In Ukraine’s cyber-war with Russia, who is a civilian and what is a war crime?

On February 24, the hacker collective Anonymous declared cyberwar on Russia, claiming that it was targeting state TV stations, government ministries, and banks in a series of retaliatory strikes for Russia’s cyberattacks on Ukrainian government websites and businesses. The term “cyberwar” may have sounded like hyperbole, but international legal experts tell Rest of World that the volunteers joining the effort to attack Russia in cyberspace may, legally speaking, have made themselves into active combatants —  and legitimate targets for retaliation. They could even unwittingly find themselves complicit in war crimes.

The Geneva Conventions, the laws that govern the conduct of war, were established in the aftermath of World War II, and, although they’ve been updated and amended since, they didn’t anticipate that cyberspace could become a theater of conflict. The gray areas left by that omission means there are conflicting interpretations about what war crimes might look like in cyberspace and who is accountable when they happen.

“We still have no clear single, common legal interpretation of how the Geneva Convention applies to cyberwarfare,” said Nathaniel Raymond, a lecturer at the Jackson School of Global Affairs at Yale University and an expert in technology and human rights.

At the core of the rules of war is the distinction between combatants and noncombatants, like medical personnel. Under the Geneva Conventions, war crimes include torture, killing hostages, and, most important, attacks on civilians. War crimes are assessed against four different categories: proportionality (is the attack proportional to the threat?), necessity (is the attack necessary?), precaution (were steps taken to minimize harm to civilians and civilian infrastructure?), and distinction (was care taken to attack a military target rather than a civilian one?). But in cyberconflicts, these standards are hard to properly assess.

“The problem with cyber is that you do not know where something is going to go and what are the second- and third-order consequences,” said Klara Jordan, chief public policy officer at the CyberPeace Institute. For example, the malware used in the 2017 Russian NotPetya cyberattack on Ukraine ended up spreading across multiple countries, damaging companies and infrastructure.

Legal experts agree that, for instance, a direct cyberattack on a hospital that causes civilians to die would be a war crime, just as bombing a hospital would also constitute a war crime. But taking out an electrical grid that supplies a hospital probably wouldn’t be, according to Raymond. Distinguishing between what’s civilian and what’s military can be particularly tricky in cyberwarfare, where the same critical infrastructure might serve schools and military bases alike.

“We have specific language [in the Geneva Conventions] about the ‘intentional release of dangerous forces,’” said Raymond. That language, he said, specifically refers to things like dams and how releasing floodwaters could harm both combatants and civilians. “Many of us interpret taking out an electrical grid as not only the release of dangerous forces but creating conditions that would have indiscriminate civilian effects. But that’s not an internationally agreed-upon position.”

The nature of cyberconflict also blurs the distinction between combatants and civilians. When hackers answered the Ukrainian government’s call to join the fight online, or when the hacking group Anonymous began targeting websites and services inside Russia — including the Ministry of Defense — they could have crossed that line.

“They are now becoming part of this armed conflict,” said Jordan. “They are becoming combatants under the rules of international law, and, in the case of Ukraine, these individuals now can be a legitimate target of Russian forces.” 

This means that anyone taking a side in a cyberconflict is fair game for retaliatory cyberattacks, or even a physical attack. “Your distance from the battlefield doesn’t matter. Once you are participating in hostilities, you lose your civilian protections,” Jordan said.

Employees of private companies may also fall into this category. In many countries, a private company might run an electrical grid and might task its employees with defending the grid from a cyberattack. For the company and the employee, even that still might count as taking on the role of a combatant. “That part of the law remains unsettled,” Jordan said.

Many of these cyber volunteers are likely not trained in the rules of war, and might not be considering the second- or third-order effects of their attacks, but could still be held responsible if their actions violate the laws of armed conflict. For instance, many experts have highlighted that posting the identities of captured Russian soldiers online may be a violation of the Geneva Conventions. 

“It’s quite different from traditional warfare,” said Deborah Brown, a senior digital rights researcher at Human Rights Watch. “There’s a range of actors, starting from direct state actors to actors who are employed by, or acting at the direction of, a state to proxies who are ideologically aligned to individuals who find themselves compelled or motivated to act on behalf of the state.”

Even if the international community can come down on definitions of war crimes in cyberspace, holding anyone accountable will be very challenging. It is already challenging to prove and prosecute war crimes in analog warfare. “The fact that it’s difficult to bring perpetrators to justice is not a unique cyber issue,” Brown said. Collecting evidence and getting a case through the international criminal justice system can take years.

Cyberwarfare happens in what Raymond calls a “battle space uniquely suited to deception.” Mis- and disinformation are rife in modern warfare and can be used to obscure who is responsible for an attack — which is hard enough as it is. Unpicking where an attack originated requires complex forensic investigations, and attackers use middlemen, mercenaries, and cutouts to disguise their origins. But, Jordan said, that doesn’t mean it’s impossible to trace where attacks come from. What’s really important is what happens next. “I think what is a global challenge is once you have the tactical attribution, what do you do with it?” she said. “This is where I think we are seeing much less accountability for cyberattacks. What is the political willingness to hold someone accountable for the cyberattacks they’re doing?”