Rules of engagement issued to hacktivists after chaos

Related topics
A member of the Squad 303/Anonymous hacker group
Image caption,

A member of the Squad 303/Anonymous hacker group attacking Russia

The International Committee of the Red Cross (ICRC) has, for the first time, published rules of engagement for civilian hackers involved in conflicts.

The organisation warns unprecedented numbers of people are joining patriotic cyber-gangs since the Ukraine invasion.

The eight rules include bans on attacks on hospitals, hacking tools that spread uncontrollably and threats that engender terror among civilians.

But some cyber-gangs have told BBC News they plan to ignore them.

'Spreading globally'

The ICRC, responsible for overseeing and monitoring the rules of war, is sending the new rules to hacking groups, external particularly involved in the Ukraine war. It is also warning hackers their actions can endanger lives, including their own if deemed to make them a legitimate military target.

Patriotic hacking has risen over the past decade. The ICRC statement highlights pro-Syrian cyber-attacks on Western news media in 2013.

But the worrying trend, accelerated by the Russia-Ukraine conflict, is now spreading globally, ICRC legal adviser Dr Tilman Rodenhäuser says.

"Some experts consider civilian hacking activity as 'cyber-vigilantism' and argue that their operations are technically not sophisticated and unlikely to cause significant effects," he says.

"However, some of the groups we're seeing on both sides are large and these 'armies' have disrupted... banks, companies, pharmacies, hospitals, railway networks and civilian government services."

Based on international humanitarian law, the rules are:

  1. Do not direct cyber-attacks against civilian objects

  2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately

  3. When planning a cyber-attack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians

  4. Do not conduct any cyber-operation against medical and humanitarian facilities

  5. Do not conduct any cyber-attack against objects indispensable to the survival of the population or that can release dangerous forces

  6. Do not make threats of violence to spread terror among the civilian population

  7. Do not incite violations of international humanitarian law

  8. Comply with these rules even if the enemy does not

The ICRC is also imploring governments to restrain hacking and enforce existing laws.

The Ukraine conflict has blurred the boundaries between civilian and military hacking, with civilian groups such as the IT Army of Ukraine being set up and encouraged by the government to attack Russian targets.

The IT Army of Ukraine, which has 160,000 members on its Telegram channel, also targets public services such as railway systems and banks.

Its spokesman told BBC News that the group will "make best efforts to follow the rules" even though it may place them at a disadvantage to their adversaries. The spokesman added that attacks on healthcare targets has been a longstanding red line already.

Large groups in Russia have similarly attacked Ukraine and allied countries - including disruptive but temporary attacks, such as knocking websites offline, on hospitals.

Image caption,

Killnet's leader, Killmilk, plans to ignore the rules

"Why should I listen to the Red Cross?" a representative of Killnet, which has 90,000 supporters on its Telegram channel, asked BBC News.

Pro-Russian groups are accused of working directly for, or in conjunction, with the Kremlin. But Killnet strongly denies this.

Meanwhile, a representative of Anonymous Sudan, which in recent months has begun attacking technology companies and government services it says are critical of Sudan or Islam, told BBC News the new rules were "not viable and that breaking them for the group's cause is unavoidable".

And a high-profile member of the Anonymous collective told BBC News it had "always operated based on several principles, including rules cited by the ICRC" but had now lost faith in the organisation and would not be following its new rules.

Update 6th October: The IT Army of Ukraine spokesperson contacted the BBC to confirm it will make best efforts to follow the rules.

Sign up for our morning newsletter and get BBC News in your inbox.