
The International Committee of the Red Cross has, for the first time, published rules of engagement for civilian hackers involved in conflicts.
According to the BBC*, the organisation warns unprecedented numbers of people are joining patriotic cyber-gangs. The eight rules include bans on attacks on hospitals, hacking tools that spread uncontrollably and threats that engender terror among civilians.
Based on international humanitarian law, the rules are:
- Do not direct cyber-attacks against civilian objects
- Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately
- When planning a cyber-attack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians
- Do not conduct any cyber-operation against medical and humanitarian facilities
- Do not conduct any cyber-attack against objects indispensable to the survival of the population or that can release dangerous forces
- Do not make threats of violence to spread terror among the civilian population
- Do not incite violations of international humanitarian law
- Comply with these rules even if the enemy does not
Jake Moore, Global Security Advisor at ESET, commented that rules of engagement can work in physical war but cybercrime and nation-state digital war are a separate game altogether. Civilian hacking activity acts differently in the way that their activity is often not attributed to a particular enemy, a rarity in physical war.
The enhancement of being able to act in war under an invisibility cloak adds a dimension that sets up rules to fail. Furthermore, the way some targets are chosen in cybercrime means there is often collateral damage miles away simply due to how the networks are set up and which third parties are used.
With many hospitals and humanitarian facilities targeted by cybercriminals in the past, it is also clear that such threat actors do not have the same ethical or moral high ground as those deciding the rules. However, this initial creation is a starting point that was still desperately required to help mitigate those attackers who may have the slightest conscience.
*ESET does not bear any responsibility for the accuracy of this information.
