International Committee of the Red Cross rules of engagement for civilian hackers
2023 rules for cyber-war conflicts
On 4 October 2023 the International Committee of the Red Cross published rules of engagement for civilian hackers involved in conflicts.[1][2] The rules had been described as a "Geneva Code of cyber-war".[3]
Background
Since 2013 there has been a rise in hacking associated with conflicts, such as the Syrian civil war, which led to attacks on Western media.[1][2] This has significantly accelerated after the Russian invasion of Ukraine.[1][2]
Rules
The rules are:
- Do not attack civilian targets.[1][2]
- Do not use malware or other tools or techniques that spread automatically and attack military and civilian targets indiscriminately.[1][2]
- When planning a cyber-attack against a military target, do everything possible to avoid or minimise any impact on civilians.[1][2]
- Do not conduct any cyber-attack against medical and humanitarian facilities.[1][2]
- Do not conduct any cyber-attack against anything essential to the survival of the population or that can release dangerous forces.[1][2]
- Do not threaten violence to spread terror among civilians.[1][2]
- Do not incite violations of international humanitarian law.[1][2]
- Comply with these rules even if the enemy doesn't.[1][2]
The ICRC has also asked governments to restrain hackers and enforce existing laws against cybercrime.[1][2]
Responses
The IT Army of Ukraine has said they will "make best efforts to follow the rules" even if it puts them at a disadvantage with their enemies.[1] They also said that attacks on healthcare facilities had already been ruled out by them.[1][3]
Killnet initially refused to follow the rules, but a couple of days later agreed to abide by them.[1][3]
A high-ranking member of Anonymous said they had "always operated based on several principles, including rules cited by the ICRC" but had become disillusioned with the organisation and would not follow the rules.[1]
A representative of Anonymous Sudan said the rules were "not viable and that breaking them for the group's cause is unavoidable".[1]
References
- ^ a b c d e f g h i j k l m n o p q Tidy, Joe (2023-10-04). "Rules of engagement issued to hacktivists after chaos". BBC News. Retrieved 2023-10-15.
- ^ a b c d e f g h i j k l Starks, Tim; DiMolfetta, David (2023-10-05). "Red Cross officials want civilian hackers to follow rules amid war. Here's why". Washington Post. Retrieved 2023-10-15.
- ^ a b c Tidy, Joe (2023-10-06). "Ukraine cyber-conflict: Hacking gangs vow to de-escalate". BBC News. Retrieved 2023-10-15.
Further reading
- Rodenhäuser, Tilman; Vignati, Mauro (4 October 2023). "8 rules for "civilian hackers" during war, and 4 obligations for states to restrain them". EJIL: Talk! (www.ejiltalk.org). European Society of International Law. Retrieved 16 October 2023.
External links
- 8 rules for “civilian hackers” during war, and 4 obligations for states to restrain them - International Committee of the Red Cross blog on Law and Policy
- v
- t
- e
Hacking in the 2020s
| ← 2010s | Timeline | 2030s → |
| 2020 |
|
|---|---|
| 2021 |
|
| 2022 | |
| 2023 | |
| 2024 |
- Anonymous
- Anonymous Sudan
- Berserk Bear
- Clop
- Cozy Bear
- DarkMatter
- DarkSide
- Dridex
- Ghostwriter
- GnosticPlayers
- Guacamaya
- Hafnium
- IT Army of Ukraine
- Killnet
- Lapsus$
- LightBasin
- Lockbit
- REvil
- Sandworm
- Sakura Samurai
- ShinyHunters
- Wizard Spider
publicly disclosed
- SMBGhost (2020)
- Thunderspy (2020)
- PrintNightmare (2021)
- FORCEDENTRY (2021)
- Log4Shell (2021)
- Account pre-hijacking (2022)
- Retbleed (2022)
- Downfall (2023)
- LogoFAIL (2023)
- Reptar (2023)
- Terrapin (2023)
- GoFetch (2024)
| 2020 | |
|---|---|
| 2021 |
|
| 2022 |
|
