One Year On: Are the ICRC’s Principles for Civilian Hackers Shaping the Laws of War?
In October 2023, the International Committee of the Red Cross (ICRC) laid down a stark warning: cyber warfare must not spiral into lawless destruction. Their eight rules for civilian hackers and four obligations for States were a bold attempt to align cyber operations with the laws of war. With a full year’s passage, have these principles steered cyber operations toward compliance, or do they remain mere rhetoric?
Are Hackers Paying Attention?
War is no longer confined to trenches and battlefields. Today, it plays out in code, servers, and networks. Civilian hackers—sometimes driven by patriotism, sometimes by chaos—have become engaged actors in modern conflicts. Their contribution muddies the waters, and their status remains opaque. Are they private actors, or controlled by a State? Many patriotic hackers act with the benefit of more-than-tacit State approval. Some States give active encouragement, or even target lists. Ukraine’s “IT Army” is just one example. To that end, the ICRC’s guidelines aimed to impose limits: no targeting civilians; no reckless malware; and no cyber strikes on hospitals or humanitarian groups. It is an effort to be celebrated. The question is, do these rules hold any weight?
For these rules to matter, hackers need to know—and care—about them. The reality? Many don’t. Cyber operations are often preferred for their non-kinetic effects and their deniability. Accountability for the individuals and the (possible) State sponsors is scarce. Patriotic hacking groups, often acting alongside or through States, see themselves as warriors rather than war criminals. The ICRC’s call for restraint struggles to compete with the lure of cyber supremacy.
The rise of decentralized hacking collectives has also complicated matters. Unlike State-backed cyber units, these loosely organized groups often operate independently, making it difficult to establish control or impose norms. Again, the International Law Commission’s Articles on State Responsibility include legal processes to determine when the conduct of private individuals can be attributed to a State, leading to international responsibility. But just because the legal processes exist does not mean that they are easily understood or followed.
Further complicating the issue is the fact that cyber warfare lacks the visceral immediacy of kinetic warfare. Many hacktivists see their work as a necessary countermeasure against perceived enemies, with little regard for the collateral damage they may cause. Unlike bombings or missile strikes, a cyber-attack can feel abstract even to those carrying it out. Hackers may not see the human cost of their actions, making it easier to dismiss concerns over legality and ethics. For the ICRC’s guidelines to have any impact, the proposed rules must be tailored to the environment they are meant to address. At best, the guidelines as they exist attempt to instil a sense of responsibility, but without direct consequences, they remain theoretical rather than practical.
Still, some hacking communities have taken note. Ethical hacker groups and cybersecurity experts have engaged with these principles in discussions about responsible cyber conduct. As reported by QuoIntelligence,on 6 October 2023, KillMilk (founder of KillNet) announced in a Telegram post that KillNet will comply with the ICRC’s rules. Yet again, merely reposting the ICRC’s rules does not translate to their internalisation or application. The BBC’s interviews with key hacktivist collectives provide valuable insight, revealing a widespread rejection of the ICRC’s rules as impractical for their operations.
A Necessary First Step, But Not Enough
Even if hacking groups are aware of these principles, compliance remains elusive. Although I noted at the start of this year that I believe that compliance with international humanitarian law is actually more positive than generally perceived, it is true that offensive cyber operations have relentlessly targeted energy grids, hospitals, and aid organizations, often with devastating humanitarian consequences. The ICRC’s guidelines align with the laws of war, but the lack of real-world adherence exposes the gaping enforcement gap in cyberspace.
The ICRC’s principles are a vital attempt to extend the laws of war into the cyber domain, but they are not self-enforcing. In a world where attribution is difficult and accountability is weak, voluntary compliance is a flimsy shield against cyber chaos. Real change will require more than moral appeals; it will demand international legal mechanisms, cooperation between States, and tangible penalties for violations.
Despite their current limitations, these principles have value. They provide a moral and legal framework that could one day underpin binding cyber warfare laws. But for now, they remain more of a guidepost than a guardrail.
One possible avenue for improvement is increasing awareness among the hacking community. Educational campaigns targeting young programmers and cybersecurity professionals could help instill these ethical principles early on. Additionally, governments and tech firms could collaborate to create incentives for responsible cyber conduct, discouraging reckless attacks that endanger civilians.
Conclusion
A full year on, the ICRC’s guidelines remain a necessary but insufficient response to the realities of cyber warfare. They highlight a critical issue: without stronger enforcement and accountability, the laws of war will struggle to keep pace with digital conflict. The world must decide. Will we let cyberspace remain a lawless battleground, or will we fight to impose order before the next crisis makes the cost too high to ignore?
Ultimately, the success of these principles hinges on more than just legal frameworks; they require buy-in from the very people they seek to regulate. Until the hacking community itself recognizes the need for ethical restraint, cyber warfare will continue to operate in a legal and moral grey zone, one where the cost of inaction could be devastating.
***
Samuel White is an Associate Professor at the National University of Singapore, where he is the Senior Research Fellow in Peace and Security at the Centre for International Law.
Photo credit: Getty Images via Unsplash
