William Casey Biggerstaff
Two days after Russia’s renewed invasion in February 2022, Ukraine’s Minister of Digital Transformation announced a call to digital arms on Twitter:
We are creating an IT army. We need digital talents. All operational tasks will be given [on this Telegram channel]. There will be tasks for everyone. We continue to fight on the cyber front. The first task is on the channel for cyber specialists.
Over a year later, the so-called IT Army has accumulated nearly 200,000 volunteers. These cyber operators have targeted the websites and networks of Russian companies and infrastructure through various cyber operations (see, e.g., here, here, here, and here) and used facial recognition software and social media to notify the families of dead Russian soldiers (see my legal analysis here).
Unsurprisingly, Russia’s Foreign Ministry has condemned this private “cyberwar” and warned of “dramatic consequences” for its operators. The International Committee of the Red Cross (ICRC) has separately expressed concern over the practice of “recruit[ing] civilian volunteers to take part in military cyber operations,” cautioning, “Even though not every form of civilian involvement on the digital battlefield qualifies as direct participation, the danger is that it may be seen as such by the enemy, thus exposing numerous civilians to a grave risk of harm.” In recognition of these admonitions, Ukraine is currently drafting a law “aiming to put an end to uncertainty about [the IT Army’s] status” by formally incorporating its members into the reserve component of its armed forces.
These events raise the challenging issue of the legal status under the law of armed conflict of members of the IT Army. This post examines whether they may be made the object of attack by Russia by virtue of being combatants, members of an organized armed group (OAG), or civilians directly participating in hostilities. It also briefly considers several legal implications if the IT Army’s members join Ukraine’s armed forces.
Combatants and Civilians Distinguished
As used in this post, combatants are persons in an international armed conflict who are privileged to engage in hostilities against the enemy and who, unless specially protected, may be made the object of attack (U.S. DoD Law of War Manual, §§ 4.3, 4.4.1). If captured, they are entitled to prisoner-of-war status and combatant immunity (§§ 4.4.2–.3).
If the IT Army’s members are not combatants, they are civilians. Under the 1977 Additional Protocol I (Ukraine and Russia are both parties) and customary international law, civilians are immune from direct attacks and protected from their incidental effects by the prohibition against indiscriminate attacks, the obligation to take feasible precautions in the attack, and the (targeting) rule of proportionality (see ICRC Customary International Humanitarian Law Study, Rules 11, 12, 14, 15, and 17; DoD Law of War Manual, §§ 5.5, 5.11–.12). As will be explained, however, civilians forfeit these protections if they directly participate in hostilities or are members of OAGs.
The Current Status of IT Army Members
There is little difficulty in finding that IT Army members are currently civilians. The two classic categories of combatants are laid out in the Regulations annexed to the 1907 Hague Convention IV (art. 1) and the 1949 Geneva Convention III (arts. 4(A)(1)–(2)), widely considered to reflect customary international law (see ICRC CIHL Study, Rule 3; DoD Law of War Manual, §§ 4.5–4.6), and which Additional Protocol I consolidates into one (art. 43(1); see ICRC 2020 Commentary to GC III, ¶ 1009). They include 1) members of the armed forces (including militias or volunteer corps forming a part thereof) and 2) members of other militias or volunteer corps “belonging to a Party.” The sine qua non of the first category is that the individuals in question, regardless of their function, must be formally incorporated (i.e., through enlistment or a similar mechanism) into the armed forces—a condition the IT Army currently lacks.
To fall under the second, the group to which a person belongs must collectively fulfill several conditions (see AP I, art. 43; ICRC 1987 Commentary to AP I, ¶ 1681). Suffice it to say that the IT Army fails to meet this requirement because the decentralized, Internet-based group appears to lack, for one, an organized, hierarchical structure and a commander capable of enforcing an internal disciplinary system (see ICRC 2020 Commentary to GC III, ¶¶ 1013-14; ICRC 1987 Commentary to AP I, ¶ 1672). Consequently, the IT Army’s members are civilians, at least for now.
Have They Forfeited Their Protections?
But qualifying as civilians does not mean their protections apply in all circumstances. In considering how current IT Army members may forfeit those protections, it is critical to distinguish civilians acting on an individual or unorganized basis from members of OAGs. Civilians only forfeit their targeting protections “for such time as they” directly participate (AP I, art. 51(3)). By contrast, some States, including the United States, treat membership in an OAG “as a separate basis upon which a person is liable to attack, apart from whether he or she has taken a direct part in hostilities,” until their membership ceases (DoD Law of War Manual, § 5.8.2.1). There is significant disagreement over which members may be targeted, however.
By one approach, all members of an OAG are targetable—it is their membership status that matters, not their particular role in the group’s hostilities (see DoD Law of War Manual, § 5.8.2.1). Under a more restrictive approach suggested by the ICRC in its Interpretive Guidance on the Notion of Direct Participation in Hostilities,only those individuals with a “continuous combat function,” in contrast to “exclusively political, administrative, or other non-combat functions,” may be targeted in the same manner as combatants (p. 33-34). Individuals not serving in such a capacity are targetable only when directly participating in hostilities.
In assessing whether the IT Army qualifies as an OAG in the cyber context, the guidance suggested by the International Group of Experts (IGE) in the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations is instructive.
Such a group is ‘armed’ if it has the capacity of undertaking cyber attacks. It is ‘organised’ if it is under an established command structure and can conduct sustained military operations. The extent of organisation does not have to reach the level of a conventional military disciplined unit. However, cyber operations and computer attacks by private individuals do not suffice. Even small groups of hackers are unlikely to meet the requirement of organisation. Whether or not a given group is organised must be determined on a case-by-case basis. (Tallinn Manual 2.0, Rule 83, ¶ 11)
If one adopts the IGE’s approach, there is little doubt that the IT Army is armed. There is less certainty, however, that it is sufficiently organized. Although details in the media are limited, some reports broadly characterize the group—formed around a Twitter post and led through a Telegram channel—as a “decentralized,” “loosely corralled” amalgam of “vigilantes,” many of whom only associate over the Internet. Bearing such descriptions in mind, and without more specific details regarding the IT Army’s structure and organization, it is difficult to conclude that it is an OAG. If it is not, then Russia may only target those individuals whose specific acts, on a case-by-case basis, constitute direct participation.
What is Direct Participation?
The next question is what acts qualify as direct participation in hostilities. No authoritative consensus exists, but the Interpretive Guidance, for its part, suggests three “constitutive elements” (p. 46) that are fairly representative of the “relevant considerations” listed in the DoD Law of War Manual (§ 5.8.3) and helpful for understanding the applicable threshold. Considering the scale and variety of the IT Army’s activities, it is essential to note that only those specific acts that satisfy all three elements constitute direct participation.
Threshold of Harm
By the first, “[t]he act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack” (p. 46; see also ICRC’s Commentary to AP I, ¶ 1944). As this description makes clear, it encompasses not only those activities that result in physical harm, but also “any consequence adversely affecting the military operations or military capacity of a party to the conflict” (ICRC Interpretive Guidance, p. 47; see also DoD Law of War Manual, § 5.8.3). Thus, even if a cyber operation engaged in by an IT Army member does not qualify as a “cyber attack” (see Tallinn Manual 2.0, Rule 92 and Commentary to Rule 97, ¶ 5), it may nevertheless cross the threshold of harm.
Direct Causation
Next, “there must be a direct causal link between the act and the harm likely to result either from that act, or from a coordinated military operation of which that act constitutes an integral part” (ICRC Interpretive Guidance, p. 51). As the inquiry is highly contextual, the point at which the causal chain becomes too attenuated has been the source of significant disagreement. In the cyber context, operations that result in or directly enable the impairment of military networks, equipment, functions, or capabilities likely qualify. By contrast, acts adversely affecting the general war effort generally do not suffice (p. 51-53; see also DoD Law of War Manual, § 5.8.3.2).
Belligerent Nexus
Finally, “the act must be specifically designed to directly cause the required threshold of harm in support of a party to the conflict and to the detriment of another” (ICRC Interpretive Guidance, p. 46). Considering the IT Army’s impetus and stated purpose, and the fact that its targets are provided by Ukrainian officials, there is little question that many, if not all, of its cyber operations satisfy this element.
With respect to the first two elements, many of the operations publicly attributed to the IT Army, in my view, fail to satisfy the applicable standard. A number, for example, have temporarily disabled or defaced Russian websites that have little, if any, connection to the Russian war effort, such as a video streaming service, a consumer electronics chain, and other purely commercial entities. Such acts are not likely to adversely affect Russian military operations.
In addition, many of the IT Army’s publicly reported cyber operations are not direct enough. Some operations, for example, have “focused on causing economic damage to Russia in order to weaken its ability to wage war against Ukraine.” While such acts may be likely to adversely affect Russian military operations, they are highly attenuated and better characterized as relating to Russia’s general war effort (see ICRC Interpretive Guidance, p. 51-52; DoD Law of War Manual, § 5.8.3.2).
On the other hand, although the limited details available in the media make it challenging to form firm conclusions, it is likely that at least some of the IT Army’s activities satisfy both elements. Consider, for instance, a report that the IT Army has “helped fend off Russia’s massive cyber attacks.” Although the precise nature and purpose of the attacks are unclear, assuming that some bear a connection to Russia’s military operations, there is little question that repelling them is both harmful and direct.
In another example, IT Army members stole the personally identifiable information of Russian military personnel and posted it online (i.e., a “doxing” operation). Presumably, the purpose of the hack was to disrupt Russian military operations by, at the very least, demoralizing, harassing, or distracting its forces. In this regard, it is critical to note that the act in question need only be likely to affect Russian military operations; there is no requirement that an adverse effect occurs. If one assumes that at least some of the soldiers in question were taking part in Russia’s military operations, there is a reasonable argument that the operation—in this case, a military information support operation (MISO)—would satisfy both elements. Again, the facts are uncertain, but given the volume and range of cyber operations conducted by the IT Army’s members, it is likely that at least some of them cross the rule’s threshold.
For How Long Does the Rule Apply?
The question of for how long the direct participation rule applies is often challenging because the loss of protections under the rule only applies “for such time” as direct participation endures. Assuming that at least some IT Army members’ acts qualify as direct participation, it is necessary to determine when such participation begins and ends for a cyber operation.
There is widespread agreement that Russian forces may target an IT Army member engaged in a cyber operation at his or her computer or while “travelling to and from the location where a computer used to mount an operation is based” (Tallinn Manual 2.0, Commentary to Rule 97, ¶ 8; see ICRC Commentary to AP I, ¶ 1943). But beyond these agreements, the scope of preparatory acts in the cyber context is far from settled. Similarly, the question of how to characterize an individual who repeatedly engages in acts of direct participation—the so-called “revolving door” problem—has been frequently debated (see ICRC Interpretive Guidance, p. 70; DoD Law of War Manual, § 5.8.4). Given the nature of cyber operations and modern capabilities, these open questions may be of little practical consequence for the IT Army. Regardless of where the line is, once an IT Army member permanently ceases their direct participation, they are no longer targetable by Russian forces.
As an aside, readers should briefly note that the preceding analysis, particularly the distinction between civilians and OAGs and the direct participation rule’s temporal restrictions, are germane to targeting. Civilians who participate in hostilities are also subject to detention, in which case, subject to limited exceptions, they do not receive prisoner-of-war status or combatant immunity. In that context, it is irrelevant whether they do so individually or as a member of an OAG. Nor does regaining their targeting protections by ceasing their participation bar them from being detained.
In sum, the IT Army’s members are currently not combatants; they are civilians. While it is difficult to be certain, some of them are likely engaging in cyber operations that may qualify as direct participation in hostilities. If they are, it is important to emphasize that the law of armed conflict does not prohibit them from doing so (though there may be domestic law consequences, a topic beyond this post’s scope). The conclusion that they are civilians will likely change, however, if Ukraine’s pending legislation passes.
Implications of the Draft Law
Even under the broad terms described by one media outlet, it is reasonably clear that the IT Army’s members would become combatants under Ukraine’s draft law through their formal incorporation into its armed forces’ reserve cyber component. As such, the applicable privileges and liabilities described above would inure to them. A few additional observations pertaining to this pending status are worth briefly noting.
First, since the IT Army is currently a multinational group, and as another Articles of War post explains, it should be noted that the law of armed conflict does not prohibit foreign nationals from serving in Ukraine’s cyber reserve force (see ICRC 2020 Commentary to GC III, ¶ 977). Should they do so, in addition to any practical challenges it would present (of which there are many), the presence of combatants outside Ukrainian territory would also raise significant legal issues beyond the scope of this post, such as those pertaining to neutrality (see here and here), that Ukraine should at least consider during the legislative process.
Second, combatants are obliged to comply with the law of armed conflict, including the obligation to distinguish themselves from the civilian population by, for example, wearing a fixed distinctive sign such as a military uniform (DoD Law of War Manual, § 5.4.8; see also AP I, arts. 44(3), (7)). As examined in another Articles of War post, in addition to the point that States and their forces should endeavor to comply with the law, failure to do so may result in the forfeiture of the offending individual’s prisoner of war status upon capture. Although the risks of capture in the cyber context are low, Ukraine would nonetheless be well-advised to implement and enforce such requirements for individuals who become members of its armed forces.
Third, as detailed in other Articles of War posts (here and here), Ukraine’s forces must take feasible precautions to protect the civilian population against the effects of attacks (i.e., “passive precautions”). They include, among others, “avoid[ing] locating military objectives within or near densely populated areas” (AP I, art. 58(b); see also ICRC Customary International Humanitarian Law Study, Rule 23). Related issues involve the prohibition against the use of human shields and the misuse of protected places. Considering that many IT Army members are presumably conducting their cyber operations amidst the civilian population, such as from computers located in their homes or similar locales, Ukraine would be prudent to consider how best to resource, deploy, and regulate its nascent cyber force in observance of legal requirements.
Conclusion
Thus far, the IT Army’s civilian volunteers have displayed incredible determination and fortitude in the face of Russian aggression. But their current efforts, however admirable, may subject them to “a grave risk of harm” that they may or may not fully comprehend. Given what’s at stake, Ukraine should be commended for its effort to incorporate the IT Army into its armed forces, in which case the benefits, in my eyes, far outweigh the risks. In doing so, Ukraine should take care to consider all the relevant implications and consequences of converting civilian volunteers into combatants.
No comments:
Post a Comment