18 October 2023

A Hacktivist Code of Conduct May Be Too Little Too Late

EMILIO IASIELLO

Recently, the International Committee of the Red Cross (ICRC) released ethical guidelines for civilian hackers and hacktivists to consider prior to engaging in armed conflicts. The eight recommendations are grounded in humanitarian law-based rules meant to protect civilians, regardless of the reasons that initiated the conflict and without making any judgment on those involved. Because International Humanitarian Law (IHL) doesn’t have provisions against offensive cyber operations, the guidelines stress the need for nonstate combatants to adhere to basic humanitarian principles when conducting operations in support of a state. IHL generally provides the rules that protect civilians during armed conflict, and any violations are subject to war crime consideration and may be prosecuted by international courts. Because impactful cyber attacks are not the sole purview of nation states, savvy groups and individuals are able to cause significant disruptions whose repercussions can directly affect those critical infrastructures and services on which civilians rely.

Clearly, the events in Ukraine have brought about the need for the ICRC to disseminate these guidelines, as state-on-state armed conflict has opened the door for nonstate entities in cyberspace to get involved and help their sides. Hacktivist activity against governments is not necessarily a new development. In the late 1990s, hacktivists associated with the Cult of the Dead Cow supported Chinese citizens by helping them access blocked websites. Fast forward to today, and the capabilities of hacktivist groups have grown substantially, with groups able to engage in more disruptive attacks. This has ushered in the weaponization of hacktivism, a disconcerting turn of events given the lack of global cyber norm standardization. While the results of these attacks by both pro-Russian and pro-Ukrainian hacktivists have not been too detrimental, some of the incidents ascribed to them have involved the targeting of critical infrastructures. Railway sites and energy companies have already been targeted by these actors. What’s more, attacks have expanded past the two main states embroiled in the conflict, often targeting those perceived as allies or aiding the adversary. As such, private companies have been caught in the crosshairs of hacktivist operations.

While the ICRC’s move may have first seemed a lofty albeit naïve hope, there are signs that at least some of the hacktivists to whom the first ever “Geneva’s Code for Cyber War” was directed are taking note. According to recent reporting, two of the largest hacktivist groups that have been engaged in the Ukraine war have agreed to abide by the guidelines. This is certainly a promising development, especially given the International Criminal Court’s decision to investigate cyber incidents as possible war crimes. However, there is justifiably some skepticism with respect to how such guidelines could and would be enforced, and what organization would be charged with that mission. After all, adversarial hacktivists are seen as villains, while hacktivist supporters are held in a different light. For example, Ukraine has rightfully condemned pro-Russian hacktivists for their activities, but has praised the hacktivists supporting Kyiv in their efforts against Russia and its sympathizers, and openly solicited those capable cyber citizens to join the fight. Considering the intent behind the new guidelines, such pronouncements seem contradictory.

Furthermore, trying to apply accountability for a questionable attack could present its own set of difficulties. For example, while a group may take responsibility for a questionable attack, identifying the actual members and affiliates (which can number in the hundreds) involved is a much more difficult task. Many times, these members are dispersed globally, making such an endeavor challenging at best, impossible at worst. Would the group be held responsible for the work of one or two people? And what criteria would be used to constitute membership of that group? These are questions that need to be addressed. Additionally, it should be noted that other hacktivist groups involved in the fray have not agreed to comply. One pro-Ukraine group subsequently defaced the Russian Red Cross branch’s website and stated that it would maximize its efforts. Similarly, some pro-Russian groups believed that the rules were “not viable.” Moreover, there is no guarantee that those that do comply will not revert in the future. Since the guidelines are strictly voluntary and not a formal legally binding contract, they rely on people’s moral compass to regulate behavior. People find this hard enough in the physical world, let alone the cyber world.

The Red Cross guidelines presciently come at a time when geographic hotspots and geopolitical conflict have increased cyber malfeasance by nonstate actors. Over the weekend, Iran’s incursions into Israel have also stumbled into cyberspace, where hacktivists and patriotic hackers have conducted attacks. Russia-aligned Anonymous Sudan pronounced its support for HAMAS, and directed an attack against an Israeli alert system. What’s more, the Palestinian hacker group “Ghosts of Palestine” is soliciting hacker assistance to attack Israeli and U.S. private and public infrastructure. While it’s not clear the degree to which this call for volunteers will create the havoc that they intend, it further bolsters the belief that increased hacktivist participation is a foregone conclusion during political crises. One only need look at burgeoning trouble areas such as China-Taiwan and China-India to see if any perceived escalation in territorial disputes will spill online, with global hacktivists taking sides. All of these countries have formidable hacking communities that could quickly assemble in support of their government in the spirit of patriotism and nationalistic pride.

The longer states willingly ignore codifying laws of state behavior, the more brazen militarized nonstate actors will be in cyberspace. The Red Cross guidelines make sense, as citizens should not be the targets of adversaries looking to inflict pain on an opposing government. But this does not happen all the time, as citizens are frequently victimized, whether intentionally or not, during periods of geopolitical conflict. So, this will likely be the case in cyberspace until there are tangible repercussions for such activities. Unfortunately, if such accountability is not being satisfactorily levied against governments to influence and adjust how they operate, it is dubious that it can or will be against nonstate actors that enjoy some level of government protection and/or backing. The more they engage in these geopolitical conflicts, the more governments will see their utility and perhaps even look to cultivate their own hacktivist supporters as a means of nonofficial engagement. Groups that are aligned closely with a government’s goals and have demonstrated the willingness to use their capabilities in support of them become a battle-tested state asset that may purposefully seek to target civilian infrastructures to maximize attack effects where their state sponsors cannot.
