Sudan, have scoffed at the ICRC's rules.

Chris Painter, President of the Global Forum on Cyber Expertise, tells README that the rules the ICRC advocates for hacktivists are sound solutions to a complex problem. He notes that it is U.S. policy to tell companies not to hack back lest they inadvertently hit innocent parties. "But it's a challenging issue when hacktivists act on behalf of government or sometimes just act in sympathy for a government, but the government doesn't really have any command and control over them. It's like anything else. How do you punish a country?"

The accountability part, however, is "very hard," he adds. "I don't pretend to know the answers to those difficult questions."