Avast started identifying calls for hacktivism almost as soon as the ground war in Ukraine commenced last week. Some were fraudulent, looking to capitalize on the tragedy, but others were genuine encouragement for “regular people” who want to contribute to the effort. While this is not the first time hacktivists have intervened in world events, there is one major difference between previous actions and this one: This is a war. And the rules are different during wartime.
It’s clear that these events are having a highly emotional impact on many. Those impacts include fear, anger, powerlessness and much more. These are complex emotions, and a desire by some to lash out as a result of them should come as no surprise to anyone. What may be less obvious, though, is that when individuals add themselves to a war, the harms may outweigh any possible good to a dramatic degree, and to one which is not easily visible without a detailed analysis.
While hacktivists likely believe that they are doing the right thing by contributing their skills to the side they support, at the very least they are committing crimes with these actions. Where the lines get murkier, though, is determining the point at which an individual’s hacktivist actions against a wartime entity evolve from merely being a crime to making that person an active combatant. Whole volumes of legal and scholarly work have been put together on this topic. One of these, The Tallinn Manual, has even looked at which laws and treaties that exist today may already apply.
The Tallinn Manual is a non-legally binding manual that applies existing international laws to cyber operations. The goal is to take the laws that countries have already agreed upon and apply them to cyber conflicts, rather than creating a whole new set of laws for the world of cyber warfare. The first edition of the Manual includes 95 black letter rules that apply to cyber warfare, while the second edition builds upon the first with 154 black letter rules addressing operations that do not rise to the level of cyber warfare but are still considered “malevolent cyber operations.”
According to Rule 6 of the Tallinn Manual, governments can be held responsible for cyber attacks conducted by private citizens or groups if they “have issued specific instructions or directed or controlled a particular group to engage.”
Rule 6 also says that states have an obligation of due diligence in ensuring that their territory is “not used to cause transboundary harm.” In other words, if a government knows that hacktivists within its country are attacking another nation and causing “serious adverse consequences”, it is responsible for stopping them. While the scholars are not clear on what constitutes “serious adverse harm,” they do state that it does not have to include “physical damage to objects or injuries to individuals.”
While we have not yet seen public instructions from any of the involved governments in the Russia/Ukraine war, there has been clear “encouragement” on multiple sides and, in some cases, it would be difficult to argue that the government in question did not know that the attacks were taking place in their territory and in their name.
Because cyber warfare is so new in the history of humanity, “even legal scholars do not have an all-encompassing, end-to-end understanding of it,” Avast Global Head of Security Jeff Williams says. As a result, it can be difficult to determine exactly which acts of hacktivism count as acts of war and, when they do, what kind of retaliation is acceptable. This largely has to do with the question of state responsibility when the “soldiers” — aka hackers, in this case — are widely distributed and often acting of their own accord. How do governments decide which “non-state” acts require retaliation? What does that retaliation look like? These are, unfortunately, questions to which we do not yet have answers. Williams asks the hypothetical question: “If an act of war is worthy of a proportional response, what does proportionality look like for a ransomware attack against hospitals? That’s critical infrastructure and lives are at risk. Where would the line be drawn in retaliation methods? Would it be reasonable for a nation state in a war to target hacktivists directly with a kinetic response?”
Even setting aside the legal aspects, the effectiveness of such attacks is worth considering. There are many scenarios where an attack by an individual would have no effect, such as a DDoS against a site that is not in use because people are sheltering. In other cases, such as a hacktivist attack unknowingly disrupting a planned military operation or information collection, the action has the opposite of the intended effect. In yet another case, an attack uses a novel approach or previously unknown vulnerability, which is then understood by the target of the attack and used to retaliate against those the hacktivist was hoping to support. What could possibly go wrong? Pretty much everything. First and foremost, though, it’s a crime. That by itself should be a disincentive for people.
However, regardless of the (sometimes ambiguous) international laws surrounding cyber warfare, Avast strongly discourages individuals from engaging with hacktivism initiatives. In addition to being illegal, hacktivism makes it difficult to achieve good operational security, which puts potentially well-meaning hackers at risk. These actions can also lead to collateral damage both online and off. We are already seeing malware inserted into some of these tools, and any attack on infrastructure negatively affects all people on the ground, not just those who support war.
Finally, as outlined here, there is a very real possibility of retaliation for cyber attacks in the form of physical attacks. And the lives of others are not something any of us should be willing to risk.