Interning a Hacker

Recently, at a workshop at Harvard Law School, I grappled with the question of internment in any international armed conflict (IAC) in the near future. It is a question some are uncomfortable with, although the concept of internment remains legally available under international humanitarian law (IHL) (as a previous Articles of War post has discussed). Internment’s application to emerging threats, particularly in cyberspace, raises complex questions.

Australia, like many other States, has a history of wartime internment. During the Second World War, Australia interned around 75 percent of the resident Japanese population along with 16,000 residents of German and Italian descent, and more than 2,000 British nationals. The United States adopted similar policies, most notably the internment of 127,000 Japanese Americans, as well as thousands of people of German and Italian origin. These measures were carried out during a period of conventional warfare in which diaspora communities were broadly perceived as security threats. The United States even went so far as to request support from Peru interning Japanese diaspora in assessed staging areas for a Japanese landing in Latin America.

In the decades since, the rise of international human rights law and strengthened domestic legal protections in many jurisdictions have made a recurrence of such internment policies highly unlikely. In the United States, the Civil Liberties Act of 1988 formally acknowledged the injustice of Japanese American internment by providing survivors who were citizens or permanent residents with an official apology and $20,000 in compensation. Yet these are domestic legal frameworks, subject to repeal or interpretation. Other States, such as Australia, do not have the same domestic limitations on possible internment, yet domestic prosecutions for espionage or sabotage under criminal law may not offer the flexibility or speed often desired by a government in an emergency. Sweeping regulations allowing for internment, on the discretion of a Minister, have historically been passed. What is clear, though, is that the internment of civilians in an IAC is permitted under the 1949 Fourth Geneva Convention (GC IV). The threshold for interning civilians is “only if the security of the Detaining Power makes it absolutely necessary.” This is an assessment made by the State, for the State’s security.

Relevant Law

Article 42 of the GC IV doesn’t just regulate internment. It dignifies it. Articles 79 to 141 (63 articles if my maths is right) lay out an architecture of humane treatment: clean water; medical care; family visits; no torture; no degradation. Article 39 further requires the detaining power to ensure support for the internee and their dependents if internment deprives them of their livelihood.​

These provisions were drafted with conventional warfare in mind. The challenge is applying them to non-kinetic, networked threats. If a civilian poses a significant cyber threat, for example, through disruptive code, espionage, or interference with critical infrastructure, can a State lawfully intern that civilian? And if so, what does it look like in practice?​

Interning Hackers

The traditional model of internment, wherein the internee is within a physical detention facility guarded by military personnel, may be inappropriate or ineffective against a cyber-capable actor. Instead, the State (if they deem it absolutely necessary) may opt for a form of controlled isolation: a secure environment devoid of network access, cloud connectivity, or communication tools. The purpose remains the same, to neutralize the threat, but the method reflects the nature of the digital domain.​

Nevertheless, even a cyber-adapted internment must comply with the procedural and substantive safeguards under IHL. Most notably, Rule 128 of the International Committee of the Red Cross’s Customary International Humanitarian Law Study asserts that civilians interned in international armed conflict must be released as soon as the reasons for internment cease to exist, and in any case no later than the end of active hostilities. In cyber conflict, determining the end of the threat is far from straightforward. If a hacker’s infrastructure has been dismantled and access to systems removed, does that suffice to end the justification for internment? Or does the persistence of dormant code, unknown backdoors, or potential future re-engagement necessitate continued detention?​

Moreover, internment decisions must be subject to timely review and regular re-assessment. GC IV mandates that each internee be provided with a right to appeal, and that decisions be reconsidered at least twice annually. In the cyber context, assessing the ongoing threat posed by an individual may require technical expertise beyond the capabilities of a conventional review board. Additionally, risk may stem not only from what the individual has done, but from what they know, or are capable of doing, a subjective and potentially speculative standard.​

A further complication arises in the regulation of communications. GC IV emphasizes the right of internees to maintain contact with family, but cyber operations challenge the assumption that personal correspondence is innocuous. Can communication channels themselves serve as a vector for malware, instructions, or covert coordination? If so, is supervised internet access feasible or even safe? Is the monitoring of seemingly benign communications (e.g., love letters or family updates) for concealed code consistent with the internee’s right to dignity and privacy?​

Concluding Thoughts

These questions are not abstract. They reflect real and emerging dilemmas faced by States seeking to respond to cyber threats within a legal and ethical framework. Internment remains a lawful tool in armed conflict, but its implementation in the cyber context will require careful balancing of military necessity, humanitarian obligations, and technical feasibility.

While internment remains permissible under IHL, its application to cyber conflict introduces significant operational, legal, and ethical complexities. These challenges demand close attention not only from military lawyers, but from policymakers, technologists, and civil society. The legal architecture is in place, but its adaptation to new forms of warfare requires rigorous scrutiny, innovation, and a steadfast commitment to the rule of law.​

***

Dr Samuel White is the Senior Research Fellow in Peace and Security at the National University of Singapore’s Centre for International Law.

The views expressed are those of the author, and do not necessarily reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense. 

Articles of War is a forum for professionals to share opinions and cultivate ideas. Articles of War does not screen articles to fit a particular editorial agenda, nor endorse or advocate material that is published.

Photo credit: Unsplash