Pages

27 October 2023

Hacking against humanity: Are Red Cross cyber rules credible?

Christopher Whyte

Civilian hacking in conflict is on the rise. Recent non-state cyber activity surrounding the Ukraine and Israel conflicts has contributed to destabilizing both situations and enhanced risk of harm to civilian populations. A recent set of notional rules for non-state hacker behavior during ongoing conflict seeks to address this reality, suggesting that hacktivists and patriotic hackers alike should limit their activities to protect civilian populations in line with the principles of International Humanitarian Law (IHL).

To the surprise of some in the global community, these rules - promulgated in early October by the International Committee of the Red Cross (ICRC) - were received with some acceptance by hacker groups tied to ongoing conflicts. The surge of non-state cyber aggression in the wake of Hamas's October 7 attack, however, has thrown cold water on the idea that constraining norms of behavior surrounding civilian hacking in conflict are achievable. After all, the time between general acceptance of these principles and deviation from that position was measured in mere days for some hacker groups.

Against the grain of these developments, there is reason to be optimistic about new progressive, constraining norms against counter-population hacking led by neutral intermediaries like the ICRC. There is evidence of growing global awareness that cyber for cyber's sake is rarely as gainful as desired, and of patterns of support for digital restraint vis-a-vis civilian populations that align with norm emergence features seen with other disruptive technologies. It's also worthwhile to distinguish between conflict and crisis. In particular, state interests appear to drive civilian hacking at such critical junctures in ways that demand recognition. As such, the ICRC and advocates of the applicability of IHL to cyberspace should be bullish about their initiative, so long as they remain pragmatic about the scope and strength of norm evolution.

New Red Cross hacking rules: Old problems, new credibility?

In promulgating new rules on civilian hackers during armed crises, the ICRC cites three broad areas of concern. Most clearly, the Red Cross is worried about the potential for harm produced by non-state hacking against civilian populations, whether via direct hacking or second-order effects. Second, "civilian hackers risk exposing themselves, and people close to them, to military operations," expanding the scope of conflict unnecessarily. Finally, by expanding the scope of armed disputes, particularly those with deep-rooted issues and constituents, hacking can blur the line "between who is a civilian and who a combatant." Should these last two developments take place, the ICRC worries that international law - and its mission - becomes far more ambiguous in how it would be applied in conflict zones.

In response, the ICRC suggests a set of rules that should govern the behavior of civilian hackers in conflict. Perhaps counterintuitively, the final rule is the simplest and takes primacy over all others: Actors should endeavor to follow rules of upstanding humanitarian practice even if their adversaries do not.

Beyond this simple stipulation, the next three are closely related and state that non-state hackers:
  1. Should not directly target civilians and non-military objects;
  2. Should not use techniques (such as worms) that might indiscriminately impact non-military elements; and
  3. Should take all feasible steps to minimize possible civilian collateral harm.
With reference to critical infrastructures, the ICRC also suggests that non-state hackers should never target humanitarian or medical facilities of any kind. Moreover, no cyberattack should be levied against infrastructure that is "indispensable to the survival of the population or that can release dangerous forces." The clear reference here is to infrastructure like the electrical grid that services civilian populations indiscriminately and sensitive facilities - such as dams or nuclear facilities - that come with risk in their misuse.

Finally, non-state hackers should strive to avoid terrorizing civilian populations. This comes in two forms. First, hackers should avoid causing fear and panic in a population, particularly where doing so increases the possibility of physical harm to civilians. This might include disruptions of government messaging systems used during crisis to warn citizens of danger or the spread of disinformation inciting factional violence. Second, hackers should not use their skills to enable others to break any of the above rules, for instance by sharing technical capabilities with unscrupulous actors or encouraging others to violate IHL on their behalf.

Does the International Humanitarian Law fit in the digital age?

The launch of Russia's war against Ukraine in early 2022 produced months of debate in the global cybersecurity community. Where was the cyber blitzkrieg of popular and pundit imagining? Experts quickly weighed in. "Cyberwar" tied to the conflict, they pointed out, made as little strategic sense as the term itself but its absence shouldn't draw attention away from cyberspace. Sure enough, the last 20 months of war in Ukraine have featured dozens of hacking entities and untold thousands of digital operators on both sides fighting to aid military activities, disrupt society, and control the conflict's information environment.

Parallel to these developments, the past two weeks have seen as many as 40 hacking groups from around the world pile into the rapidly deteriorating conflict between Israeli and the Islamist militant movement Hamas. Data shows immense DDoS activity targeting both Israeli and Palestinian targets starting just hours after the initial incursion from Gaza. On the side of Hamas, in particular, hacking groups have vowed to degrade Jerusalem's ability to respond to the October 7 attack and to disrupt Israeli society more broadly.

This has resulted in the downing of more than 80 websites tied to government services, media outlets, and prominent Israeli companies. Of particular significance are credible claims of compromise of the Iron Dome air defense system and the national electrical grid. One actor, AnonGhost, is even reported to have tampered with the state-run rocket alert app Red Alert in an effort to spread false missile alerts. Taken together, these activities reflect an incredible concentration of digital will to lay siege to both national combatants.

While rapid acceptance of Red Cross rules on non-state hacking during conflict by entities like Killnet and the Ukrainian-affiliated IT Army was promising, cyber and information attacks against both Hamas and Israel highlight the continuing challenge of squaring the principles of international law against the realities of digital conflict. Challenges with attributing cyberattacks and with exerting sufficient influence over malicious actors to verify their compliance (or punish non-compliance) with established rules are endemic to this arena of global competition.

Beyond this base challenge, the trappings of international law - both IHL and the Law of Armed Conflict (LOAC) - are often argued to be ill-fitting to the technical challenges of parsing permitted activities online apart from those that are prohibited. How, for instance, should one distinguish infrastructure critical to humanitarian and general societal functions from potential military operation? Military and intelligence operations use online infrastructure that is primarily privately owned and at least partially exists in grey space. With something like the international legal requirements that protected assets and persons are marked in clear and distinctive ways (e.g., an aid worker sporting the Geneva emblem on their uniform), there are often few domain-, network-, or platform-specific methods for signaling prohibited targets. Even if, for instance, a specialized designation were to be applied for major facilities (e.g., a .med or .+++ domain), challenges still persist around issues like telemedicine protection or the use of spoofing techniques as a workaround.

These and many other issues are also relevant because of the way in which international law treats the moral basis of combatant activities. The LOAC holds that warfighting must occur as a last resort and must stem from just provocation. Likewise, usage of weapons deemed to be cruel and unethical must be avoided, as should disproportionate armed activities and the targeting of civilians. The multi-purpose utility of cyber instruments prevents a weapon- or technique-based regime from constraining malign behavior. The claim of just cause in response to a developing conflict offers hackers that self-identify as combatants a deniability argument that marries ethical use of cyberspace for conflict with the potential for unintended operational spillover causing civilian harm.

Case for optimism: Why crisis hacking doesn't preclude restraint

Despite such challenges, the ICRC and other advocates of observing IHL principles in cyberspace have reason to remain optimistic and even bullish. Foremost is a growing recognition by major security stakeholders that cyber for cyber's sake won't necessarily achieve strategic goals in international contests. While cyber operations cede many advantages to political actors, digital action alone is most often associated with marginal returns beyond the scope of a unique security situation. In those circumstances, cyber operation is usually driven by conditions in other domains.

With regards to civilian hacking during conflict, there is an extremely relevant differentiation to be made between conflict and crisis. Conflict most often refers to the totality of friction, armed standoff, and discord resulting from divergent interests between actors. Crises are critical junctures within which stakeholders interpret strategic interests via reference to situational, temporary lenses. In the case of crisis moments during both the Ukraine-Russia and Hamas-Israel conflicts (particularly the onset of major hostilities), civilian hacker involvement has taken on unique character, namely an over-emphasis on performative, degradative action that aligns with state (or, in the case of Hamas, organizational) operational interests.

Civilian hacking during such critical moments of broader armed conflicts cannot be considered to emerge from the same logic of decision found at other times. Without question, recent non-state actions in cyberspace have violated the ICRC's proposed rules of conduct. AnonGhost's attempts to manipulate the Red Alert rocket alert app is a prime example of this, as are recent attacks on aid groups and ongoing efforts to compromise Israeli electric grid and telecommunications systems.

The inherent value of such activities for the broader strategic and socio-cultural competitions involved diminishes dramatically beyond the present period of flux. This firmly positions cyber activities as an arena of possible compromise when conflict resolution efforts succeed in deescalating the crisis. Conflict resolution is always characterized by ready movement on such marginal capacities paired with stubbornness on more substantial points of engagement.

Pushing toward a norm cascade

Constraining norms on the use of technologies, weapons, or tactics used in conflict only develop after significant inertia has been achieved. Norm emergence is characterized by independent acknowledgement of acceptable rules of engagement from all sides of an issue. Emergence is only the start. Sufficient support for new norms of behavior eventually produces cascading acknowledgement of taboos that benefit all and go beyond that acknowledgement to be internalized by competing societies.

The challenge of this emergence phase of norm-building is in planning those actions that will maximize the chances of sparking a cascade of support. With civilian hacking in conflict, the recognition that there are nested logics of action across different conflict and crisis conditions is critical. Through this lens, we should feel optimistic about the chance that the rules set by a neutral intermediary like the Red Cross will take hold. Counterintuitively, perhaps the best supporting evidence for this argument lies in the incidence of so much malign behavior during recent crises in both the Hamas-Israel and Ukraine-Russia conflicts. Norm emergence is not just characterized by independent acknowledgement of rules, but also by clear delineation of actions between periods of distinct geopolitical character.

How public-private collaboration can build constraining civilian hacking norms

The Red Cross and the international community will find evidence of a norm cascade around civilian hacking during conflict when we see clear imitation of this divergent set of behaviors by a critical mass of non-state cyber entities. What needs to happen to get to that moment?

The strategic posture adopted by both public and private actors around the world should recognize the time-and-place context of non-state hacker actions. As a baseline, the international community should strive to consistently emphasize the worst excesses of civilian hacking during conflict as they intersect with violations of IHL. More narrowly, the line between conflict and crisis must be made stark. Private industry should adopt a neutrality posture surrounding crisis wherever possible, differentiated from traditional support that an actor might feel obliged to produce for one or other position in a broader conflict. Crisis escalation is a dangerous phenomenon for civilian populations and should roundly be held as an unacceptable venue for malicious hacking alongside other violations of international law.

Private actors should also name and shame violations of ICRC rules via a strategy of compartmentalization, placing greater emphasis on the detail of the action during periods of general tension vs. on the drivers of cyber activity during crisis. This might be matched by governmental efforts to deter via actions that disproportionately punish transgressors outside of crisis and focus on practical protection of civilian populations during.

Finally, governments would do well to more directly court associations with civilian hackers whose operations and interests may align with national interests as a means of reducing ambiguity and increasing reputational accountability during crisis. While governments or substantial national private actors might be understandably loathed to consider such associations - to retain deniability and avoid liability - the reality is that such ambiguity hampers the emergence of shared norms surrounding conflicts defined by national, religious, or cultural conditions. As such, unblurring lines and recognizing key distinctions between hacking and what drives it are critical for building on the promise of what the Red Cross now proposes.

No comments:

Post a Comment